
4 ways small businesses can protect themselves from AI-driven email threats

According to the U.S. Small Business Administration, many small businesses cannot afford professional IT solutions and may lack time to devote to cybersecurity, or may not know where to begin. Yet they handle sensitive customer data, financial information, and proprietary business details that make them attractive targets. According to "Expert Warns of Rising AI Security Threats to Small Businesses," a World Economic Forum survey shows that ransomware attacks have increased by nearly 300%, with over 50% of these attacks specifically targeting small businesses. Meanwhile, according to Tiago Henriques, Chief Underwriting Officer at Coalition, writing in SC Media, business email compromise schemes alone represented nearly one-third of all claims in the first half of 2024, with the average loss from these attacks climbing 23% year-over-year to $35,000.

 

The evolution of email threats

Traditional email scams were often easy to spot. Poor grammar, suspicious sender addresses, and obvious phishing attempts made it simple for even non-technical users to identify threats. However, AI tools can analyze writing styles, research targets through social media, and craft personalized messages that are virtually indistinguishable from legitimate communications. As "Expert Warns of Rising AI Security Threats to Small Businesses" notes, cybercriminals now leverage AI to create convincing and personalized emails designed to deceive employees into revealing sensitive information or downloading malicious software.

According to Brian Finch, co-leader of the cybersecurity, data protection and privacy practice at Pillsbury Law, writing in Forbes, AI-generated phishing emails have "significantly higher open rates than conventionally composed phishing emails." This increased effectiveness makes them dangerous for small businesses that may lack advanced security infrastructure. The problem is highlighted in "The Growing Cyber Risks from AI — and How Organizations Can Fight Back," which notes that phishing surged 202% in late 2024, and over 80% of phishing emails now incorporate AI, with nearly 80% of recipients opening them.

These AI-powered attacks include business email compromise schemes where criminals impersonate executives or vendors, deepfake voice messages that accompany phishing emails, and automated spear-phishing campaigns that adapt based on recipient responses. As Henriques notes in SC Media, when combined with funds transfer fraud, business email compromise schemes accounted for 60% of all cybersecurity claims in 2024, demonstrating that even basic email attacks can be effective.

As "The Growing Cyber Risks from AI" explains, "Compared to the traditional process of cyber-attacks, the attacks driven by AI have the capability to automatically learn, adapt, and develop strategies with a minimum number of human interventions." The result is that "attacks that once took days now unfold in minutes," leaving traditional detection technology struggling to keep pace with these strikes.

As Rom Hendler, CEO and cofounder of Trustifi, points out in Forbes Technology Council, hackers now "often place ads on job sites looking for experts in AI to help develop malicious tools," treating cybercrime as a business and investing in the same advanced technologies that legitimate companies use. Mark Bower-Easton, Head of Distribution at Oxford Capital, emphasizes the scope of this challenge in "Expert Warns of Rising AI Security Threats to Small Businesses," stating, "Cyber-attacks are on the rise, driven by increasingly innovative tactics from criminal gangs and state-sponsored hackers targeting both individual financial data and national infrastructure. Yet, as attackers evolve, so do defenders."

Real-world examples show these threats. According to Forbes, WordPress and Instagram fell victim to AI-based cybersecurity incidents, impacting more than 20,000 WordPress sites. The gig economy platform TaskRabbit also suffered an AI-driven breach when hackers launched a bot-based denial-of-service attack, affecting more than 3.75 million users.

 

1. Implement advanced email filtering

Modern email filtering solutions go beyond traditional spam filters by analyzing sender behavior, message content, and attachment characteristics to identify potential dangers. 

However, Hendler notes a challenge in Forbes: "most legacy security technologies are not designed to stop an AI-generated incident or handle the level of volume typically associated with a more sophisticated AI-led attack," as many traditional security solutions rely on blacklisting and whitelisting rather than more advanced AI-powered interpretation technologies. "Expert Warns of Rising AI Security Threats to Small Businesses" highlights that hackers are using AI to scan for and exploit vulnerabilities in software systems at unprecedented speed and scale, with small businesses at risk due to limited resources for frequent software updates and patches.

The U.S. Small Business Administration emphasizes the importance of keeping all software updated as a fundamental security measure. Install antivirus software on all business computers and update it regularly, as software vendors provide patches and updates to correct and improve security and operations. According to the SBA, it's best to configure your software to install updates automatically, and also to update all operating systems, web browsers, and other applications to help secure all business data.

The U.S. Small Business Administration also recommends using Cloud Service Providers (CSPs) to host information and collaboration services, noting that Software-as-a-Service providers for email and workplace productivity can help secure data, especially under a hybrid work model.

"The Growing Cyber Risks from AI — and How Organizations Can Fight Back" emphasizes the importance of using AI-driven defensive tools, like behavior-based detection, anomaly hunting, and automated response platforms so you can react in real time to emerging threats.

However, technology alone isn't enough. As Henriques emphasizes in his SC Media commentary, while AI-powered security tools are valuable for defending against AI threats, "they are not a silver bullet." Instead, businesses must adopt what he calls a "defense-in-depth strategy"—a multi-layered cybersecurity approach that protects against the failure of any single control by adding multiple safeguards.

 

2. Invest in employee training and awareness

The U.S. Small Business Administration identifies employees and work-related communications as the leading cause of small business data breaches, noting that they are direct pathways into your systems. Regular, engaging cybersecurity training should be a non-negotiable part of your business operations. 

According to the SBA, training your employees on internet usage best practices can help in preventing cyberattacks. Useful training topics include spotting phishing emails, using good internet browsing practices, avoiding suspicious downloads, enabling authentication tools and protecting sensitive vendor and customer information.

Train employees to recognize red flags such as urgent requests for wire transfers, unexpected password reset emails, requests to verify account information, and messages that create a sense of panic or urgency. Given the rise of deepfake scams, as highlighted by Henriques in SC Media, employees should also be trained to question unusual requests, especially those involving financial transactions or confidential data. The Growing Cyber Risks from AI article reports that some studies indicate a 3,000% increase in deepfake fraud activity.

"Expert Warns of Rising AI Security Threats to Small Businesses" emphasizes that deepfake technology now poses a threat, as cybercriminals use AI to create realistic audio and video impersonations of company executives. These deepfakes can be used to manipulate employees into transferring funds or sharing confidential information.

Modern threat actors have expanded beyond traditional email phishing to include vishing (voice phishing) and smishing (SMS text phishing) attacks. According to Forbes, these attacks often work in tandem with email campaigns. Vishing attacks "often lead users to a hacker-controlled website, luring the victim to input their online credentials," while smishing uses SMS messages with embedded malicious URLs. Forbes notes that victims of these multi-channel attacks "are less likely to question the email source if they have already spoken to the impostor on the phone or via SMS text."

 

3. Create clear verification procedures

Establish and enforce clear protocols for sensitive transactions and information requests. Any email requesting wire transfers, changes to payment information, or access to sensitive data should trigger a verification process that uses a separate communication channel. 

The U.S. Small Business Administration recommends working with banks or card processors to ensure you are using the most trusted tools and anti-fraud services for secure payment processing. According to the SBA, businesses should isolate payment systems from less secure programs—for example, do not use the same computer to process payments and casually browse the internet. This separation creates a barrier that prevents cross-contamination between high-risk and critical business functions.

To counter voice deepfakes, Henriques recommends in SC Media that businesses implement an additional safeguard: establishing previously agreed-upon codewords that allow both parties to verify their identities during phone calls. This simple but effective measure can prevent voice spoofing attacks that might otherwise succeed even when employees follow verification protocols.

The U.S. Small Business Administration also emphasizes the importance of preventing unauthorized individuals from gaining physical access to business computers. Laptops and mobile devices can be easy targets for theft and can be lost, so they should be locked when unattended. Additionally, the SBA recommends that administrative privileges be given only to trusted IT staff and key personnel, and that businesses perform access audits on a regular basis to ensure that former employees are removed from systems.

 

4. Regular backups and incident response planning

The U.S. Small Business Administration recommends regularly backing up data on all computers. According to the SBA, if possible, perform data backups to cloud storage on a weekly basis to help minimize data loss.

The U.S. Small Business Administration also recommends auditing the data and information housed in cloud storage repositories on a regular basis, including services like Dropbox, Google Drive, Box, and Microsoft Services. According to the SBA, businesses should appoint administrators for cloud storage drives and collaboration tools, and instruct administrators to monitor user permissions as well. Employees should have access to only the information they need, following the principle of least privilege.

Develop and regularly test an incident response plan that outlines exactly what to do if you suspect or confirm an email-based attack. This plan should include steps for isolating affected systems, notifying relevant parties, preserving evidence, and recovering operations. The Growing Cyber Risks from AI article recommends updating your incident response plan with scenarios like model poisoning, deepfake impersonation, or AI-driven malware, and including legal, communications, and other relevant stakeholders in your response teams.

 

FAQs

How can small businesses identify AI-generated phishing emails that look authentic?

Look for subtle inconsistencies such as unusual tone, context errors, or unexpected urgency even in otherwise well-written emails.

 

Can AI-driven cyberattacks also target social media or messaging apps?

Yes, attackers increasingly use multi-channel campaigns that combine email with fake social media profiles or direct messages.

 

How often should employee cybersecurity training be conducted?

The U.S. SBA recommends quarterly refreshers, especially as AI threats evolve faster than traditional scams.
