Small businesses and the criminal use of AI
The biggest challenge now
AI-powered cybercrime is revolutionizing Business Email Compromise (BEC) scams, enabling criminals to pose as trusted individuals with scale and precision.
Using Large Language Models (like ChatGPT), attackers can now automate the creation of personalized emails and even voice messages by scraping publicly available data like from voices on podcasts or LinkedIn. This lets them bypass traditional security measures and exploit our trust in familiar communication patterns, and so can trick employees into giving away sensitive information or transferring funds to fraudulent accounts. (Read part one for a fuller look at this.)
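The defensive counterpart to the attack described above is to stop judging a message by its content (which an LLM can make sound exactly like the boss) and instead check whether the sender's identity lines up with who the message claims to be. The following added example, which is not Bryley's code, runs a few header-level checks over two constructed messages: the company domain, the executive roster and both messages are made up for illustration.

```python
"""Header-level triage for executive-impersonation email (BEC), run over
constructed sample messages. Added example, not Bryley's code; the company
domain, executive roster and messages are all made up for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Assumed organization data (constructed).
COMPANY_DOMAIN = "example-shop.test"
EXECUTIVES: Dict[str, str] = {"pat owner": "pat@example-shop.test"}  # display name -> real mailbox

# Phrases typical of payment-pressure lures; a flag, not a verdict on its own.
PRESSURE_WORDS = ("urgent", "wire", "immediately", "last-minute", "before noon")


def triage(raw_message: str) -> Dict[str, object]:
    """Return identity findings and a hold decision for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    sender_domain = addr.rpartition("@")[2]

    identity: List[str] = []
    real_mailbox = EXECUTIVES.get(display.strip().lower())
    if real_mailbox and addr != real_mailbox:
        identity.append("display name matches an executive but the address does not")
    if real_mailbox and sender_domain != COMPANY_DOMAIN:
        identity.append("executive name used from an external domain")
    if reply_to and reply_to != addr:
        identity.append("Reply-To routes replies away from the From address")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    pressure = [w for w in PRESSURE_WORDS if w in text]

    # Hold for out-of-band verification whenever identity does not line up;
    # pressure language alone is only annotated, since legitimate mail uses it too.
    return {
        "from": addr,
        "identity_findings": identity,
        "pressure_findings": pressure,
        "hold_for_verification": bool(identity),
    }


# Constructed samples: a look-alike "owner" on a free mail domain, and the real owner.
SPOOFED = """\
From: "Pat Owner" <pat.owner@freemail-example.test>
Reply-To: "Pat Owner" <pat.owner.mobile@freemail-example.test>
To: bookkeeper@example-shop.test
Subject: Urgent - bulk order, wire today

Hi, great chatting at the Boston show. Need a $75,000 wire out before noon
to lock in the bulk price. Will send the account details in a minute.
"""

LEGIT = """\
From: "Pat Owner" <pat@example-shop.test>
To: bookkeeper@example-shop.test
Subject: Friday lunch

Pizza at 12:30?
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, triage(sample))
```

The point of the design is that the identity checks do not depend on wording at all, so a perfectly mimicked tone does not help the attacker; the pressure-word list is kept as an annotation only, because a real owner also sends urgent wire requests and a content filter would either miss the good fake or block the genuine article.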
The changing rules of engagement
The efficiency and sophistication of these AI-driven attacks pose a threat to businesses of all sizes. For the reasons below, with the introduction of AI, even small organizations are more vulnerable to devastating financial losses.
Bryley has witnessed tactics evolve from ridiculously crude phishing attempts to fake antivirus-update-required emails to sophisticated impersonation scams. At each of these historical moments, the attacks reflected the real-world tech trends of the day. And today we’re just in the middle of digital evolution. Consider:
- A small shop receives an email from its owner urging a $75,000 wire transfer to get in on a last-minute bulk order opportunity. But AI has crafted the email from scraped social media data to capture the boss’ tone. AI can analyze public profiles to mimic individuals, as pointed out in Huntress’s 2023 trend report. And because small- to medium-sized businesses aren’t subject to the FTC regulations that demand disclosure from public companies, the FBI reports that attacks on them might go unreported due to embarrassment or fear of reputational damage.
- A family-owned bakery is attacked with a deepfake voicemail from a bank manager insisting on a $50,000 payment to fix an account discrepancy. AI voice synthesis, available on the dark web, makes this possible. A bakery might not report the loss to avoid signaling financial weakness to suppliers.
- And consider a small law firm where an AI chatbot, posing as a client from a compromised email account, tricks a paralegal into transferring $100,000 for a settlement. Chatbot tech’s conversational skills, highlighted in Microsoft’s 2024 Digital Defense Report1, drive this, and legal firms often hush up such breaches to protect client confidence.
Yes, these are hypotheticals, but they aren’t far-fetched; they’re extensions of documented patterns2. Such incidents often go unreported due to shame, financial recovery attempts or client trust concerns.
Limited resources against an enhanced enemy
The fact that smaller operations may have less money to throw at a problem shouldn’t be a surprise, so here are ways smaller businesses are affected:
Potential lack of cybersecurity personnel
- no one may be on-site who is expert in cybersecurity
- a limited role is given to an outsourced IT provider, often because of budget, instead of involving them to uphold a robust and evolving security stack
Reliance on trust-based relationships
- Larger businesses often have more robust financial controls:
- different people assigned to handle different parts of finances (a built-in checks and balances safeguard)
- better documentation and record-keeping (to trace the movement of funds and detect fraud so they’re better able to contain the damage)
- Larger companies usually have multi-layered approval processes, making it more difficult for BEC scams to succeed in the first place. These often include mandatory verification steps for any changes to payment instructions.
- Smaller businesses tend to have less formalized procedures, and so may be more vulnerable to social engineering that exploits personal relationships and trust.
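The controls listed above (different people handling different parts of finances, mandatory verification of payment-instruction changes, an approval layer on top) can be written down as a small state machine that a bookkeeping workflow has to pass through before a new vendor account becomes payable. The following added example, which is not Bryley's code, models that: the vendor record, phone numbers and staff roles are constructed for illustration, and the callback number is deliberately taken from the vendor file rather than from the request that asked for the change.

```python
"""Payment-instruction change control: separation of duties plus out-of-band
verification before a vendor bank-account change can be used for payment.
Added illustration, not Bryley's code. Vendor records, names and phone
numbers are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    PENDING = "pending"      # change entered, nothing verified yet
    VERIFIED = "verified"    # vendor confirmed by callback to the number on file
    APPROVED = "approved"    # a second, different person signed off; payable
    REJECTED = "rejected"    # vendor did not confirm the change


class ChangeControlError(Exception):
    """Raised when a step would bypass one of the controls."""


# Constructed vendor master file: the callback number lives here, never in the request.
VENDOR_PHONE_ON_FILE: Dict[str, str] = {"Acme Flour Co": "+1-555-0100"}


@dataclass
class PaymentChange:
    vendor: str
    new_account: str
    requested_by: str                 # staff member who entered the request
    status: Status = Status.PENDING
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # record-keeping for later tracing


def verify_by_callback(change: PaymentChange, verifier: str,
                       number_called: str, vendor_confirmed: bool) -> Status:
    """Out-of-band check: call the vendor on the number already on file."""
    on_file = VENDOR_PHONE_ON_FILE.get(change.vendor)
    if on_file is None or number_called != on_file:
        raise ChangeControlError("callback must use the number on file, not one supplied in the request")
    if verifier == change.requested_by:
        raise ChangeControlError("the requester may not perform the verification")
    if not vendor_confirmed:
        change.status = Status.REJECTED
        change.audit.append(f"{verifier}: vendor did not confirm; rejected")
        return change.status
    change.verified_by = verifier
    change.status = Status.VERIFIED
    change.audit.append(f"{verifier}: vendor confirmed on {on_file}")
    return change.status


def approve(change: PaymentChange, approver: str) -> Status:
    """Second layer: a third person signs off, and only after verification."""
    if change.status != Status.VERIFIED:
        raise ChangeControlError("approval requires a completed callback verification")
    if approver in (change.requested_by, change.verified_by):
        raise ChangeControlError("approver must differ from both requester and verifier")
    change.approved_by = approver
    change.status = Status.APPROVED
    change.audit.append(f"{approver}: approved")
    return change.status


def payable(change: PaymentChange) -> bool:
    return change.status == Status.APPROVED


def run_scenarios() -> Dict[str, str]:
    """Exercise the controls; returns the outcome of each scenario by name."""
    out: Dict[str, str] = {}

    # 1. Proper path: bookkeeper enters, office manager calls, owner approves.
    c = PaymentChange("Acme Flour Co", "NEW-ACCT-0001", requested_by="bookkeeper")
    verify_by_callback(c, "office_manager", "+1-555-0100", vendor_confirmed=True)
    approve(c, "owner")
    out["proper_path"] = "payable" if payable(c) else "blocked"

    # 2. Callback placed to a number that arrived with the request instead of the one on file.
    c = PaymentChange("Acme Flour Co", "NEW-ACCT-0002", requested_by="bookkeeper")
    try:
        verify_by_callback(c, "office_manager", "+1-555-0199", vendor_confirmed=True)
        out["callback_to_request_number"] = "allowed"
    except ChangeControlError:
        out["callback_to_request_number"] = "blocked"

    # 3. The same person tries to both request and approve.
    c = PaymentChange("Acme Flour Co", "NEW-ACCT-0003", requested_by="bookkeeper")
    verify_by_callback(c, "office_manager", "+1-555-0100", vendor_confirmed=True)
    try:
        approve(c, "bookkeeper")
        out["self_approval"] = "allowed"
    except ChangeControlError:
        out["self_approval"] = "blocked"

    # 4. Approval attempted with no verification at all.
    c = PaymentChange("Acme Flour Co", "NEW-ACCT-0004", requested_by="bookkeeper")
    try:
        approve(c, "owner")
        out["skip_verification"] = "allowed"
    except ChangeControlError:
        out["skip_verification"] = "blocked"

    # 5. Vendor, reached on the number on file, says they never asked for a change.
    c = PaymentChange("Acme Flour Co", "NEW-ACCT-0005", requested_by="bookkeeper")
    verify_by_callback(c, "office_manager", "+1-555-0100", vendor_confirmed=False)
    out["vendor_denies"] = "payable" if payable(c) else "blocked"
    return out


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

Three people touch every change and the only route to "payable" runs through a phone number the attacker never controlled, which is what makes this work against a message whose wording is flawless. The audit list is the documentation-and-record-keeping piece from the list above: if money still moves, it shows who verified what and when.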
The value of what’s on the internet
- Larger companies have a generally more sophisticated sales process than small businesses. This makes it likely that smaller businesses will put it all out there – on the web, on social media, etc. (More secure businesses often keep reports behind registration walls.) Readily accessible information makes a prime target for scrapers.
- Small businesses may have less awareness of the risks of web scraping. They might lack dedicated security personnel or the budget for scraping-mitigation approaches.
- A business may underestimate the value of seemingly innocuous information. But it can be used to facilitate a targeted attack (e.g. ‘thanks for making the payment change – be seeing you at the Boston show’).
Up next

I just have to outrun you
The bear grabs what’s at-hand (at-claw). People – in this case, cybercriminals – think like that, too. So having security fundamentals in place goes a long way to keeping your business secure. Only you’ve got to be aware this species of bear is evolving, so what’s fundamental evolves, too.
The availability of AI presents unique and escalating challenges for smaller-sized organizations, which are vulnerable to its misuse in cyberattacks.
While AI offers an appealing upside, its accessibility also empowers malicious actors with efficient, scalable attack methods, making businesses of any size more vulnerable.
These reports (parts 1 and 2 of 3) have laid the groundwork for understanding AI-driven threats. Bryley’s special reports are written as educational content that can be shared with team-members and acted on to improve your business’ security. In this spirit, coming next in our three-part guide is a four-question quiz, based on the multiple-choice structure of cybersecurity quizzes (this quiz is anonymous), so you can see how you (and your people) are faring with criminal-use-of-AI concepts …
1 https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024
2 Microsoft’s 2024 Digital Defense Report
Small businesses are especially susceptible to AI-enhanced attacks:
- AI-driven automation lets criminals target organizations of any size efficiently
- Smaller businesses are generally easier targets with lesser defenses
- Impersonation powered by AI creates emails (and voice calls and videos) that are designed to appear identical to genuine communications
- Small businesses tend to have less formal processes for verification – often trusting familiar email, text and voice patterns – which can open the door to abuses of tech that is trained on patterns