In early 2024, a finance worker at Arup, a multinational engineering firm, received an email from the company’s CFO requesting several confidential transactions. Suspicious of the request, the employee did exactly what security experts recommend: they requested a video call to verify.
The call was arranged. Multiple people joined—the CFO and several colleagues. Everyone looked right. Everyone sounded right. The finance worker, reassured by what they saw and heard, authorized 15 transactions totaling $25 million.
Every single person on that video call was an AI-generated deepfake.
By the time Arup discovered the fraud, the money had vanished into accounts across Hong Kong. Rob Greig, Arup’s global chief information officer, later told reporters: “The number and sophistication of these attacks has been rising sharply in recent months.”
This isn’t a cautionary tale from some distant future. This is happening right now, and if you’re running an SMB, you’re actually more at risk than the Fortune 500 companies making headlines.
The Threat Has Evolved—And It’s Personal
For years, cybersecurity advice for small and medium businesses focused on the basics: strong passwords, employee training, and updated software. That advice isn’t wrong, but it’s no longer enough.
Artificial intelligence has fundamentally changed what attackers can do:
- Personalized attacks at scale. Remember when phishing emails were easy to spot because of broken English and generic greetings? AI can now scrape your LinkedIn, analyze your company’s website, and craft convincing messages that reference real projects, actual colleagues, and genuine business contexts. What used to take hours of manual research now takes seconds.
- Voice and video deepfakes. That phone call from your CFO asking you to approve an urgent payment? AI voice cloning tools can replicate someone’s voice from just a few seconds of audio—easily found in a webinar recording or company video. Some tools can even generate convincing video calls.
- Automated vulnerability discovery. AI doesn’t just help attackers craft better scams. It helps them find weaknesses in your systems faster than ever before. AI-powered tools can probe your network, identify outdated software, and exploit vulnerabilities before your IT team even knows they exist.
- Adaptive social engineering. Traditional attack scripts followed patterns. AI-driven attacks learn and adapt in real time based on your responses, making them exponentially harder to recognize.
Why SMBs Are Prime Targets
Here’s the uncomfortable truth: attackers know that small and medium businesses often have the worst of both worlds—valuable assets worth stealing, but without enterprise-level security budgets or dedicated security teams.
You have:
- Bank accounts worth targeting
- Customer data that can be sold or ransomed
- Access to larger partners through your supply chain
- Smaller IT teams with limited time for security
Attackers also know that many SMBs haven’t updated their security posture in years. Those “basic” defenses you put in place five years ago? They were designed for a different threat landscape.
The Cost of Inaction Isn’t Theoretical
When I work with SMB executives, I often hear, “We haven’t been attacked yet, so we must be doing something right.” That’s like saying you don’t need smoke detectors because your house hasn’t burned down.
Consider what a successful attack actually costs:
- Direct financial loss: The average cost of a data breach for SMBs is $2.98 million, according to recent studies
- Operational downtime: Most ransomware attacks shut down operations for days or weeks
- Customer trust: 60% of small businesses that suffer a cyberattack go out of business within six months, largely due to lost customer confidence
- Regulatory penalties: Data breaches now trigger mandatory reporting and potential fines under various privacy laws
- Recovery costs: Forensics, legal fees, PR management, and system rebuilding add up quickly
What Actually Works in the AI Era
The good news? You don’t need a Fortune 500 budget to protect yourself. But you do need to update your approach:
- Assume your employees will be fooled. The best training in the world can’t keep up with AI-generated attacks. Instead of relying solely on employee vigilance, implement verification protocols for sensitive actions. A simple callback to a known number before approving any wire transfer could have saved that manufacturing company $2.3 million.
- Implement multi-factor authentication everywhere. Not just for email—for every system that touches money, customer data, or critical operations. Yes, it’s inconvenient. So is bankruptcy.
- Update your incident response plan. When was the last time you tested it? Does it account for AI-powered attacks? Do your employees know what to do if they suspect they’ve been compromised? An outdated plan is worse than no plan because it creates false confidence.
- Get serious about vulnerability management. You can’t protect systems you don’t know about, and you can’t patch vulnerabilities you haven’t identified. This doesn’t require expensive tools—it requires discipline and regular assessment.
- Consider bringing in expertise. I’m obviously biased here, but there’s a reason fractional executives exist. You don’t need a full-time CISO, but you absolutely need someone who understands both the technical landscape and your business priorities to help you make smart security decisions.
The Real Question
The question isn’t whether AI will be used against your business. It already is. The question is whether you’ll adapt your defenses before or after you become a statistic.
Cybersecurity isn’t an IT problem anymore—it’s a business survival issue. And in an era where AI gives attackers unprecedented capabilities, hoping you’re too small to be noticed is not a strategy.
If you’re not sure where to start, start by asking yourself: If we got hit tomorrow, would we survive?
At 2Go Advisory Group, our fractional CTOs help SMBs navigate complex technology challenges including cybersecurity strategy, AI adoption, and technology infrastructure. If you’d like to discuss how to protect your business in this evolving landscape, reach out.

Learn more about Katrina Montinola and our services at https://www.2goadvisorygroup.com/artificial-intelligence or contact kmontinola@cios2go.com or +1 (650) 346-3880.