TL;DR

AI-powered attacks surged 47% in 2025, with deepfake phishing alone jumping 310% since 2023 — but most SMBs are buying AI-branded security tools without understanding what actually stops these threats. The real defence isn't one magical AI platform; it's layered controls targeting specific attack surfaces: AI-aware email filtering, identity verification for voice/video, prompt injection guardrails on any AI agent touching business data, and a governance framework that treats AI tools like any other third-party vendor.

The Threat Landscape Has Changed — And It's Personal

AI didn't invent cybercrime, but it industrialised it. Where attackers once spent weeks crafting a single spear-phishing email, they now generate hundreds of personalised, grammatically flawless messages in minutes. The numbers tell the story: 68% of cyber threat analysts say AI-generated phishing is harder to detect in 2025 than any previous year, and 63% of cybersecurity professionals now rank AI-driven social engineering as their organisation's top threat for 2026.

For SMBs, this is existential. 60% of small businesses that suffer a significant breach close within six months. The average cost of an AI-powered data breach hit $5.72 million in 2025 — a 13% jump — and financial services bore 33% of all AI-driven incidents. Australian businesses are in the crosshairs too: 20% of companies report being targeted by deepfake attacks daily.

What makes this different from traditional threats is scale and believability. AI-generated phishing doesn't have typos. Deepfake voice clones don't sound robotic. The attacker's economics have flipped: cheaper to attack, harder to detect, and the defensive tools marketed as "AI-powered" are not all created equal.

AI-Powered Phishing and Deepfake Social Engineering: The Front Door Attack

Phishing remains the number-one initial access vector. AI has made it dramatically more effective. Large language models generate contextually convincing emails that reference real business relationships, recent transactions, and internal jargon scraped from breached data or public sources. Business Email Compromise (BEC) attacks powered by AI now craft messages that pass both spam filters and human inspection.

Deepfake attacks are the escalation. In one commonly reported pattern, a finance controller receives a voicemail that sounds identical to the CEO — cloned from just seconds of publicly available audio from a conference talk or podcast. The message authorises an urgent wire transfer. These synthetic media attacks grew 62% year-over-year in 2025, primarily targeting enterprise verification systems and financial controls.

What actually works for SMBs:

  • Microsoft Defender for Business (~$6 AUD/user/month) includes AI-driven email protection that analyses writing patterns, sender reputation anomalies, and link behaviour in real time. It catches a meaningful chunk of AI-generated phishing that legacy signature-based tools miss.
  • CrowdStrike Falcon Go (~$30 USD/device/month) provides endpoint detection with behavioural AI that flags unusual process chains — the kind of activity that follows a successful phishing payload. It's designed for organisations without a security team.
  • Identity verification protocols are the cheapest and most effective control against deepfake social engineering. The rule is simple: any financial transaction or credential change requested via voice, video, or email must be confirmed through a separate channel. A phone call to a known number. An in-person check. This costs nothing to implement and stops the majority of deepfake-driven fraud.
  • Security awareness training must now include deepfake examples. Platforms like KnowBe4 and Proofpoint offer AI-specific phishing simulation modules. Budget $2–5 AUD per user per month.

What's hype: Any vendor claiming their tool "detects all deepfakes" is overstating. Detection accuracy varies wildly depending on the model, language, and audio quality. The arms race between generation and detection favours the attacker. Verification protocols beat detection tools every time.

Prompt Injection and AI Agent Security: The New Attack Surface You Probably Haven't Secured

If your business uses AI agents — chatbots handling customer queries, AI assistants with access to internal documents, automated workflows that chain LLM calls to tools and databases — you have a new attack surface that traditional security doesn't cover.

Prompt injection is the single most exploited vulnerability in modern AI systems. An attacker embeds malicious instructions inside data that an AI agent reads: a support ticket, a document, an email subject line. The agent interprets these as commands and executes them. In an enterprise context, this can mean exfiltrating customer data, modifying records, or escalating privileges — all through natural language manipulation.

The risk compounds with agentic AI. Agents chain actions together, access multiple systems, and operate at machine speed. NIST classifies this as "agent hijacking" — a form of indirect prompt injection where malicious instructions hidden in consumed data push the agent toward unintended actions. A single poisoned input can cascade across your CRM, email, and file storage.

The OWASP Top 10 for LLM Applications ranks prompt injection, sensitive information disclosure, and supply chain vulnerabilities as the top three threats. For agentic AI specifically, the top concerns are memory poisoning (corrupting an agent's persistent state), tool misuse (tricking an agent into calling APIs it shouldn't), and privilege compromise.

What actually works for SMBs:

  • Principle of least privilege for agents. Every AI agent should have the minimum access required for its function. A customer-facing chatbot does not need database write access. An internal summarisation tool does not need email-sending capability. Audit what your agents can reach.
  • Input sanitisation and output filtering. Any data fed to an AI agent from external sources (customer inputs, web scraping, third-party APIs) must be sanitised. Resources like Lasso Security's MCP Gateway and Protect AI's Guardian enforce context guardrails and monitor prompts in real time. Budget $500–2,000 AUD/month depending on usage.
  • Human-in-the-loop for high-risk actions. Any AI agent action involving financial transactions, data deletion, credential changes, or external communications should require explicit human approval. This is a design choice, not a product — and it's free to implement.

What's hype: "AI firewall" products that claim to block all prompt injections. The academic literature is clear: prompt injection is an unsolved problem in general. Mitigations reduce risk; they do not eliminate it. Any vendor claiming otherwise is not being honest.

Model Theft and AI Supply Chain Risks: Guarding Your Competitive Edge

Model theft — stealing proprietary or fine-tuned AI models — is an emerging threat most SMBs haven't considered. If you've invested in fine-tuning a model on your customer data, sales patterns, or proprietary processes, that model is a valuable intellectual property asset. Attackers targeting model weights, training data, or inference APIs can replicate your competitive advantage overnight.

The broader supply chain risk is equally concerning. The OWASP Top 10 for LLMs flags "LLM supply chain vulnerabilities" at number three: using pre-trained models or plugins from untrusted sources can introduce backdoors, data exfiltration channels, or biased behaviour that's nearly impossible to detect through normal testing.

Practical steps for SMBs:

  • Inventory every AI tool and model your organisation uses. Who provides it? What data does it access? Where are model weights stored? This sounds basic, but most SMBs cannot answer these questions.
  • Vet AI vendors like any other third-party supplier. Ask for SOC 2 reports, data handling policies, and incident response procedures. If a vendor can't provide these, find an alternative.
  • Scan for hallucinated dependencies. AI-generated code can reference packages that don't exist — a growing attack vector where attackers publish malicious packages under those names. Tools like Socket.dev and Snyk detect these automatically. Free tiers cover most SMB needs.

Governance Frameworks: The Boring Thing That Actually Saves You

Technology alone won't solve this. The organisations that survive AI-driven attacks are the ones with governance frameworks that dictate how AI is used, monitored, and responded to when things go wrong.

The essential components for SMBs:

  1. AI usage policy. Document which AI tools are approved, what data can be shared with them, and what tasks require human oversight. This should be a living document, not a one-time exercise.
  2. Vendor risk assessments. Every AI tool gets evaluated against the same criteria: data residency, encryption at rest and in transit, access controls, breach notification timeline, and right to audit. Use the NIST AI Risk Management Framework (AI RMF 1.0) as your reference structure.
  3. Incident response plan updated for AI. Your IR plan needs scenarios for AI-specific incidents: prompt injection leading to data exposure, deepfake-driven fraud, AI agent misconfiguration. Practice these scenarios annually.
  4. Continuous monitoring. The Australian Cyber Security Centre (ACSC) Essential Eight remains the baseline. Layer AI-specific monitoring on top: log all AI agent actions, alert on anomalous tool usage patterns, and review agent permissions quarterly.

Cost reality: A basic AI governance framework can be implemented for $5,000–15,000 AUD for a 50-person SMB using existing staff and open-source templates. That's roughly 0.3% of the average breach cost. It's the highest-ROI security investment you can make.

FAQ

Q: Do SMBs really need AI-specific security tools, or are traditional tools enough? A: Traditional tools miss AI-generated threats. AI phishing passes legacy spam filters because it's grammatically correct and contextually relevant. Deepfake voice attacks bypass call-back verification if you don't have a secondary channel. You need at minimum AI-aware email filtering and identity verification protocols. You do not need every "AI-powered" product on the market.

Q: How much should an SMB budget for AI-specific cybersecurity? A: For a 50-person business, budget $15,000–30,000 AUD per year. This covers endpoint detection (CrowdStrike Falcon Go or similar), email security (Microsoft Defender for Business), security awareness training with AI modules (KnowBe4), and basic governance implementation. Scale up or down based on your industry risk profile.

Q: What's the biggest gap in most SMB security postures right now? A: AI agent access controls. Most businesses deploying AI chatbots, assistants, or automated workflows haven't audited what those agents can access or do. A customer-facing chatbot with access to an internal knowledge base is a data breach waiting to happen. Fix this first — it costs nothing to restrict permissions.

Q: Are Australian businesses specifically targeted? A: Yes. Australian businesses face above-average rates of AI-driven social engineering, with 20% reporting daily deepfake targeting. The ACSC has issued specific guidance on AI-enabled threats. Australian SMBs in financial services, healthcare, and professional services are particularly attractive targets due to high-value data and historically lower security maturity compared to enterprise peers.

Conclusion

AI cybersecurity for SMBs isn't about buying the most expensive AI-branded tool. It's about understanding the specific threats — AI phishing, deepfake social engineering, prompt injection, supply chain risks — and applying targeted, layered controls. The most effective defences are often the cheapest: verification protocols, least-privilege agent design, and a governance framework that treats AI like any other business risk.

Start with an inventory of every AI tool your business uses. Audit what each one can access. Implement a verification protocol for any financial action requested electronically. Train your team on what AI-generated attacks look like. Then layer in the technology: AI-aware email filtering, behavioural endpoint detection, and prompt injection guardrails for any agent-facing systems.

The threats are real and growing. The defences are achievable. The gap between the two is usually just awareness and action.

Visit consult.lil.business for a free cybersecurity assessment tailored to your business.

References

  1. AI Cyber Attacks Statistics 2026: Attacks, Deepfakes & Ransomware — SQ Magazine
  2. Prompt Injection Attacks: The Most Common AI Exploit in 2025 — Obsidian Security
  3. Enterprises Are Racing to Secure Agentic AI Deployments — Help Net Security
  4. NIST AI Risk Management Framework (AI RMF 1.0) — National Institute of Standards and Technology
  5. 25 Social Engineering Statistics That MSPs Should Know About in 2026 — Guardz

Need to prove security trust?

Start with qualified triage. We verify authority, minimise access, define scope, and focus on evidence that helps with insurers, customers, tenders, boards, auditors, and AI governance reviewers.

Start Qualified Triage