TL;DR

AI has simultaneously armed attackers with scalable, convincing social engineering and given defenders genuinely useful detection tools — but the SMB market is flooded with overpromises. The threats that matter most right now are AI-generated phishing that bypasses traditional filters, deepfake voice and video used for wire fraud, and prompt injection against AI agents handling sensitive data. The defenses that actually work are layered: AI-augmented email filtering, identity-based access controls, and governance frameworks like NIST's AI RMF — not a single "AI security" appliance.


The Threat Landscape Has Shifted — AI Changed Both Sides

Two years ago, phishing emails were identifiable by awkward grammar and generic greetings. Today, large language models generate flawless, personalized lures at scale — in any language, referencing real business context scraped from LinkedIn and your own website. Simultaneously, the defensive tooling market has exploded, with vendors slapping "AI-powered" labels on everything from antivirus to firewalls. For SMB leaders, the challenge isn't a lack of tools — it's separating signal from noise.

1. AI-Powered Phishing: The Volume Problem Is Real

The Australian Cyber Security Centre (ACSC) and CISA have both reported sharp increases in phishing volume and quality since 2024. LLMs let attackers generate thousands of variant emails, each tailored to a specific recipient, for near-zero marginal cost. BEC (business email compromise) alone cost Australian businesses over $98 million in reported losses in 2023–2024, and AI is accelerating that trend.

What works for SMBs:

  • AI-augmented email security gateways like Proofpoint Essentials (from ~$5/user/month), Mimecast (from ~$9/user/month), and Avanan (now Check Point, from ~$6/user/month) use ML models to analyse sender behaviour, content patterns, and link reputation in real time. These genuinely outperform legacy filters.
  • DMARC enforcement (p=reject) remains the single highest-ROI control — it's free and stops attackers sending mail as your exact domain, provided SPF and DKIM are set up and aligned first. It does nothing against lookalike domains, which is why the gateway filtering above still matters. Many SMBs still haven't implemented it.
  • MFA with phishing-resistant factors (FIDO2/WebAuthn keys like YubiKey, ~$55–$80 each) neutralises credential phishing regardless of how convincing the lure is.
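As an added illustration (not code from the article or from any vendor named above), this Python function parses a DMARC TXT record of the kind published at _dmarc.<your-domain> and reports why it falls short of p=reject enforcement; the three records are constructed samples, and the DNS lookup is left out so it runs offline.

```python
"""Assess a DMARC record for enforcement strength (added example, not from the article)."""

# Constructed sample records, in the form published as a TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the effective policy and the reasons it is not fully enforced.
    DMARC only works once SPF/DKIM are aligned and never covers lookalike
    domains (examp1e.com), so gateway filtering is still needed."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("missing or invalid p= tag; receivers ignore the record")
        policy = "none"
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of rejecting it")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sp = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sp, -1) < POLICY_RANK[policy]:
        findings.append(f"sp={sp}: subdomains are weaker than the main domain")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    enforced = policy == "reject" and pct == 100 and sp == "reject"
    return {"policy": policy, "pct": pct, "enforced": enforced, "findings": findings}
```

To check your own domain, fetch the TXT record for _dmarc.<your-domain> with your usual DNS tool and pass the string to assess_dmarc.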

What's hype: Standalone "AI anti-phishing" browser extensions that promise 99% detection rates. They test well in labs and degrade in production against adversarial inputs.

2. Deepfake Social Engineering: Low Frequency, High Impact

The 2024 Arup engineering firm case — where a Hong Kong finance employee transferred $25.6 million after a deepfake video call impersonating the CFO — is the canonical example. Similar incidents have hit UK, Austrian, and Australian firms. A voice clone can be built from as little as 3 seconds of sample audio.

For SMBs, the realistic risk is voice deepfake fraud: a caller impersonating your CEO or supplier, urgently requesting a payment change or wire transfer.

Practical controls:

  • Out-of-band verification policies for any payment detail change or transfer above a threshold. Call back on a known number — not the one provided by the caller.
  • Dual-authorisation for wire transfers (already an ISO 27001 expectation under A.8.13).
  • Staff awareness training that specifically covers deepfake scenarios, not just generic phishing. KnowBe4 (~$20–$35/user/year) and Proofpoint Security Awareness include deepfake modules in 2026.

Deepfake detection tools (Pindrop, Reality Defender, McAfee Deepfake Detector) exist but are enterprise-priced ($15,000+/year) and still produce false positives. For most SMBs, process controls beat technology here.

3. Prompt Injection and AI Agent Security: The New Attack Surface

If your business uses AI agents — whether that's a customer service chatbot, an internal assistant with access to documents, or automated workflows connected to APIs — you have a new attack surface that traditional security tools don't cover.

Prompt injection is the dominant risk: an attacker embeds instructions in content the AI processes (a document, a web page, an email subject line) that override the system prompt. In 2024, researchers demonstrated prompt injection against Bing Chat (Copilot) and multiple enterprise assistants. In 2025, OWASP released its LLM Top 10, with prompt injection ranked #1.

Real-world SMB exposure scenarios:

  • A customer support chatbot that has access to other customers' order data being tricked into leaking it
  • An AI agent connected to email and calendar being manipulated to forward sensitive messages
  • A RAG (retrieval-augmented generation) system ingesting untrusted web content that contains hidden instructions

What works:

  • Least privilege for agent permissions. Don't give an AI agent blanket email access. Scope tokens to specific folders or read-only operations.
  • Output filtering and content guardrails. Lakera Guard (~$0.001–$0.01 per API call) and Promptfoo (open source, free) can screen prompts and outputs for injection attempts.
  • Human-in-the-loop for any agent action involving payments, data deletion, or external communications.
  • Vendor due diligence. If using Microsoft Copilot, Google Gemini for Workspace, or similar, review their data handling and isolation guarantees. Microsoft's Copilot for Microsoft 365 does not train on your data, but not all vendors offer the same protection.
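To make the first and third bullets concrete, here is an added example (not code from the article or from any agent product it names) of a tool dispatcher that enforces least privilege and a human-in-the-loop gate outside the model: the tool names, the AgentScope class and the scenario are hypothetical and constructed for illustration.

```python
"""Least-privilege tool gating for an LLM agent (added example, not from the article)."""
from dataclasses import dataclass, field

# Hypothetical tool names; real agent frameworks name and wire these differently.
READ_ONLY = {"read_inbox", "search_docs", "read_calendar"}
SIDE_EFFECTING = {"send_email", "forward_email", "delete_file", "make_payment"}

@dataclass
class AgentScope:
    """What one agent may do, fixed at deployment time, never by the model."""
    allowed_tools: set
    mailbox_folders: set                                  # read access limited to these
    approval_queue: list = field(default_factory=list)    # human-in-the-loop inbox

def dispatch(scope: AgentScope, call: dict) -> dict:
    """Gate a model-requested tool call. Status: executed / denied / pending_approval.
    The decision uses only the scope, never the model's text, so an instruction
    injected through a document or email body cannot widen the agent's access."""
    tool, args = call.get("tool"), call.get("args", {})
    if tool not in scope.allowed_tools:
        return {"status": "denied", "reason": f"{tool} is not granted to this agent"}
    if tool in READ_ONLY:
        folder = args.get("folder")
        if folder is not None and folder not in scope.mailbox_folders:
            return {"status": "denied", "reason": f"folder {folder} is out of scope"}
        return {"status": "executed", "tool": tool}      # the real API call would go here
    if tool in SIDE_EFFECTING:
        scope.approval_queue.append(call)                # payments, comms, deletion wait for a human
        return {"status": "pending_approval", "tool": tool}
    return {"status": "denied", "reason": "tool is in no known class"}

# Constructed scenario: a support agent reads a ticket whose body carries injected
# instructions, and the model dutifully requests the calls below.
SUPPORT_AGENT = AgentScope(allowed_tools={"read_inbox", "search_docs", "send_email"},
                           mailbox_folders={"Support"})
REQUESTED_CALLS = [
    {"tool": "read_inbox", "args": {"folder": "Support"}},              # legitimate
    {"tool": "read_inbox", "args": {"folder": "Finance"}},              # scope creep
    {"tool": "forward_email", "args": {"to": "outside@example.net"}},   # never granted
    {"tool": "send_email", "args": {"to": "customer@example.com"}},     # needs approval
]

def run_scenario() -> list:
    """Return the status of each requested call, in order."""
    return [dispatch(SUPPORT_AGENT, call)["status"] for call in REQUESTED_CALLS]

if __name__ == "__main__":
    print(run_scenario())   # ['executed', 'denied', 'denied', 'pending_approval']
```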

4. Model Theft and Data Poisoning: The Supply Chain Risk

If your business fine-tunes models or uses custom AI pipelines, two risks deserve attention:

Model theft — exfiltration of proprietary fine-tuned weights or training data. This is primarily a concern for organisations investing significant resources in custom models. The mitigation is standard data security: encryption at rest, access logging, network segmentation for training infrastructure.

Data poisoning — adversarial manipulation of training data to embed backdoors or biases. For SMBs consuming third-party models (via API or open-source downloads), this is a supply chain trust problem. Stick to models from established providers (OpenAI, Anthropic, Google, Mistral) and verify checksums on open-source downloads from Hugging Face.

5. Governance: The Framework That Ties It Together

The single most underrated investment for SMBs is a governance framework — not because it sounds impressive, but because it forces you to inventory your AI usage, classify risks, and assign ownership.

NIST AI Risk Management Framework (AI RMF 1.0) is the global reference. Published in January 2023 and freely available, it structures AI risk management around four functions: Govern, Map, Measure, and Manage. It's designed to be adaptable — you don't need a 50-person security team to use it.

For Australian SMBs, the ACSC's Essential Eight remains the baseline technical controls framework, and it maps cleanly onto AI threats: application control (A.3) limits agent execution, restricted admin privileges (A.5) limits blast radius, and multi-factor authentication (A.4) is your phishing defence.

ISO/IEC 42001:2023 (AI Management System standard) is emerging as the certification path for organisations that need formal AI governance — relevant if you're pursuing ISO 27001 and want to demonstrate AI risk maturity to enterprise clients.


FAQ

Q: Do we need a dedicated "AI security" product? Not necessarily. Most AI threats are addressed by strengthening existing controls — MFA, least privilege, email filtering, network segmentation. Dedicated AI security tools (Lakera, HiddenLayer, Robust Intelligence) become valuable when you're deploying custom AI agents or fine-tuning models. For a 20-person firm using standard SaaS, prioritise process controls and awareness training first.

Q: How much should an SMB budget for AI-related cybersecurity? If you're already spending on email security ($5–$9/user/month) and MFA, your incremental AI-specific spend should be modest — typically $2,000–$5,000/year for a small business, primarily for enhanced awareness training, guardrail tooling, and a governance review. The expensive mistakes are emergency incident response (deepfake wire fraud averages $50,000–$500,000 per incident) — not the preventive spend.

Q: Are deepfake attacks actually targeting small businesses? Yes, though less frequently than enterprises. Attackers target anyone with payment authority. The 2024 incidents ranged from multinationals to firms with under 50 staff. The attack is cheap (~$50 for a voice clone using commercial tools) and the payoff is high. Process controls — callback verification, dual authorisation — are your best defence regardless of company size.

Q: What's our legal exposure if an AI agent we deploy causes harm? Under Australian law, you're responsible for the actions of systems you deploy, regardless of whether a human initiated the action. The Privacy Act 1988 applies to personal data handled by AI systems. If an agent leaks customer data due to prompt injection, that's a notifiable data breach under the NDB scheme. ISO 42001 and the NIST AI RMF both provide defensible frameworks for demonstrating due diligence.


Conclusion

AI hasn't created entirely new categories of cyber risk — it's dramatically lowered the cost and skill barrier for attackers while expanding your attack surface through AI-powered tools and agents. The SMBs that stay safe aren't the ones buying the most expensive "AI security" appliances; they're the ones implementing layered controls (DMARC, phishing-resistant MFA, least-privilege agent access), building human process barriers against social engineering, and adopting governance frameworks that force structured thinking about where AI touches their business.

Your next steps, in priority order:

  1. Implement DMARC enforcement (p=reject) if you haven't — it's free and blocks domain spoofing
  2. Upgrade to phishing-resistant MFA (FIDO2) for all admin and finance accounts
  3. Inventory your AI usage — list every tool, agent, and API that processes your data
  4. Adopt the NIST AI RMF as your governance scaffold — it's free and framework-agnostic
  5. Run a deepfake-specific tabletop exercise with your finance team

Don't wait for the regulatory deadline or the vendor pitch. The threats are operational today.

Visit consult.lil.business for a free cybersecurity assessment. We'll help you map your AI attack surface and build a prioritised defence plan — no jargon, no vendor lock-in.


References

  1. NIST AI Risk Management Framework (AI RMF 1.0) — The US National Institute of Standards and Technology's framework for managing risks associated with AI systems, January 2023.
  2. ACSC Annual Cyber Threat Report 2023–2024 — Australian Cyber Security Centre's annual report detailing phishing, BEC, and social engineering trends affecting Australian organisations.
  3. OWASP Top 10 for Large Language Model Applications — Community-driven list of the most critical security risks for LLM applications, with prompt injection ranked #1, 2025 edition.
  4. ISO/IEC 42001:2023 — AI Management System Standard — International standard specifying requirements for establishing, implementing, and improving an AI management system.
  5. CISA Cybersecurity Advisories — Deepfake and AI-Enabled Social Engineering — US Cybersecurity and Infrastructure Security Agency guidance on defending against AI-enhanced social engineering attacks.

