
AI-Powered Cybercrime: The New Threat to Small Business
Cybercriminals have discovered a powerful new weapon: artificial intelligence. And they’re using it to target Australian small businesses at an alarming rate.
Research shows that 43% of Australian businesses faced AI-powered attacks in 2024, with the average incident costing $49,600. These aren’t your traditional cyber threats. AI enables criminals to automate attacks, create highly personalised phishing scams, and use deepfakes to mimic trusted voices and faces. The attacks are faster, cheaper, and much harder to detect.
Five AI Threats Every SME Should Know
1. Hyper-Personalised Phishing
AI scrapes social media and business data to craft convincing emails that impersonate your suppliers, partners, or even your accountant. These aren’t generic spam. They reference real projects, use correct names, and look completely legitimate.
2. Deepfake Voice and Video Scams
Criminals use AI to clone executive voices or create fake video calls. Your finance team receives what appears to be a video message from your CEO authorising an urgent payment. It looks real, sounds real, but it’s completely fabricated.
3. AI-Enhanced Ransomware
Modern ransomware uses AI to constantly rewrite its own code, evading traditional antivirus detection. These ‘polymorphic’ attacks are contributing to a nearly 300% rise in ransomware incidents.
4. Shadow AI Data Leaks
Your staff might be using free AI tools like ChatGPT to draft emails or summarise documents, innocently uploading confidential customer data, financial records, or strategic plans in the process. Once that data leaves your systems, you’ve lost control of it.
5. Automated Password Attacks
AI accelerates credential stuffing attacks, trying millions of username and password combinations faster than your IT team can react. If your team reuses passwords across sites, attackers can gain access within minutes.
How to Protect Your Business: Essential Actions
1. Create an AI Usage Policy
Document every AI tool your business uses, including hidden ones in your CRM or email software. Define clear rules about what data cannot be uploaded to AI systems (customer records, financial data, personal information). Make this policy part of your staff onboarding.
2. Enforce Multi-Factor Authentication Everywhere
This single step prevents the majority of automated attacks. Require MFA across all business accounts, including any AI platforms you use. No exceptions.
3. Train Staff to Verify Unusual Requests
Implement a ‘human-in-the-loop’ rule: any unusual financial request or urgent payment instruction must be verified through a second, independent channel. If someone emails asking for payment details to be changed, call them on a known number to confirm. Never rely solely on email or video.
4. Use Enterprise-Grade AI Tools
Free AI tools can use your data to train their models. Switch to enterprise subscriptions that guarantee your business data remains private and isn’t used for AI training purposes.
5. Deploy AI-Powered Security
Fight AI with AI. Modern security tools use artificial intelligence to detect anomalies in real time, spotting unusual login patterns, suspicious email behaviours, or abnormal data access before damage occurs.
Does Your Cyber Insurance Cover AI Attacks?
Here’s the critical question: if your business falls victim to an AI-powered attack, is your cyber insurance adequate?
Many policies were written before AI-enabled threats became mainstream. They may not adequately cover deepfake fraud, AI-enhanced social engineering, or data breaches caused by shadow AI usage. With the Privacy Act and Australian Cyber Security Act 2024 tightening requirements, inadequate cyber cover could leave you exposed to both financial losses and regulatory penalties.
Key coverage to review:
- Social engineering and funds transfer fraud (including deepfake scenarios)
- Breach response costs (forensic investigation, customer notification, legal fees)
- Business interruption from ransomware or system compromise
- Regulatory defence costs and penalties
- Cyber extortion and ransom payments
Don’t Wait for an Attack
AI-powered cybercrime isn’t a future threat. It’s happening now. The criminals are already using these tools. The question is whether your business is prepared.
Protection requires both operational changes (policies, training, technology) and appropriate insurance coverage. One without the other leaves you vulnerable.
Is your cyber insurance ready for AI-powered threats?
Let’s review your coverage and ensure you’re protected against the latest cyber risks.
