Technology Advisor Blog

When many people picture cybercrime, they imagine hackers breaking into giant corporations with sophisticated tools and complex code. But for most small businesses, cybercrime today looks much more ordinary - and much more personal.

• It looks like an email from a trusted vendor asking for updated payment information.

• It looks like a voicemail that sounds like a company executive requesting an urgent wire transfer.

• It looks like a Microsoft 365 login page that appears completely legitimate.

And increasingly, thanks to artificial intelligence, these scams are becoming harder and harder to spot.

The FBI recently released its latest Internet Crime Complaint Center (IC3) report, highlighting billions of dollars in losses tied to cybercrime, including growing losses from AI-assisted scams and cryptocurrency fraud. While the numbers themselves are staggering, the bigger takeaway for local businesses is this:

Cybercriminals are getting better at pretending to be someone you trust.

The Numbers Behind the Headlines

The statistics in the FBI’s newly released Internet Crime Complaint Center (IC3) report are difficult to ignore.

According to the report, Americans lost nearly $21 billion to cyber-enabled crime in 2025 alone. The FBI received more than 1 million complaints, a significant jump from the previous year. Among the most commonly reported issues were phishing and spoofing attacks, extortion, investment scams, compromised business email accounts, and tech support fraud.

One of the most striking findings is how heavily scammers are leaning on cryptocurrency-related fraud. Complaints involving cryptocurrency totaled more than $11 billion in reported losses.

But another statistic stands out for a different reason.

For the first time in the report’s nearly 25-year history, the FBI included a dedicated section on artificial intelligence-related cybercrime. The IC3 received more than 22,000 AI-related complaints, resulting in nearly $893 million in losses.

And those numbers likely represent only part of the picture.

Many people never report scams at all  -  especially when they feel embarrassed or fear they “should have known better.” Unfortunately, that stigma is exactly what makes cybercrime harder to fight.

The reality is that modern scams are becoming extraordinarily convincing. Criminals are now using AI to generate polished emails, clone voices, create fake identities, and produce believable videos that can imitate coworkers, executives, vendors, or even family members. These scams are designed to create urgency and emotional pressure, often catching people off guard during busy workdays.

This is one of the biggest mindset shifts businesses need to make:

Cybersecurity is no longer just about spotting obvious red flags. Increasingly, it’s about having processes and safeguards in place for situations where something looks legitimate but isn’t.

That’s why even well-run organizations with smart, experienced employees can still become targets.

It can happen to the best of us! Even with proper defenses in place like strong passwords, multifactor authentication, cybersecurity awareness training, phishing emails can still get through to someone's inbox, and just last week we saw yet another case of a clicked link.  Fortunately, in this case the local business was protected by Identity Threat Detect and Respond (ITDR), and the attack was stopped just a few seconds after it started!  (For more on that, check our recent blog: What if They're Already In?  The Blind Spot in Email Security Most Businesses Miss.

Why These Scams Are Becoming More Convincing

For years, phishing emails were often easier to spot. Many contained spelling mistakes, awkward wording, strange formatting, or suspicious-looking links that raised obvious red flags.

That’s changing quickly.

Artificial intelligence is giving cybercriminals new tools to create polished, professional, and highly believable scams at a scale we haven’t seen before. In its latest IC3 report, the FBI noted that AI technology now enables the creation of convincing synthetic content, including fake social media profiles, personalized conversations, audio, video, and other digital content that can be used to support fraud schemes.

The report also warns that AI-generated content is becoming increasingly difficult to detect while simultaneously becoming easier for criminals to create.

That matters for small businesses because many scams today are no longer generic “spam” messages sent to thousands of people. Attackers can now use AI tools to:

• write realistic emails without the spelling and grammar mistakes people once looked for
• imitate the tone and style of trusted coworkers or vendors
• create fake LinkedIn or social media profiles to build credibility
• generate convincing text conversations or customer service interactions
• clone voices or manipulate audio recordings
• produce realistic-looking invoices, documents, or videos

In many cases, these attacks are designed to create urgency and emotional pressure. A message may appear to come from a company executive requesting an immediate payment, a vendor asking to change banking information, or a trusted service provider warning about an account issue.

And because AI allows criminals to personalize these messages quickly, even experienced employees can find them difficult to distinguish from legitimate business communication.

One of the most important things business owners should understand is this:   Falling for a scam does not mean someone is careless or unintelligent.

Modern phishing and impersonation attacks are specifically engineered to appear trustworthy. Criminals study how businesses communicate, how approvals happen internally, and what kinds of messages employees are likely to respond to under pressure.

That’s why cybersecurity today is less about expecting employees to “catch every scam” and more about building processes, verification steps, and a workplace culture where people feel comfortable slowing down and asking questions when something seems unusual.

The Human Side of Cybercrime

One thing we often see after a phishing incident is embarrassment.

Employees may hesitate to report suspicious activity because they’re worried they’ll get in trouble or feel foolish for clicking something. Business owners sometimes avoid talking about scams altogether because they think it reflects poorly on their organization.

But silence is exactly what cybercriminals rely on.

The reality is that modern phishing attacks can fool almost anyone under the right circumstances — especially during busy workdays when people are moving quickly and multitasking. AI-generated messages can look remarkably convincing, particularly when they appear to come from trusted coworkers, vendors, or service providers.

Creating a workplace culture where employees feel comfortable reporting suspicious emails, unusual requests, or mistakes early can dramatically reduce the damage from an incident.

In cybersecurity, early reporting matters far more than perfection.

What Small Businesses Can Do Right Now

The good news is that small businesses do not need enormous IT departments or massive security budgets to make themselves significantly harder targets.

Often, the most effective improvements come from a combination of awareness, process, and layered protection.

Here are a few practical steps businesses can take now:

Slow Down Financial Requests

Many scams succeed because they create urgency.

If an employee receives a request involving:

• wire transfers
• gift cards
• payment changes
• payroll updates
• sensitive documents

there should always be a second method of verification before moving forward.

A quick phone call to a known number can prevent a major financial loss.

Make Reporting Easy

Employees should know:

• it’s okay to ask questions
• it’s okay to report suspicious messages
• it’s better to report something harmless than stay silent

The businesses that respond best to cyber threats are usually the ones where people feel safe speaking up quickly.

Use Multi-Factor Authentication Everywhere Possible

Multi-factor authentication (MFA) remains one of the simplest and most effective protections available.

MFA is a security measure that requires users to verify their identity using two or more methods - such as a password plus a code sent to a phone or generated by an authentication app. MFA helps protect accounts even if a password is stolen. 

Even if passwords are stolen through phishing, MFA can often stop attackers from gaining access to email accounts and business systems.

Provide Ongoing Security Awareness Training

Cybersecurity training is no longer just about spotting poor grammar in suspicious emails.

Employees need help understanding:

• impersonation tactics
• fake login pages
• urgent financial scams
• AI-generated messaging
• text-message phishing (“smishing”)
• fake tech support requests

The goal is not to make employees paranoid. It’s to help people recognize when something feels unusual and know what to do next.  If you know the message could be a fake, you're more likely to slow down and ask questions.

Have a Trusted IT and Security Partner

When something suspicious happens, time matters.

Having trusted professionals to call can help businesses respond faster, reduce damage, and avoid making stressful decisions alone during an incident.

Cybersecurity Is About Resilience, Not Perfection

The FBI’s report is an important reminder that cybercrime continues to evolve rapidly, especially as AI tools become easier for criminals to use.

But this is not a reason for panic.

It’s a reason for businesses to build practical habits, stronger verification processes, and a culture where employees feel supported instead of blamed.

No business can eliminate every risk entirely. The goal is not perfection  -  it’s resilience.

At Ekaru, we believe good cybersecurity starts with conversations, awareness, and trusted relationships. Technology matters, but people and processes matter just as much.

If you’d like help reviewing your organization’s cybersecurity practices, employee awareness training, or response planning, we’re always happy to have a conversation.

About the author: