
The 10 Most Common Ways Small Businesses Get Hacked in 2026

Updated: Mar 31

Small Businesses Are the Target. The Numbers Prove It.


Attackers don’t go after small businesses because they’re interesting. They go because they’re accessible. Limited IT staff, deferred updates, and undertrained employees make SMBs the path of least resistance for automated, AI-assisted attacks.

The Verizon 2025 DBIR analysed 22,000+ incidents and 12,000+ confirmed breaches and found 88% of SMB breaches involved ransomware. IBM’s Cost of a Data Breach 2025 put the global average at $4.44 million. The FBI’s 2024 IC3 Report recorded $16.6 billion in cybercrime losses, up 33% year-on-year.

 

88% of SMB breaches involved ransomware

$4.44M global average breach cost

33% increase in cybercrime losses in 2024

 

Sources: Verizon DBIR 2025 · IBM Cost of a Data Breach 2025 · FBI IC3 2024 Annual Report





1. Phishing — Now AI-Generated by Default


Phishing was the most-reported cybercrime in the FBI 2024 IC3 Report, with ~193,000 complaints. What changed: 83% of phishing emails are now AI-generated (KnowBe4 2025). The old red flags (bad grammar, strange formatting) are gone. Kaseya’s 2025 research found 80% of AI phishing attacks target SMBs, averaging $50,000 per incident.


What it looks like in practice

• An invoice from a real supplier, with updated banking details and the correct tone.

• A Microsoft 365 login alert asking you to verify after ‘unusual sign-in activity.’

• A QR code in a printed document directing to a credential-harvesting page.

 

What to do

• Run phishing simulations using AI-quality templates, not 2019 scenarios.

• Deploy DMARC, SPF, and DKIM to block domain spoofing.

• Train staff to report suspicious emails, not just delete them.

Sources: KnowBe4 2025 Phishing Trends Threat Report · FBI IC3 2024 Annual Report · Kaseya 2025 Email Security Report · Verizon DBIR 2025

 

2. Stolen Credentials — The Number One Breach Vector

Compromised credentials were involved in 22% of all confirmed breaches (Verizon DBIR 2025). 88% of attacks against business web applications used stolen credentials. Credential stuffing accounted for 19% of all authentication attempts in SSO provider logs on an average day.

The DBIR found only 49% of a user’s passwords across services were unique. A breach at a consumer platform routinely unlocks corporate accounts.

 

22% of all confirmed breaches began with stolen credentials (Verizon Data Breach Investigations Report 2025)

 

✔  What to do

• Enforce MFA on every external-facing platform — starting with email.

• Deploy a password manager to eliminate credential reuse across accounts.

• Monitor for credential exposure by checking your domain against known breach databases.

Sources: Verizon DBIR 2025 · Verizon DBIR 2025 Credential Stuffing Research (Langlois, 2025)

 

3. Ransomware — Disproportionately Targeting SMBs


Ransomware was present in 44% of all breaches in the Verizon DBIR 2025, a 37% increase year-on-year. Among SMBs, 88% of breaches involved ransomware. Sophos 2025 put the average recovery cost at $1.53 million. Critically, 69% of businesses that paid were attacked again.

 

88% of SMB breaches involved ransomware in 2025 (Verizon DBIR 2025 · Sophos State of Ransomware in Manufacturing 2025)

⚠  Double extortion is now standard

• 87% of 2025 ransomware attacks involved data exfiltration alongside encryption.

• Attackers steal files first, then encrypt — threatening to publish if ransom is not paid.

• Paying the ransom does not remove the risk of data publication.

 

✔  What to do

• Maintain offline or immutable backups — tested regularly.

• Segment your network so ransomware cannot spread laterally from one compromised device.

• Patch externally-facing systems on a defined schedule. Most ransomware exploits known vulnerabilities.

Sources: Verizon DBIR 2025 · Sophos State of Ransomware 2025 · FBI IC3 2024 Annual Report

 

4. Business Email Compromise (BEC) — No Malware Required

BEC requires no technical exploit. An attacker impersonates a supplier or executive and redirects a payment. The FBI IC3 received 21,489 BEC complaints in 2023 with $2.9 billion in adjusted losses. Over 2022–2024, IC3 recorded nearly $8.5 billion total. The AFP’s 2025 Fraud Survey found 63% of organisations experienced BEC in 2024.

 

$8.5B in BEC losses reported to FBI IC3 between 2022 and 2024 (FBI IC3 / Nacha Report, 2025)

 

✔  What to do

• Require a verbal callback to a known number for any change to payment or banking details.

• Enable MFA on all business email accounts.

• Require dual approval on wire transfers above a defined threshold.

Sources: FBI IC3 2024 Annual Report · AFP 2025 Fraud and Control Survey · Proofpoint 2024 IC3 Analysis (May 2025)

 

5. Unpatched Software and Exposed Edge Devices


Vulnerability exploitation surged 34% year-over-year in the Verizon DBIR 2025, accounting for 20% of confirmed breaches. VPN-targeted exploits grew almost eight-fold. Roughly half of all perimeter device vulnerabilities observed remained unresolved throughout the reporting period.

Attackers scan for vulnerable devices at scale. Your unpatched firewall is discovered the same way Google indexes a webpage. 

What it looks like in practice

• A VPN appliance running 2022 firmware with a publicly documented critical exploit.

• Remote desktop protocol (RDP) exposed directly to the internet with no additional access controls.

• A website plugin not updated for six months, with a known injection vulnerability.

 

✔  What to do

• Maintain an inventory of all internet-facing devices and software versions.

• Subscribe to vendor security advisories: most exploits follow public disclosure within days.

• Decommission or replace legacy edge devices no longer receiving security updates.

Sources: Verizon DBIR 2025 · Enzoic DBIR 2025 Analysis (August 2025)

 

6. Third-Party and Supply Chain Attacks


Breaches involving external partners doubled year-over-year to 30% of all breaches (Verizon DBIR 2025). The attack often doesn’t land on your systems directly; it lands on your provider’s. Attackers then use the trusted connection that already exists to reach your environment.

 

30% of all confirmed breaches involved a third party, doubled from 15% the year before (Verizon DBIR 2025)

✔  What to do

• Ask every vendor with system access to evidence their security controls.

• Review and restrict permissions granted to third-party integrations.

• Include breach notification obligations in vendor contracts.

Sources: Verizon DBIR 2025 · SensCy 2025 SMB Cybersecurity Threats Report

 

7. MFA Bypass: When Multi-Factor Authentication Isn’t Enough


Prompt bombing (flooding a user with push notifications until they accept one) appeared in 14% of all incidents in the Verizon DBIR 2025. Adversary-in-the-Middle (AiTM) attacks, token theft, and SIM swapping complete a toolkit that increasingly defeats push-notification and SMS-based MFA.

MFA remains essential. But push or SMS MFA is no longer sufficient for high-value accounts. The DBIR recommends phishing-resistant FIDO2 passkeys for email, financial systems, and admin access.

 


⚠ Common MFA bypass methods in 2025

• Prompt bombing: 30+ push requests at 2am until the user accepts one.

• Adversary-in-the-Middle (AiTM): intercepting MFA prompts in real time.

• SIM swapping: taking control of a phone number and all SMS codes sent to it.

 

✔  What to do

• Move high-risk accounts from push/SMS to FIDO2 hardware keys or passkeys.

• Train employees to report unexpected MFA prompts immediately — never accept one you didn’t initiate.

Sources: Verizon DBIR 2025 · Beyond Identity DBIR 2025 Analysis · Descope DBIR 2025 Analysis
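Two of the patterns above, credential stuffing (section 2: one source replaying a breached password list against many accounts) and MFA prompt bombing (this section), both leave a recognisable trace in SSO logs. The following is an added example, not code from Armour Cybersecurity or any SSO provider; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO log sample in a hypothetical format: "<ISO ts> <event> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2025-03-10T02:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2025-03-10T02:00:02 LOGIN_FAIL user=bob ip=203.0.113.7
2025-03-10T02:00:03 LOGIN_FAIL user=carol ip=203.0.113.7
2025-03-10T02:00:04 LOGIN_FAIL user=dave ip=203.0.113.7
2025-03-10T09:15:00 LOGIN_FAIL user=alice ip=198.51.100.4
2025-03-10T09:15:30 LOGIN_OK user=alice ip=198.51.100.4
2025-03-10T02:10:00 MFA_PUSH_SENT user=grace ip=203.0.113.7
2025-03-10T02:10:40 MFA_PUSH_SENT user=grace ip=203.0.113.7
2025-03-10T02:11:20 MFA_PUSH_SENT user=grace ip=203.0.113.7
2025-03-10T02:11:45 MFA_PUSH_APPROVED user=grace ip=203.0.113.7
"""

def parse(log):
    """Each line becomes (timestamp, event, user, source ip)."""
    events = []
    for line in log.splitlines():
        ts, event, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user[5:], ip[3:]))
    return events

def credential_stuffing(events, min_users=4):
    """Source IPs whose failed logins span many distinct accounts: a breached
    password list being replayed, not one person mistyping their password."""
    failed = defaultdict(set)
    for _, event, user, ip in events:
        if event == "LOGIN_FAIL":
            failed[ip].add(user)
    return {ip: len(u) for ip, u in failed.items() if len(u) >= min_users}

def push_fatigue(events, max_pushes=3, window=timedelta(minutes=10)):
    """Users sent max_pushes or more MFA pushes inside `window` (prompt bombing);
    the value is (pushes in the burst, whether one was approved in that window)."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for ts, event, user, _ in events:
        if event == "MFA_PUSH_SENT":
            pushes[user].append(ts)
        elif event == "MFA_PUSH_APPROVED":
            approvals[user].append(ts)
    flagged = {}
    for user, times in pushes.items():
        times.sort()
        for start in times:
            burst = [t for t in times if start <= t <= start + window]
            if len(burst) >= max_pushes:
                flagged[user] = (len(burst), any(start <= a <= start + window for a in approvals[user]))
                break
    return flagged
```

An approved push at the end of a burst is the case to page on: the account should be treated as compromised until the user confirms they initiated the login.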

 

8. Unmanaged Personal Devices (BYOD)

The Verizon DBIR 2025 found that 46% of infostealer-compromised devices with corporate login data were non-managed personal devices. A personal laptop not enrolled in MDM has no security policies, no endpoint detection, and no remote wipe capability.

VikingCloud’s 2025 research found 74% of SMB owners self-manage security or rely on an untrained person. At many SMBs, no one is responsible for defining endpoint standards.

46% of credential exposure came from non-managed personal devices (Verizon DBIR 2025)

✔  What to do

• Define a BYOD policy specifying which platforms can be accessed from personal devices.

• Require device compliance checks before granting access to sensitive systems.

• Enforce MFA and configure session timeouts on all cloud platforms.

Sources: Verizon DBIR 2025 · VikingCloud 2025 Cyber Threat Landscape Study

 

9. Voice Phishing, Deepfakes, and AI Impersonation


Vishing (voice phishing) affected 30% of organisations in 2025, up 15% year-over-year. AI voice cloning now achieves 98% accuracy from a three-minute sample. Deepfake files surged from 500,000 in 2023 to a projected eight million by end of 2025.

What it looks like in practice

• A call from someone who sounds exactly like your CEO, asking finance to process an urgent payment.

• A video call with your ‘accountant’ asking you to confirm banking credentials before an audit.

• A text from a supplier’s real number (compromised phone) with a link to updated invoice terms.

 

✔  What to do

• Establish a verbal code word for high-value financial requests — required regardless of who appears to be calling.

• Extend phishing training to include vishing and deepfake scenarios — not just email.

• Implement an out-of-band confirmation process for any transfer above a defined threshold.

Sources: SensCy 2025 Cybersecurity Threats Report · KnowBe4 2025 Phishing Trends Threat Report

 

10. Human Error and Insider Risk

The Verizon DBIR 2025 found approximately 60% of all confirmed breaches involved a human action: a malicious click, a socially engineered call, or the misdelivery of sensitive data. The WEF puts the human error share at 95% of cybersecurity breaches.

For small businesses the risk is compounded by over-permissioned access. When every employee reaches every folder and database, a single compromised account can reach everything.

 

What it looks like in practice

• A customer data file emailed to the wrong external address — triggering breach notification obligations.

• A former employee’s account still active two weeks after resignation, used to access company files.

• A shared admin password, never rotated, used by a former contractor from overseas.

 

✔  What to do

• Implement an offboarding checklist: immediate account disablement and access revocation across all platforms.

• Audit permissions regularly. Remove access that is no longer needed.

• Conduct security awareness training at least annually, with targeted refreshers after incidents.

Sources: Verizon DBIR 2025 · World Economic Forum Global Cybersecurity Outlook 2025 · BD Emerson 2025

 

The Cost of Doing Nothing


All ten attacks above succeed because of operational gaps that are entirely fixable. IBM’s Cost of a Data Breach 2025 found the global average breach cost is $4.44 million, and that organisations using AI and automation in security saved $1.9 million per breach. VikingCloud puts downtime cost at $53,000 per hour. The average time to identify a breach is 241 days (IBM 2025).

The question is not whether you can afford security. It’s whether you can afford the alternative.




 

Quick Reference: All 10 Attack Vectors

Attack Vector | Key Stat | Primary Control
--- | --- | ---
1. Phishing (AI-enhanced) | 193K complaints, FBI IC3 2024 | Phishing sims; DMARC/SPF/DKIM
2. Stolen Credentials | 22% of breaches; DBIR 2025 | MFA; credential monitoring; password manager
3. Ransomware | 88% of SMB breaches; DBIR 2025 | Offline backups; network segmentation; patching
4. Business Email Compromise | $2.9B losses in 2023; FBI IC3 | Verbal verification; MFA on email; dual approval
5. Unpatched Vulnerabilities | Exploitation +34% YoY; DBIR 2025 | Asset inventory; patch schedule; decommission legacy
6. Supply Chain / Third Party | Third-party breaches doubled; DBIR 2025 | Vendor assessment; limit permissions; notify clauses
7. MFA Bypass | Prompt bombing in 14% of incidents | FIDO2/passkeys for high-risk accounts
8. BYOD / Unmanaged Devices | 46% of credential exposure; DBIR 2025 | MDM policy; compliance checks; zero trust
9. Deepfakes and Vishing | Vishing: 30% of organisations; 2025 | Code words; out-of-band verification
10. Human Error / Insider Risk | 60% of breaches; DBIR 2025 | Offboarding process; least-privilege; awareness training

 

 

Frequently Asked Questions

What is the most common way small businesses get hacked in 2026?

According to the Verizon 2025 DBIR, stolen credentials remain the single most common initial access vector, involved in 22% of all confirmed breaches. Phishing is the most frequently reported attack type by volume.

How much does a cyberattack cost a small business?

IBM’s Cost of a Data Breach 2025 puts the global average breach cost at $4.88 million. For SMBs specifically, research from VikingCloud puts downtime cost at approximately $53,000 per hour. Total Assure’s 2025 study found an average SMB breach loss of approximately $120,000.

Does multi-factor authentication protect against all attacks?

MFA significantly reduces risk but is no longer a complete solution. The Verizon DBIR 2025 documented a surge in MFA bypass techniques, including prompt bombing (in 14% of incidents), adversary-in-the-middle attacks, and SIM swapping. For high-risk accounts, phishing-resistant FIDO2 passkeys are recommended over push notifications or SMS codes.

Are small businesses really targeted by hackers?

Yes. The Verizon DBIR 2025 found that 88% of SMB breaches involved ransomware, and KnowBe4’s 2025 research found that 80% of AI-generated phishing attacks target SMBs rather than large enterprises. Small businesses are attractive targets precisely because they typically have weaker defences.

What is the single most impactful security control for a small business?

Multi-factor authentication on email and financial platforms. It prevents the vast majority of credential-based attacks and is available at no additional cost on most platforms. Pair it with a phishing simulation programme and a formal offboarding process for the highest return on security investment.

 

About This Document

Produced by Armour Cybersecurity (armourcyber.io) for awareness and informational purposes. All statistics are drawn from primary sources published in 2025 or 2026: Verizon 2025 DBIR, FBI IC3 2024 Annual Report (published May 2025), IBM Cost of a Data Breach 2025, Sophos State of Ransomware 2025, KnowBe4 2025 Phishing Trends Threat Report, Kaseya 2025 Email Security Report, VikingCloud 2025 Cyber Threat Landscape Study, AFP 2025 Fraud and Control Survey, and others cited per section. Statistics should be verified against source reports for formal use. Armour Cybersecurity does not warrant the continued accuracy of third-party data.

armourcyber.io  ·  © Armour Cybersecurity 2026
