4 in 5 small businesses had cyberattacks last year and almost half of those were AI powered

One more reason things cost more today: cybercrime.

A survey by the Identity Theft Resource Center, a San Diego-based education and victim resource nonprofit, found that 38% of small businesses hit by a cyberscam or breach in the previous 12 months passed those losses to customers by raising prices.

Another key finding: Cybercrime against small businesses is increasingly fueled by artificial intelligence.

“The era of predictable, human-scale threats has been superseded by a new reality of automated, intelligent and massively scalable attacks powered by AI,” said the report, which discusses trends in threats, prevention and attacks. It also gives detailed recommendations about network and application security, data protection and employee and contractor practices. (The survey reached out to more than 650 companies across more than 12 industries in August.)

Eva Velasquez, the CEO of the Identity Theft Resource Center, said the results offer a stark reminder that hackers aren’t picky. They will grab data and money from anyone, including large and small businesses, and individuals.

“When we think about risk, it really is all businesses,” Velasquez said. From mom and pops to large companies, “They’re all attractive to hackers.” Small businesses sometimes don’t pay enough attention to cybersecurity “because they think they’re not vulnerable. They think, ‘Well, why would anybody target me?’”

Not only are they being targeted, but they are being successfully breached, some multiple times a year. Two or three breaches in a 12-month period was the most common pattern. Another 34% had one breach and almost 12% had four or more.

One encouraging shift: The percentage of companies with one or two breaches increased from 2024, while the percentage of companies with more than two breaches dropped. Perhaps companies are improving their cybersecurity protocols after a first or second breach.

The report, however, said companies being hit only once says something about cyber attackers’ methods.

“Threat actors appear to be focusing on opportunistic, high-volume strikes. This alters the risk calculus for (small businesses), shifting the primary challenge from defending against a determined, persistent adversary to repelling a continuous barrage of single-shot attacks from a multitude of sources.”

The nonprofit helps individuals for free, and business in some cases get charged fees used to fund its free services. The nonprofit faced a significant drop in federal government grants last year, but remains financially robust thanks to private donors and unclaimed awards from class action settlements, Velasquez said.

“Our services remain available at the same level they were prior to changes in the federal grant processes/availability,” Velasquez said.

AI attacks have skyrocketed

Four out of five small businesses reported they were victims of a security or data breach in the past 12 months — a statistic unchanged from a year before.

But the nature of these attacks has changed, with AI taking center stage.

In past surveys of small businesses that suffered cyber and data breaches, incidents were caused by insecure cloud environments, ransomware, hackers, malicious employees or contractors, lapses by remote workers, software flaws and attacks on third-party vendors, the report said.

AI was not even named as a cause, as recently as 2024.

But in 2025, 41% of small business victims said AI was the root cause of a recent attack.

Generative AI can craft “highly personalized social engineering attacks that mimic the tone and context of legitimate internal communications,” the report says.

Hackers now are launching large-scale, automated attacks that cover a lot more ground, Velasquez said.

In cybercrime, AI is the great equalizer. Sophisticated scams can be carried out by less knowledgeable wrongdoers who use generative AI.

“These tools are effectively democratizing advanced attack capabilities that were once the domain of highly skilled actors,” the report said.

The cause for data and cyber breaches that saw the biggest percent drop in 2025, compared to 2024, was remote work — which makes sense, as workers have returned to offices. Every other cause of attacks has also dipped, perhaps as scammers and data thieves turned to AI.

While AI was added to the list and some causes became less prevalent, no cause disappeared.

Paying the price

When small businesses suffer a breach or fraud, the financial hit can include lost revenue, legal costs, fines and penalties, insurance, marketing and security overhauls.

Adding up these expenses, the survey found that 37% of companies lost more than $500,000 last year, per incident. A quarter lost up to $250,000 and another quarter lost between $250,000 and $500,000.

To recoup costs, companies used cash reserves, turned to investors for funds, cut jobs, or tapped credit and cyber insurance. They also adopted a new tactic: 38% raised prices.

“This represents a significant, inflationary macroeconomic ripple effect stemming directly from the worsening cyberthreat landscape for small businesses,” the report said.

One reason for this change may be that other sources of funding were harder to come by. A smaller percentage got money from investors to respond to cyber and data breach incidents in 2025 than 2024. Also, fewer companies turned to cyber insurance, with almost a quarter of companies saying they had “difficulty obtaining or renewing cyber insurance” after a breach. “This suggests that as the frequency and cost of claims have risen, insurers have responded by adjusting underwriting standards.”

Compared to 2024, fewer companies cut jobs as a way to offset losses due to cybercrime: 18%, down from 27%.

Relying less on insurance and investors, and opting to cut fewer jobs as a result of cyber breaches, may have each or all contributed to the raising of prices.

Preventing losses

Which sensitive data did crooks slink away with?

Employee data was most commonly accessed in breaches, with customer data and company IP both ranking close behind.

To fight back, some companies have robust tools in place, but the survey also found a disturbing trend. “The implementation of critical security measures, such as multi-factor authentication, has declined,” it said. One reason, the report posited: company leaders are overwhelmed and “neglecting the very basics that provide an effective defense.”

Velasquez and her nonprofit urge companies to keep studying known and evolving threats and to keep adapting their cybersecurity practices.

“The single most critical access control for any (small business) to implement is MFA,” the report said. MFA stands for multi-factor authentication — a system of safety checks where a request to access secure information has to be vetted through multiple, independent channels. MFA makes it “significantly harder for attackers to use stolen passwords.”

Examples of these are free authenticator apps (like Google Authenticator), SMS codes that get sent to a user’s phone when they try to log in using a password, and physical hardware tokens.

The report cited an “alarming decline in MFA adoption for internal systems,” from around 33% in 2024 to around 27% in 2025. This “represents a critical, high-priority vulnerability that SBs must address immediately.”

‘A societal shift’

“Really good companies with robust cybersecurity can have a breach,” Velasquez said. “It’s not an automatic indicator of negligence.”

But companies with less robust cybersecurity are far more at risk.

The report has six pages of tips for preventing cyber and data breaches and countering AI-powered attacks. These range from what kind of training companies should offer to how firewalls should be set up, to data encryption best practices and more.

Small businesses need to strengthen their prevention, but Velasquez also made this pitch to consumers: don’t turn away from companies that are taking steps to protect your data, even if it’s annoying.

That crushingly long four-second delay until a verification text message arrives, the extra screen taps involved in using an authenticator app — those are a sign a company is doing things right.

“One of the conflicts that we have is convenience versus security. And businesses are fighting this tension between, ‘I have to be secure and I have to make people jump through hoops to prove that they are who they say they are, so that I can protect their data, their account, their information.’ And individuals going, ‘I want convenience.’”

“If we have a societal shift where we understand that some friction, a little bit of inconvenience, is actually good for us,” she said.

A company that asks you to do those things is one you should do business with, Velasquez added, “because you know that they have put measures in place to protect you and your data.”