Apr 08 2026

Are Small Businesses Ready To Guard Against Deepfake Phishing Attempts?

SMB IT leaders can reduce risk from artificial intelligence-powered scams with practical, layered defenses that don’t require enterprise-scale resources.

Most IT leaders at small to medium-sized businesses (SMBs) are likely familiar with the high-profile deepfake phishing attack in early 2024 in which a multinational company lost $25 million after an employee joined a video call with scammers impersonating colleagues, including the CFO.

While that example involved a large enterprise, the same tactics are increasingly being used against smaller organizations — which often have fewer security resources and less formal verification processes.

At the same time, generative artificial intelligence (AI) is rapidly improving. Tools for creating convincing fake videos, synthetic voices and spoofed identities are becoming easier to access and cheaper to deploy. According to Fortinet’s 2025 Global Threat Landscape Report, AI is now “supercharging the cybercrime supply chain,” making sophisticated attacks more scalable than ever.

For small businesses, this creates a unique challenge: Attackers don’t need to breach complex systems if they can simply impersonate a trusted executive or vendor.

In fact, one survey found that 43% of finance workers admitted to falling for phishing attempts — a statistic that underscores how difficult these scams can be to detect.


“Many deepfake phishing campaigns are fueled by targeting information obtained from compromised accounts,” says Jim Richberg, head of cyber policy and global field CISO at Fortinet. “That connection makes the outreach seem legitimate.”

For SMBs, where IT teams are often small and employees wear multiple hats, that credibility can make it even harder to distinguish real requests from malicious ones.

That’s why foundational user training remains one of the most cost-effective defenses. Even as technology evolves, teaching employees to recognize classic phishing signals — urgency, unusual requests or changes in normal processes — can significantly reduce risk.

A Practical, Multilayered Security Approach for SMBs

Traditional email filters and text-based protections are no longer enough — especially for organizations with limited security layers.

AI-powered impersonation can now support real-time conversations, answering personal verification questions and mimicking trusted individuals. This makes it easier for attackers to bypass help desks or trick employees into approving payments or sharing credentials.

For SMB IT leaders, the goal isn’t to replicate enterprise-scale defenses but to build a rightsized, multilayered strategy that combines:

For example, one of the most effective changes is also one of the simplest: slowing down.

“Users are more likely to fall for scams on mobile devices,” Richberg explains. Encouraging employees to review financial or sensitive requests on a full-sized screen — where they can inspect links and verify details — adds an extra layer of protection.

SMBs can also reduce risk by introducing lightweight process controls, such as:

  • Requiring a second approver for financial transactions
  • Verifying requests through a separate communication channel (such as a phone call)
  • Standardizing procedures for password resets or account changes

These steps don’t require major investments, but they can dramatically reduce exposure.


Rethinking Authentication in the Age of AI

As deepfake audio improves, even voice-based authentication may become less reliable. Organizations that rely on biometric verification should monitor evolving threats and be prepared to adapt.

For SMBs, this doesn’t necessarily mean replacing systems immediately. Instead, it means:

  • Staying informed about emerging risks
  • Layering authentication methods (such as multifactor authentication)
  • Periodically reviewing security policies

“This will require organizations to monitor emerging threat capabilities and upgrade their security practices,” Richberg says.

 
