Why the SME is now the primary engine of global cybercrime
- Written by Daniel Garcia, Vice President and General Manager for APAC at Kaseya

For over a decade, the most practical and effective advice we could offer an employee was to spot the typo. It was practical, it was free, and it worked. If an email looked slightly off or the grammar felt clunky, it was likely a trap.
But as we enter the second half of 2026, that era hasn't just faded — it has been systematically dismantled. According to the 2026 Kaseya INKY Email Security Report, the age of the obvious scam is over: AI has industrialised scamming.
In this new landscape, Australian small-to-medium businesses (SMBs) find themselves in a precarious position. They are no longer just the backbone of the economy but have become the primary engine of the global cybercrime economy. With 83% of phishing now AI-assisted, relying on the human eye to spot a mistake is no longer a reliable strategy. We must stop hoping staff can identify a scam when it lands in their inbox and start changing how we run our businesses day-to-day.
The myth of the small target
There is a persistent and dangerous myth in the boardroom that a business can be “too small to target”. Falling victim to this false sense of security could be the difference between your doors being open or shut by the end of the year. Our research shows that 82% of ransomware attacks now target organisations with fewer than 1,000 employees. Cybercriminals aren't always looking for the biggest prize. They are looking for the most efficient entry point, and SMBs often lack the dedicated security staff or modern infrastructure of their enterprise counterparts.
When that entry point is breached, the downward trajectory is almost impossible to stop. The median loss for an SMB following a Business Email Compromise (BEC) event now stands at US$50,000. While that might be a rounding error for a multinational, for 60% of small businesses, a successful cyberattack is a terminal event that forces them to close their doors within just six months. To survive, we must move beyond awareness and into decisive action, keeping pace with how quickly these threats are evolving.
Tells aren’t what they used to be
Legacy security models are failing because the red flags we’ve long relied on have been scrubbed away. AI-generated phishing now achieves a staggering 54% click rate, compared to just 12% for generic campaigns. Because 83% of phishing is now AI-assisted, these messages are grammatically perfect and contextually sophisticated, eliminating that gut feeling of suspicion.
In the second half of 2025 alone, Kaseya detected over 6.6 million brand impersonation emails. These attacks now perfectly mirror the communication styles of the banks, shipping companies, and software providers — like Microsoft, which was weaponised over 1.9 million times last year — that anchor SMB operations. When the logo is pixel-perfect and the language is flawless, asking a human to spot the fake is no longer a fair fight.
Fighting fire with fire
True cyber resilience requires a fundamental shift in posture. We must start training our teams to verify intent.
This shift begins with four non-negotiable pivots:
Context over appearance
Since visual cues are now unreliable, security training must evolve toward contextual verification. Any email requesting a financial redirection or an urgent off-platform action must be handled with a mandatory confirmation through a second channel. This is as easy as a quick phone call to a known and trusted number, regardless of how professional the email looks.
Enforce calendar hygiene
Attackers are increasingly bypassing mail filters by injecting malicious links directly into staff schedules. Disabling the "automatically add invitations" feature in your mail settings is a simple step that helps secure the digital workspace and closes a primary backdoor for credential theft.
Adopt a "no QR via email" policy
QR codes have become the preferred delivery vehicle for malicious links. Legitimate financial and logistics institutions almost never use this method for secure communications. If a bank or shipping company sends a QR code to be scanned, assume it is a scam.
Level the playing field with AI
Human eyes cannot catch millions of automated brand impersonations. Small business owners must shift their budgets from legacy filters to GenAI-powered intent detection. You cannot enlist your team to be the only line of defence against these advanced AI threats.
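The four pivots above can be turned into a first-pass triage rule that runs before a human ever reads the message. The following is an added example, not code from the report or from Kaseya: it parses a raw email with Python's standard library, flags wording that demands second-channel confirmation, flags calendar invitations from outside the business, and flags image attachments for QR review (it does not decode the QR itself). The internal domain, the phrase list and the sample message are all assumptions constructed for the demonstration.

```python
"""Triage inbound mail against the four pivots: context, calendar, QR, automation."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com.au"  # assumption: the business's own mail domain

# Wording that signals financial redirection or an urgent off-platform action.
# Assumed phrase list; a real deployment would tune it to the business.
REDIRECTION_PHRASES = (
    "pay to this account", "updated bank details", "new account number",
    "wire transfer", "gift card", "urgent", "call me on this number",
)

def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def triage(raw: bytes) -> dict:
    """Return the sender and a list of (finding, detail) pairs for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    findings = []
    # Pivot 1: judge the request, not the appearance. Subject + body text only.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in REDIRECTION_PHRASES if p in text]
    if hits:
        findings.append(("second_channel_required", hits))
    for part in msg.walk():
        # Pivot 2: an external calendar invitation must not auto-populate a schedule.
        if part.get_content_type() == "text/calendar" and is_external(sender):
            findings.append(("external_invite", part.get_param("method")))
        # Pivot 3: any image, attached or inline, may carry a QR code; hold for review.
        if part.get_content_maintype() == "image":
            findings.append(("image_attachment_review", part.get_filename() or "<inline>"))
    return {"sender": sender, "findings": findings}

def build_sample() -> bytes:
    """Constructed sample: a 'supplier' changing bank details, with invite and image."""
    m = EmailMessage()
    m["From"] = "accounts@supplier-invoices.example"
    m["To"] = "payables@" + INTERNAL_DOMAIN
    m["Subject"] = "Urgent: updated bank details for invoice 4471"
    m.set_content("Please pay to this account from now on. Scan the attached QR code.")
    m.add_attachment(b"BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nEND:VCALENDAR\r\n",
                     maintype="text", subtype="calendar", filename="invite.ics",
                     params={"method": "REQUEST"})
    m.add_attachment(b"\x89PNG placeholder", maintype="image", subtype="png",
                     filename="qr.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```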
In an era where scams are indistinguishable from legitimate business, your defence must match the sophistication of the threat. By moving beyond the manual era of spotting typos and embracing automated, intent-based protection, Australian SMBs can reclaim their security. It is time to stop serving as the engine of the cybercrime economy and start building the resilient future that our businesses and our broader economy depend on.