If you have been following tech headlines, you may have seen coverage of Claude Mythos, an unreleased Anthropic model reported to be exceptionally capable at finding software vulnerabilities. Anthropic has also launched Project Glasswing, which is intended to use early access to these frontier capabilities to help security partners find and fix weaknesses in critical software before similar capabilities are broadly available.
The bigger, more immediate issue is that AI is already improving the attacks that hit SMBs every day, especially financial fraud. In practical terms, AI makes criminals faster, more convincing, and harder to spot.
Here are three AI-powered fraud patterns businesses are seeing right now, followed by the straightforward controls that still stop them.
Invoice and wire fraud gets more believable
Business Email Compromise is not new. What is changing is quality and speed.
Attackers can use AI to write more natural emails, mimic tone, produce cleaner “supporting documentation,” and iterate quickly when a target hesitates. A fake vendor request to “update our banking details” can look legitimate at first glance, especially when the email arrives during a busy week.
What to do now: implement a “no exceptions” verification step. Any change to payment instructions, ACH details, or bank routing information must be verified using a second channel you already trust. If the process is consistent, staff can follow it even under pressure.
Payroll redirect scams become easier to execute
Payroll fraud often starts with a simple email: “Hi, I need to update my direct deposit for next paycheck.” AI does not need to break into your systems to make this work. It only needs to generate convincing messages at scale and time them well.
What to do now: require a strong verification process for payroll changes. At minimum:
- Require MFA on payroll platforms.
- Require confirmation for any deposit change.
- Restrict who can approve payroll updates, and ensure approvals are logged.
Deepfake voice adds urgency to old scams
The classic “urgent request from the boss” is evolving. With AI-generated voice, criminals can attempt to impersonate leadership well enough to create doubt and urgency, especially in a noisy environment or on a short call.
Even when a deepfake is not perfect, it can push employees into acting quickly. That is the point.
What to do now: create a simple internal rule: no money moves based on urgency alone. Large or unusual payments require a second approval and a callback verification. Make it normal for staff to slow the process down.
The basics still matter, and they still work
Financial fraud is often a people-and-process attack, but the foundational security controls are what keep it from turning into a larger breach.
Backups you can restore. If an attacker gains access, encrypts files, or destroys data as cover for fraud, tested backups determine whether you recover quickly or face a prolonged disruption. Backups should be protected from ransomware and tested periodically with real restores.
Multi-factor authentication for critical systems. Turn on MFA for email, accounting, banking portals, payroll, and remote access. Many fraud attempts succeed because email is compromised and then used to approve or redirect payments.
Offboarding as a security event. When someone leaves, disable accounts the same day, remove access to shared systems, reset shared passwords, and recover company devices. Dormant accounts and shared credentials are common entry points for fraud.
Updates and lifecycle management. Keep systems supported and patched. AI may accelerate discovery of weaknesses, but attackers still regularly succeed through old, unpatched, or misconfigured systems.
Cyber insurance, plus readiness. Insurance can be a vital backstop, but it is not a plan by itself. Know your policy requirements now, not after an incident. Keep your breach coach and carrier contact information accessible, and understand what evidence and steps are expected during a claim.
What about “zero-days”?
A zero-day is a vulnerability that is unknown to the vendor or not yet patched. You usually cannot fix it immediately because the fix may not exist yet.
For SMBs, the practical defense is resilience:
- Reduce exposure (limit unnecessary remote access and admin access).
- Limit blast radius (MFA, least privilege, strong offboarding).
- Make recovery realistic (tested backups and a simple response plan).
A practical next step
AI will keep improving, and the headlines will keep coming. The best way for an SMB to respond is to make sure the fundamentals are in place, and to add simple verification steps that prevent money from moving based on a single email or a rushed phone call.
If you want help translating these ideas into a simple, repeatable process your team will actually follow, that is where an experienced IT partner can add value. A brief assessment can identify the one or two changes that will make the biggest difference first.
