What Changed
Traditional phishing was a numbers game. Attackers would blast out millions of poorly written emails and hope a small percentage clicked. Bad spelling, strange formatting, generic greetings made them easy to spot.
AI changed that entirely. Large language models have reduced the time to craft a convincing phishing campaign from 16 hours to roughly five minutes. Attackers now generate thousands of personalized, grammatically flawless emails targeting specific employees at specific companies — referencing real vendors, real job titles, real recent events.
AI-generated phishing emails now achieve a 54% click rate compared to 12% for standard phishing messages. That is not a small difference. That is the difference between one in eight employees clicking and one in two.
Why Small Businesses Are the Primary Target
Eight in ten phishing attacks target small and medium-sized businesses rather than enterprises, with an average loss per incident of $50,000. The reason is straightforward — small businesses typically have fewer security controls, less employee training, and no dedicated security team.
Attackers know this. They target companies that cannot afford enterprise-grade security, which is exactly the gap that managed security services are designed to close.
What These Attacks Look Like Now
Forget the obvious scam emails. Modern AI phishing looks like:
- An email from your Microsoft 365 administrator asking you to verify your account
- A message from a vendor you actually work with, referencing a real invoice, asking you to update payment information
- A message appearing to come from your bank or insurance provider
- QR codes in emails leading to fake login pages
- Voice calls using AI-generated audio impersonating someone you know
Adversary-in-the-middle attacks — which bypass multi-factor authentication by intercepting session cookies in real time — surged 146% in 2024. Even MFA is no longer a complete defense against the most sophisticated attacks.
5 Things Las Vegas Businesses Should Do Right Now
1. Run a phishing simulation. The only way to know how vulnerable your team is is to test them with realistic fake phishing emails. This gives you a baseline and identifies who needs additional training.
2. Implement email security beyond spam filtering. Standard spam filters were built for old-style phishing. AI-generated emails bypass them routinely. Advanced email security looks at behavior, context, and intent — not just blacklists.
3. Train your team on the new rules. The old training — look for bad spelling — is now actively harmful because it creates false confidence. Your team needs to know that a perfectly written, personalized email from a known contact can still be an attack.
4. Enable MFA everywhere, then add a second layer. MFA significantly reduces risk but is not foolproof against session hijacking. Use authenticator apps rather than SMS codes where possible.
5. Have an incident response plan. Know what to do when someone clicks. The faster you contain a breach, the less damage it causes. Most small businesses find out what that costs the hard way.
Brydan Solutions provides email security, simulated phishing campaigns, and security awareness training for Las Vegas small businesses. Start with a free network assessment — we will give you an honest picture of where you stand.