When Your AI Turns Against You
Attackers can hide instructions in web content to make ChatGPT leak private data. What the HackedGPT research means for SMBs — and a 10-point checklist to lock your AI stack down.

For many SMBs, the greatest risk isn't a missing patch — it's the human clicking the link. In 2025, adversaries shifted from "deploy malware and wait" to "trick a human and access the kingdom."
Per CrowdStrike's 2025 Global Threat Report, social-engineering attacks surged — particularly generative-AI-aided phishing, voice phishing (vishing), and identity-focused intrusions:
For SMBs — tighter budgets, leaner teams, delegated responsibilities — sophisticated social engineering plus limited resources is a dangerous combination.
These actors increasingly direct their tradecraft at SMB supply-chain footholds, vendor trust networks, and third-party relationships — making them highly relevant to your business.
SMBs often have less mature identity, cloud, and phishing-defense controls; a large share of all attacks target smaller businesses, with average costs ranging widely into the hundreds of thousands or more. Phishing, spear-phishing, smishing, and vishing remain the most common vectors for initial access — and SMBs are a soft flank for adversaries reaching bigger targets.
Adversaries are scaling their social-engineering playbook. The human remains the weakest — and most profitable — link. For SMBs this doesn't mean "you'll be breached tomorrow." It means act now, deliberately, and smartly. When the human front line becomes resilient, adversaries are forced onto the longer, noisier path — and that gives you the advantage.
Want a phish-resilient team and a hardened identity posture? We run real-world phishing and vishing simulations and identity-centric assessments built for SMB budgets.