← back to blog
Red Team

Why SMBs Are Being Phished More Than Ever in 2025

Hooded hacker at laptop surrounded by phishing hooks — SMB social engineering threats

For many SMBs, the greatest risk isn't a missing patch — it's the human clicking the link. In 2025, adversaries shifted from "deploy malware and wait" to "trick a human and access the kingdom."

The alarm bells are ringing

Per CrowdStrike's 2025 Global Threat Report, social-engineering attacks surged — particularly generative-AI-aided phishing, voice phishing (vishing), and identity-focused intrusions:

  • 52% of vulnerabilities observed related to initial access, and 79% of detections were malware-free.
  • Vishing attacks increased 442% from the first to the second half of 2024.
  • Adversaries now deploy deep-fake audio/video, synthetic profiles, and fast breakout times.

For SMBs — tighter budgets, leaner teams, delegated responsibilities — sophisticated social engineering plus limited resources is a dangerous combination.

Five threat-actor groups leveraging social engineering

  • Famous Chollima (North Korea-nexus) — uses generative AI to craft social-engineering campaigns and fictitious profiles.
  • Chatty Spider (eCrime) — a high-volume adversary that exploits trust and identity-based access rather than relying purely on malware.
  • Liminal Panda (China-nexus) — focused on cloud and identity intrusions, using social engineering and credential theft to pivot.
  • Genesis Panda (China-nexus) — rapid cloud-environment exploitation via identity compromise and trust-based lures.
  • Murky Panda (China-nexus) — emphasizes lateral movement and living-off-the-land after human-targeted access.

These actors increasingly direct their tradecraft at SMB supply-chain footholds, vendor trust networks, and third-party relationships — making them highly relevant to your business.

Why SMBs are high-value targets

SMBs often have less mature identity, cloud, and phishing-defense controls; a large share of all attacks target smaller businesses, with average costs ranging widely into the hundreds of thousands or more. Phishing, spear-phishing, smishing, and vishing remain the most common vectors for initial access — and SMBs are a soft flank for adversaries reaching bigger targets.

What SMBs should do now

  1. Assume humans will be phished. Go beyond "don't click the link." Run simulated phishing, and add training for vishing and deep-fake impersonation — the 442% vishing jump can't be ignored.
  2. Harden identity and access. Enforce phishing-resistant MFA (physical keys, app + biometrics), monitor for unusual logins, and intersect identity monitoring with lure detection.
  3. Segment and limit trust channels. Govern third-party access, not just internal systems. Adversaries exploit trust and supply-chain links.
  4. Build a phish-resilient culture. Teach employees to verify unusual requests via a known-good route, and simulate scenarios: deep-fake audio, "boss texting" urgent payment, fake recruiter lures.
  5. Layer detection and response. Since most attacks are malware-free and hands-on-keyboard, use EDR/XDR for abnormal behavior and ensure rapid response and visibility.

Final word

Adversaries are scaling their social-engineering playbook. The human remains the weakest — and most profitable — link. For SMBs this doesn't mean "you'll be breached tomorrow." It means act now, deliberately, and smartly. When the human front line becomes resilient, adversaries are forced onto the longer, noisier path — and that gives you the advantage.

Want a phish-resilient team and a hardened identity posture? We run real-world phishing and vishing simulations and identity-centric assessments built for SMB budgets.

$ ./read_next
Threat Intel

When Your AI Turns Against You

Attackers can hide instructions in web content to make ChatGPT leak private data. What the HackedGPT research means for SMBs — and a 10-point checklist to lock your AI stack down.