
    Cyberattacks Are Now the #1 SMB Threat in 2026: What a Real ACH Diversion Attempt Teaches Us

    Dustin Collett, March 2, 2026

    In 2026, the most common "business interruption" story we hear isn't about supply chain delays or a slow quarter—it's an email.

    A controller gets a perfectly normal invoice. The names are right. The timing matches. The signature looks familiar. And then, right when the payment is about to go out, the bank details "change."

    That's why the latest SMB research is landing the way it is: cyberattacks have overtaken inflation and recession concerns as the #1 perceived threat for SMBs. VikingCloud reports that 3 in 4 SMBs rank cyber incidents as the biggest risk to their business this year, ahead of inflation and recession.

    And the hard part? This isn't only happening to "unprepared" companies. It's happening to teams that are busy, growing, and doing their best—often without dedicated security staff.

    Why Cyber Risk Jumped to the Top in 2026

    Two recent studies help explain the shift.

    VikingCloud (Feb 24, 2026): 3 in 4 SMBs say cyber incidents are most likely to negatively impact their business this year.

    Proton (published Feb 26, 2026): Nearly one in four SMBs fell victim to cyberattacks in the past 12 months.

    The trend line is clear: cyber risk isn't just an "IT problem" anymore—it's an operational risk. When you can't invoice, ship, schedule, or collect payments, the impact shows up immediately in cash flow and customer trust.

    VikingCloud also calls out the accelerant many SMBs are feeling firsthand: attackers are using AI to move faster than human response cycles, with 42% of SMB respondents saying AI-driven attack speed makes traditional patching and response effectively obsolete.

    A Real-World Example: The ACH Diversion Attempt That Almost Worked

    Here's a condensed version of an incident we reviewed recently (names and a few details simplified for privacy, but the mechanics are real).

    A Midwest company was working with a long-time vendor. Normal stuff: purchase order, invoice, and a routine "Can you send your ACH/Wire instructions?" request.

    Then the twist: the reply came from what looked like the vendor's accounting contact—but the domain was a near-perfect look-alike.

    • Legitimate domain (example): microsoft.com
    • Look-alike domain used in the attempt: rnicrosoft.com ("rn" in place of "m", which reads as one letter at a glance)

    The email thread contained accurate "inside baseball" details (invoice number, the right people CC'd, matching tone and timing). The attacker attached "ACH payment instructions" and pushed for quick confirmation.

    This is the point where many diversions succeed: the change request arrives in the same conversational thread and feels routine.

    What stopped it? A boring, old-fashioned control that works:

    • Mac-Tech's AP team required verbal confirmation of banking details before initiating a first-time ACH payment.
    • The attacker tried to sidestep that verification by providing a phone number to call—another common tactic when criminals want to keep the "verification" inside their control.

    That one step—out-of-band verification using a trusted phone number—is the difference between "close call" and "six figures gone."

    The Readiness Gap: DIY Security vs. Modern Attacks

    VikingCloud highlights the mismatch SMBs are living with:

    84% of SMB owners still self-manage security (even as threats become more automated and more targeted).

    Baseline tools are common, but the coverage gaps are telling:

    • Vulnerability scanning: 34%
    • Penetration testing: 32%
    • Security awareness training: 32%

    These aren't "nice-to-haves." They're how you catch the stuff that bypasses basic antivirus and spam filters.

    And in payment-diversion scenarios specifically, the technical compromise may be subtle:

    • A mailbox rule that auto-forwards finance emails
    • A compromised vendor mailbox
    • A look-alike domain that slips past rushed visual checks

    The "attack" is often less about malware and more about trust manipulation—and that's exactly what AI makes cheaper and more scalable.

    The Controls That Stop ACH Diversion (Without Slowing the Business)

    If you want practical, low-drama safeguards that reduce risk quickly, start here.

    Vendor change control (non-negotiable)

    • Any change to ACH/wire details requires a second approver.
    • Verification must happen out-of-band (call a known-good number from your vendor master file, not the email signature).

    Banner and block look-alike domains

    • Add mail protections for suspicious variants (common typos, extra letters, swapped letters).
    • Flag "first-time sender" messages to finance.
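    A small detector for the look-alike pattern from the incident above (rnicrosoft.com standing in for microsoft.com), added here as an example and not code from the original post or from Mac-Tech: it checks each sender domain against an AP vendor master file, collapsing confusable letter pairs and measuring edit distance so common typos, extra letters and swapped letters are caught as well. The vendor list and sender addresses are constructed for illustration.

```python
# Added example: flag sender domains that imitate a vendor in the AP vendor master file.
# Constructed vendor master file: the only domains AP should trust for banking changes.
VENDOR_DOMAINS = {"microsoft.com", "acme-supply.com"}

# Character sequences that look alike in common fonts (rn vs m, vv vs w, 0 vs o, ...).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}


def normalize(domain: str) -> str:
    """Collapse visually confusable sequences so 'rnicrosoft.com' reads as 'microsoft.com'."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one typo, one extra letter or one dropped letter costs 1,
    a pair of swapped letters costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike:<vendor>' or 'unknown' for one sender address.
    A 'lookalike' result is the signal to banner the message for the finance team."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in VENDOR_DOMAINS:
        return "trusted"
    normalized = normalize(domain)
    for vendor in sorted(VENDOR_DOMAINS):
        # Exact match after confusable folding, or within two edits of the real name.
        if normalized == vendor or edit_distance(domain, vendor) <= 2:
            return f"lookalike:{vendor}"
    return "unknown"


if __name__ == "__main__":
    for sender in ("ap@microsoft.com", "billing@rnicrosoft.com", "ar@acme-suply.com"):
        print(sender, "->", classify_sender(sender))
```

The two-edit threshold suits vendor names of normal length; for very short domains it is worth tightening to one edit to limit false positives.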

    Lock down mailbox forwarding

    • Alert on: new inbox rules, external forwarding, unusual OAuth app consents, and new delegates.
    • Disable automatic external forwarding unless there's a documented business need.
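    One way to turn the "alert on new inbox rules and external forwarding" item into detection logic, added here as an example rather than code from the original post or from any vendor: it scores mailbox-rule audit events for the combination that enables payment diversion (forwarding outside the company, deleting or marking the copy as read, filtering on finance keywords, and a blank or punctuation-only rule name). The events, company domain and field names are constructed and only loosely follow the shape of Microsoft 365 audit records, so treat that schema as an assumption.

```python
# Added example: score mailbox-rule audit events for payment-diversion patterns.
import json

INTERNAL_DOMAINS = {"example-company.com"}  # assumption: the company's own mail domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead"}
FINANCE_TERMS = ("invoice", "ach", "wire", "payment", "remit")

# Constructed sample events as JSON lines; not real audit data.
SAMPLE_EVENTS = """\
{"Operation":"New-InboxRule","UserId":"controller@example-company.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;ACH;wire"},{"Name":"ForwardTo","Value":"ap.archive@mail-forward.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"ops@example-company.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"Operation":"Set-InboxRule","UserId":"controller@example-company.com","Parameters":[{"Name":"Identity","Value":"Vendors"},{"Name":"RedirectTo","Value":"ap@example-company.com"}]}
"""


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_rule_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one audit event; 0 for anything that is not a rule change."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    score, reasons = 0, []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        if is_external(params[name]):  # internal redirects are routine; external ones are not
            score += 2
            reasons.append(f"{name} sends mail outside the company: {params[name]}")
    for name in sorted(HIDING_PARAMS & params.keys()):
        score += 1
        reasons.append(f"{name} hides the message from the mailbox owner")
    if any(term in params.get("SubjectContainsWords", "").lower() for term in FINANCE_TERMS):
        score += 1
        reasons.append("rule filters on finance keywords")
    if not params.get("Name", "rule").strip(".,-_ "):
        score += 1
        reasons.append("rule name is blank or punctuation only")
    return score, reasons


def scan_events(jsonl: str, threshold: int = 2) -> list[tuple[str, int, list[str]]]:
    """Parse JSON-lines audit events; return (user, score, reasons) at or above the threshold."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            score, reasons = score_rule_event(event)
            if score >= threshold:
                hits.append((event.get("UserId"), score, reasons))
    return hits


if __name__ == "__main__":
    for user, score, reasons in scan_events(SAMPLE_EVENTS):
        print(user, score, "; ".join(reasons))
```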

    Harden identities

    • Multi-Factor Authentication (MFA) everywhere, with phishing-resistant options where possible.
    • Conditional access policies that challenge risky sign-ins.

    Continuous vulnerability management

    • Don't treat scanning as an annual checkbox. The data shows many SMBs simply aren't doing it consistently.
    • Pair scanning with prioritized remediation (what to fix first, based on impact and exploitability).

    Why Partnering with an MSP Beats DIY in 2026

    Security "ownership" doesn't have to mean "do everything yourself."

    The VikingCloud data point—84% still self-managing security—isn't a character flaw. It's a capacity problem. Owners and ops leaders are trying to run a business. Attackers are running a production line.

    For most SMBs, the winning model looks like this:

    • Managed Detection and Response (MDR): 24/7 alerting, triage, and response for endpoints and identities
    • Continuous monitoring: Mailbox rule changes, forwarding, unusual sign-ins, suspicious OAuth consents
    • Risk-based security: Focus on the few controls that reduce the most risk (not "more tools")
    • Repeatable governance: Vendor payment procedures, tabletop exercises, and clear escalation paths

    It's not about fear—it's about building a system that catches problems early, so the business can keep moving.

    Next Steps: Turn This Into a Simple 30-Day Plan

    If you're reading this thinking, "We could probably get tricked by that," you're not alone—and you're not behind. You're normal.

    A good next step is a short, scoped review of:

    • Finance mailbox rules and forwarding
    • Identity posture (MFA/conditional access)
    • Vulnerability coverage and remediation cadence
    • Vendor payment change controls

    If you'd like help turning this into a practical plan (and making sure the monitoring is always on), start here.

    Or if you're ready to discuss 24/7 detection and response for endpoints and Microsoft 365, see our Managed Detection & Response.