By Jay Abbott
Legacy Capital treats cybersecurity as an enterprise value driver. For small and midsize businesses, the most common path to financial loss, downtime, and reputational damage begins with phishing and email compromise. One breached inbox can escalate into wire fraud, payroll diversion, vendor payment redirects, or ransomware.
This matters because every company we evaluate is measured on durability: how reliably it can operate, scale, and protect the downside. Weak phishing controls create uncertainty, and uncertainty becomes deal friction. In diligence, that can mean deeper questioning, longer timelines, tighter legal terms, escrow holdbacks, or valuation pressure. Practical controls reduce incident probability and reduce transaction risk.
The Phishing Attacks SMBs Face Most Often
Business Email Compromise (BEC) and executive impersonation
Attackers impersonate an executive or compromise a mailbox and push an urgent request to send a wire, approve an invoice, or process a confidential payment change.
Vendor payment redirects and “new bank account” scams
Accounts Payable receives an email that appears to come from a vendor claiming banking details have changed. Payments route to the attacker. These attempts often hit at month-end or right before payment runs.
Credential harvesting via fake login pages
“Document shared,” “password expires,” and “unusual login detected” messages send users to realistic login pages that steal credentials. Once attackers control email, they can monitor conversations, reset passwords, and stage fraud.
The damage often comes from the chain reaction: a stolen password becomes an email takeover, a takeover becomes a vendor redirect, and that redirect becomes a six-figure loss. That is why phishing defense must be paired with workflow design.
Verizon’s 2025 DBIR, citing FBI IC3 data, notes that more than $6.3 billion was transferred in 2024 as part of BEC scams.
The Emerging Risk: AI Agents and Automated Workflows
More SMBs are deploying AI tools and workflow agents that draft emails, automate approvals, summarize documents, or integrate finance systems. These tools can improve efficiency. They also expand the attack surface if not governed carefully.
An AI agent connected to email, file storage, or payment systems becomes a high-privilege asset. If compromised, it can send convincing messages from a legitimate domain, scrape vendor and customer data, export sensitive documents, or trigger automated workflows based on manipulated inputs.
NIST has highlighted distinct security risks that arise when AI agent outputs are connected to software systems capable of taking real-world actions.
Attacks can be more personalized and harder to distinguish from normal business communication. Prompt injection is another emerging vector: malicious instructions embedded in content that an AI system processes can cause it to take unintended actions if its permissions and actions are not properly bounded.
From a diligence perspective, we ask:
- What AI tools are connected to core systems?
- What permissions do they have?
- Are outbound communications human-reviewed before sending?
- Is there logging and audit visibility into agent activity?
- Are API keys and integrations managed with least-privilege access?
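The five questions above describe an enforcement layer that can be made concrete. The following is an added example, not code from Legacy Capital or from any AI tool vendor: a policy gate that sits between an agent's proposed tool calls and the systems that would execute them, enforcing a least-privilege grant, human review of outbound mail, and an audit record for every decision. The agent name, tool names, policy, and the agent output (including the proposal triggered by injected text in a vendor email) are all constructed for illustration.

```python
from typing import Any, Dict, List, Optional, Tuple

# Assumed least-privilege grant for one agent (constructed): the tools it may
# call at all, and the subset that must wait for a human before anything
# leaves the company. Any tool not listed is denied outright, whatever
# prompted the agent to ask for it.
AGENT_POLICY: Dict[str, Any] = {
    "allowed_tools": {"read_inbox", "summarize_document", "draft_email", "send_email"},
    "requires_human_review": {"send_email"},
}


def gate_action(agent_id: str, proposal: Dict[str, Any], policy: Dict[str, Any],
                audit_log: List[Dict[str, Any]],
                reviewer: Optional[str] = None) -> Dict[str, Any]:
    """Decide one proposed tool call: 'executed', 'held_for_review' or 'denied'.

    The decision is appended to audit_log whatever the outcome, so the audit
    trail shows what the agent tried to do, not only what it was allowed to do.
    """
    tool = proposal.get("tool")
    if tool not in policy["allowed_tools"]:
        decision = "denied"           # outside the grant: injected text cannot widen it
    elif tool in policy["requires_human_review"] and reviewer is None:
        decision = "held_for_review"  # queued for a person; nothing has been sent
    else:
        decision = "executed"         # within grant, and reviewed if review was required
    entry = {
        "agent": agent_id,
        "tool": tool,
        "args": proposal.get("args", {}),
        "decision": decision,
        "reviewer": reviewer,
    }
    audit_log.append(entry)
    return entry


def process_agent_output(agent_id: str, proposals: List[Dict[str, Any]],
                         policy: Dict[str, Any],
                         audit_log: List[Dict[str, Any]]) -> List[str]:
    """Gate a batch of proposals and return the decision for each, in order."""
    return [gate_action(agent_id, p, policy, audit_log)["decision"] for p in proposals]


# Constructed agent output: what an inbox-triage agent proposed after reading a
# vendor email whose body carried injected instructions to update bank details.
# The third proposal exists only because of that injected text.
CONSTRUCTED_PROPOSALS: List[Dict[str, Any]] = [
    {"tool": "summarize_document", "args": {"message_id": "msg-42"}},
    {"tool": "send_email", "args": {"to": "billing@vendor.example", "subject": "Re: invoice 1187"}},
    {"tool": "update_vendor_bank_account", "args": {"vendor": "Acme Supply", "account": "ACCT-NEW"}},
]


def walkthrough() -> Tuple[List[str], str, List[Dict[str, Any]]]:
    """Run the constructed proposals through the gate, then have a named reviewer
    release the held email. Returns (first-pass decisions, post-review decision, audit log)."""
    audit: List[Dict[str, Any]] = []
    first_pass = process_agent_output("inbox-triage-agent", CONSTRUCTED_PROPOSALS, AGENT_POLICY, audit)
    held = [p for p, d in zip(CONSTRUCTED_PROPOSALS, first_pass) if d == "held_for_review"]
    # A person reads the drafted email and approves it; the gate records who.
    after_review = gate_action("inbox-triage-agent", held[0], AGENT_POLICY, audit, reviewer="ap_lead")
    return first_pass, after_review["decision"], audit


if __name__ == "__main__":
    decisions, released, log = walkthrough()
    print("first pass:", decisions)
    print("after review:", released)
    for entry in log:
        print(entry)
```

The point of the structure is that the grant is enforced outside the model: the injected instruction produces a proposal, but a tool that was never granted is denied regardless of how the request was phrased, the outbound email waits for a named person, and the audit log captures the attempt, which is what the diligence questions about permissions, human review, and logging are really asking for.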
The Controls Legacy Capital Expects to See
We are not asking SMBs to run enterprise security operations. We look for repeatable controls that prevent common losses and demonstrate operational maturity.
MFA and account hygiene
MFA should be enabled for everyone, with additional rigor for leadership, finance, HR, and administrators. Shared accounts should be eliminated.
Money-moving controls that resist bypass
Vendor banking changes should require out-of-band verification using a known number already on file. Wires and ACH should have two-person approval above a defined threshold. A simple written rule should govern the process: email alone never approves changes to payment instructions.
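The three rules in this section (out-of-band verification to a number already on file, two-person approval above a threshold, and email never approving a change on its own) can be written down as checks that a payment system or an AP procedure enforces. The following is an added example, not Legacy Capital's code or any finance system's API: a small approval function for vendor bank-detail changes, run against four variants of the same "new bank account" email, from the bare bypass attempt to a properly controlled change. The vendor record, phone numbers, account identifiers, approver names, and the $10,000 threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed threshold above which two distinct approvers are required.
# Each business sets its own figure; this value is illustrative only.
TWO_PERSON_THRESHOLD = 10_000


@dataclass
class VendorRecord:
    """Master data captured at vendor onboarding, independent of any later email."""
    name: str
    phone_on_file: str   # the only number AP is permitted to call back
    bank_account: str


@dataclass
class BankChangeRequest:
    """A request to change where a vendor's payments are sent."""
    vendor: str
    new_bank_account: str
    source: str                                  # "email", "portal", "phone", ...
    amount_at_stake: float                       # value of payments that would move
    callback_number_used: Optional[str] = None   # number AP actually dialled
    callback_confirmed: bool = False             # vendor confirmed on that call
    approvers: List[str] = field(default_factory=list)


def evaluate_change(req: BankChangeRequest,
                    vendors: Dict[str, VendorRecord]) -> Tuple[bool, List[str]]:
    """Apply the money-moving controls. Returns (approved, blocking_reasons)."""
    reasons: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["vendor not in master data"]

    # Rule: email alone never approves a change. Out-of-band verification is
    # mandatory whatever channel the request arrived on.
    if not req.callback_confirmed:
        reasons.append(f"no out-of-band verification (a {req.source} request alone is not enough)")
    # Rule: the callback goes to the number already on file, never to a number
    # supplied inside the request itself.
    elif req.callback_number_used != vendor.phone_on_file:
        reasons.append("callback did not use the phone number on file")

    # Rule: two-person approval above the threshold, counting distinct people.
    required = 2 if req.amount_at_stake > TWO_PERSON_THRESHOLD else 1
    distinct = set(req.approvers)
    if len(distinct) < required:
        reasons.append(f"needs {required} distinct approver(s), has {len(distinct)}")

    return (not reasons), reasons


# Constructed sample master data for the walkthrough.
VENDORS: Dict[str, VendorRecord] = {
    "Acme Supply": VendorRecord("Acme Supply", "+1-555-0100", "ACCT-ORIGINAL"),
}


def walkthrough() -> Dict[str, Tuple[bool, List[str]]]:
    """Four variants of one 'our bank details have changed' email, keyed by label."""
    base = dict(vendor="Acme Supply", new_bank_account="ACCT-NEW",
                source="email", amount_at_stake=50_000)
    cases = {
        # The email alone, pushed through by one AP clerk at month-end.
        "email_only": BankChangeRequest(**base, approvers=["ap_clerk"]),
        # AP called the "new direct line" printed in the email and got a confirmation.
        "callback_to_number_in_email": BankChangeRequest(
            **base, callback_number_used="+1-555-0199",
            callback_confirmed=True, approvers=["ap_clerk", "controller"]),
        # Correct callback, but the same person approved twice on a $50k exposure.
        "same_person_twice": BankChangeRequest(
            **base, callback_number_used="+1-555-0100",
            callback_confirmed=True, approvers=["ap_clerk", "ap_clerk"]),
        # Correct callback to the number on file and two distinct approvers.
        "fully_controlled": BankChangeRequest(
            **base, callback_number_used="+1-555-0100",
            callback_confirmed=True, approvers=["ap_clerk", "controller"]),
    }
    return {label: evaluate_change(req, VENDORS) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (ok, why) in walkthrough().items():
        print(f"{label}: {'APPROVED' if ok else 'BLOCKED'} {why}")
```

The second case is the one worth drilling on: a callback happened and the "vendor" confirmed, yet the change is still blocked because the number dialled was the one the attacker supplied rather than the one on file. Writing the rule as a check against master data, rather than as "call the vendor", is what makes it resist bypass.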
Role-based training tied to real attack patterns
Finance and AP should drill on BEC and vendor redirects. HR and payroll should drill on direct deposit changes and identity verification. Leadership should recognize impersonation tactics and credential traps. Short, consistent training beats long sessions that fade quickly.
Patch and endpoint discipline backed by tested recovery
Strong operators keep systems updated, maintain endpoint protection, and run reliable backups that are tested.
These controls matter because phishing incidents rarely stay contained. They create downtime, delayed invoicing, disrupted fulfillment, vendor disruption, and leadership distraction. Even when the direct loss is a fraudulent wire, the follow-on impact can include weeks of cleanup and customer questions.
The strongest operators can show that phishing is harder to execute and easier to catch. They have clear procedures for bank changes, an escalation path, MFA enforcement, controlled access, and tested backups. The business runs on discipline.
Phishing resilience protects two essentials: continuity and trust. Continuity and trust support enterprise value.