Kaspersky Reports Rise in Fake AI Tool Attacks on SMBs

Kaspersky reported a sharp rise in cyberattacks targeting small and medium-sized businesses with fake AI tool lures, detecting over 33,300 such attacks in the first four months of 2026—nearly five times the 2025 volume. The attacks often use popular AI names like Claude and OpenClaw, and Kaspersky noted that most initial access offerings on the dark web allegedly target SMBs.

What happened Kaspersky released a 2026 threat analysis for small and medium-sized businesses ahead of International SMB Day on June 27, 2026. Per Kaspersky's Securelist report, in the first four months of 2026 Kaspersky solutions detected over 33,300 cyberattacks on SMBs pretending to be popular AI tools, nearly five times the volume recorded in 2025 and 39% more than detections for office and collaboration tool disguises. The report also documents almost 415,000 attacks using fake messenger apps and video conferencing software. Kaspersky names Claude and OpenClaw among the AI-themed lures and notes that the majority of initial accesses offered on the dark web are allegedly accesses to SMBs. Technical details Kaspersky states its analysis leveraged anonymized telemetry from the Kaspersky Security Network KSN and data collected from users of Kaspersky solutions for SMBs. The report categorizes threats including malware and potentially unwanted applications PUAs that are disguised as legitimate services, social-engineering lures via communication platforms, and fraud campaigns that use fake AI tooling to extract payments or credentials. Kaspersky provides real-world examples illustrating these vectors. Editorial analysis - technical context Attackers adopting popular product names as lures is a well-documented pattern in phishing and supply-chain social engineering. Companies and defenders seeing a surge in brand-targeted malware should consider that attackers commonly follow mainstream adoption curves, repackaging known malware families or PUAs with convincing installers and social media bait. Observed tactics in Kaspersky's data mirror these behaviors: heavy use of messaging apps and video-conference themes, plus AI-branded bait that leverages customer interest in productivity and generative tools. Industry context Companies in comparable threat landscapes often become valuable targets not only for direct financial fraud but as stepping stones into larger supply chains. Kaspersky's finding that many initial-access records on the dark web are allegedly SMB accounts aligns with broader reporting that less-protected vendors and contractors can serve as pivot points for attacks against larger enterprises. What to watch - •Rising counts of detections labeled as fake or malicious AI tools in telemetry and endpoint logs - •Increased listings of SMB access credentials or RDP/VPN entries on dark-web marketplaces - •Phishing campaigns that use messenger and video-conference themes with credential-harvesting payloads For practitioners Monitor telemetry for AI-branded installer filenames and messaging-app lures, validate vendor access controls, and track dark-web chatter for SMB access listings. Kaspersky's report supplies data points to prioritize detection rules and user-awareness training around AI-themed scams. Scoring Rationale The report documents a notable uptick in AI-branded lures and large volumes of messenger-based attacks that matter to defenders and SOC teams supporting SMBs. It is a significant security signal but not a frontier-tech or regulatory watershed. Practice interview problems based on real data 1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems