While you’re setting New Year’s resolutions, cybercriminals are doing the same thing.

In general, they’re not focused on self-care or work-life balance.
They’re reviewing what worked last year—and planning how to steal more this year.

And small businesses are at the top of their list.

Not because you’re careless.
Because you’re busy.
And criminals love busy.

Here’s what cybercriminals are planning for the new year—and how you can ruin those plans.

Cybercriminal Resolution #1: “I’ll Send Phishing Emails That Look Completely Legit”

The days of poorly written scam emails are all but over.

Because of AI, phishing emails now:

  • Sound professional and natural
  • Use your company’s language
  • Reference real vendors you work with
  • Avoid obvious red flags

Attackers don’t need typos anymore. They just need good timing.

And January is perfect timing. People are finally catching up from the holidays, moving fast, and not double-checking every message.

A modern phishing email looks like this:

“Hi [your actual name], I tried sending the updated invoice, but the file bounced back. Can you confirm this is still the right email for accounting? Here’s the new version – let me know if you have questions. Thanks, [Your actual vendor’s name]”

No Nigerian prince. No urgent wire transfer. Just something that sounds so normal, from someone you trust.

Your counter-move:

  • Train employees to verify, not just read. Any request involving money, passwords, or files should be confirmed another way.
  • Use email security tools that actually flag impersonation attempts and suspicious senders.
  • Create a culture where asking, “Can you confirm this?” is encouraged—not criticized.

Cybercriminal Resolution #2: “I Will Impersonate Your Vendor… or Your Boss”

This is one of the most damaging scams because it feels so real.

A vendor email says:
“We’ve updated our banking details. Please use this account going forward.”

Similarly, your bookkeeper gets a text from “the CEO”:
“Urgent—wire this now. I’m in a meeting and can’t talk.”

Even worse, voice deepfakes are becoming common. Criminals clone voices from podcasts, videos, or voicemail greetings. The “CEO” calls your finance person and asks for a “quick favor”—and it actually sounds exactly like them.

This isn’t science fiction. It’s happening now.

Your counter-move:

  • Create a strict callback policy for any banking or payment changes. Always verify using a known phone number.
  • No payment moves without voice confirmation through established channels.
  • Enable multi-factor authentication (MFA) on all financial and admin accounts.

Cybercriminal Resolution #3: “I’ll Go After Small Businesses Harder Than Ever”

Cybercriminals used to focus on big companies. But big companies improved security, tightened insurance requirements, and became harder to attack.

So criminals changed strategies.

Instead of one difficult $5 million attack, they now prefer dozens of easier $50,000 attacks that are almost guaranteed to work.

Small businesses are ideal targets. You have money worth stealing. You have data worth ransoming. And you probably don’t have a dedicated security team.

Attackers know:

  • You’re understaffed
  • You don’t have a security team
  • You’re juggling everything
  • You believe “we’re too small to be targeted”

That belief is their favorite vulnerability.

Your counter-move:

  • Implement basic protections like MFA, automatic updates, and tested backups.
  • Stop assuming size equals safety. Small businesses are targeted because they’re easier—not because they’re insignificant.
  • Work with a professional IT partner who monitors threats and closes gaps before attackers find them.

Cybercriminal Resolution #4: “I’ll Exploit New Hires and Tax Season Chaos”

January brings new employees. But new employees don’t know your rules yet.

Because they are eager to impress and be helpful, they don’t want to question authority.

In fact, from an attacker’s perspective, new employees are perfect targets.

Common scams include:

  • “I’m the CEO—can you handle this quickly? I’m traveling and can’t do it myself.” A veteran employee may think twice. However, a new hire who wants to make a good impression is already on it.
  • Fake payroll or HR requests
  • W-2 requests and fake IRS notices

A classic attack looks like this:

Someone impersonates your CEO or HR director and sends the following “urgent” request to whoever handles payroll: “I need copies of all employee W-2s for a meeting with the accountant. Please send them ASAP.”

Once criminals have those W-2s, they have Social Security numbers, addresses, and salaries. They file fake tax returns before your employees do. Your team finds out only when their real returns get rejected as “duplicates.”

Your counter-move:

  • Include security training in employee onboarding—before email access is granted.
  • Create clear, written policies: “We never email W-2s.” “All payment requests must be verified by phone.” Then test people on them.
  • Praise employees who verify requests—even when they turn out to be legitimate.

Prevention Beats Recovery Every Time

You have two choices when it comes to cybersecurity.

Option A: React after an attack

  • Pay ransoms or emergency IT fees
  • Notify clients and regulators
  • Rebuild systems
  • Repair trust and reputation

Cost: tens or hundreds of thousands of dollars
Timeline: weeks to months
Outcome: you may survive, but you’ll never forget it

Option B: Prevent the attack

  • Secure systems properly
  • Train your team
  • Monitor threats
  • Fix vulnerabilities before they’re exploited

Cost: a fraction of Option A
Timeline: ongoing, in the background
Outcome: nothing happens—which is the goal

You don’t buy a fire extinguisher after the fire.
You buy it so you never need it.

How to Ruin a Cybercriminal’s Year

A good IT partner helps keep you off the “easy target” list by:

  • Monitoring systems 24/7, catching threats before they become breaches
  • Locking down access and credentials so one stolen password doesn’t open everything
  • Training employees on modern scams
  • Setting and enforcing verification policies
  • Maintaining and testing backups
  • Patching systems before attackers exploit them

That’s fire prevention, not firefighting.

Cybercriminals are optimistic about the year ahead. They’re mostly counting on businesses being distracted, understaffed, and unprotected.

So, let’s disappoint them.

Take Your Business Off Their Target List

👉 Book a New Year Security Reality Check

In just 17 minutes, we’ll show you:

  • Where you’re exposed
  • What matters most
  • How to stop being low-hanging fruit this year

No scare tactics. No jargon. Just clarity.

Because the best New Year’s resolution
is making sure you’re not on someone else’s list of goals.
