New Year’s Resolutions for Cybercriminals



Somewhere right now, a cybercriminal is making New Year’s resolutions too.

They’re reviewing what worked in 2025 and planning what to try in 2026.

And yes, small businesses are appealing targets - not because anyone’s careless, but because most teams are busy and stretched thin.

Below is their 2026 game plan, and how to make it far less effective.

Resolution #1: “Send phishing emails that look normal”

The era of obvious scam emails is fading. Modern tools can generate messages that:

  • Sound credible
  • Mirror your company’s language
  • Reference real vendors you actually use
  • Skip the classic spelling errors and fake urgency

January is especially noisy: people are catching up after the holidays and moving fast.

A typical example:

“Hi [your name], I tried sending the updated invoice, but the file bounced. Can you confirm this is the right email for accounting? Here’s the new version, let me know if you have questions. Thanks, [actual vendor name].”

Your counter-move:

  • Verify, don’t just read. Any request involving payments, credentials, or sensitive data gets confirmed via a separate, trusted channel.
  • Use modern email filtering. Enable tools that help detect impersonation and anomalies (e.g., display-name spoofing, sender domain mismatches).
  • Normalize double-checks. Make “I verified first” a positive behavior, not paranoia.
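As an added illustration of the two anomalies named above (not code from the original post or from any filtering product), here is a small header check that flags display-name spoofing and sender domain mismatches. The company domain, the internal-name directory and the sample messages are all constructed assumptions.

```python
# Added example: flag the two header anomalies the post mentions.
# COMPANY_DOMAIN, INTERNAL_NAMES and SAMPLES are constructed for illustration.
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
INTERNAL_NAMES = {"jane doe", "accounts payable"}   # constructed directory of internal display names


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_headers(headers: dict) -> list:
    """Return a list of anomaly labels for one message's From/Reply-To/Return-Path headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display-name spoofing: an internal-looking display name on an external address.
    if name.strip().lower() in INTERNAL_NAMES and from_dom != COMPANY_DOMAIN:
        findings.append("display-name-spoofing")

    # 2. Sender domain mismatch: replies or bounces would go to a different domain
    #    than the one shown in From, a common sign of impersonation.
    for hdr in ("Reply-To", "Return-Path"):
        other_dom = domain_of(parseaddr(headers.get(hdr, ""))[1])
        if other_dom and other_dom != from_dom:
            findings.append(hdr.lower() + "-domain-mismatch")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": {"From": "Jane Doe <jane@example.com>", "Reply-To": "jane@example.com"},
    "spoofed_name": {"From": "Jane Doe <jane.doe.ceo@mail.example.net>"},
    "reply_to_mismatch": {
        "From": "Vendor Billing <billing@vendor.example>",
        "Reply-To": "billing@vendor-invoices.example",
    },
}


def scan_all(samples: dict) -> dict:
    """Run check_headers over every sample and keep only the ones with findings."""
    return {label: f for label, msg in samples.items() if (f := check_headers(msg))}


if __name__ == "__main__":
    for label, findings in scan_all(SAMPLES).items():
        print(label, "->", ", ".join(findings))
```

A real filter would also consult SPF/DKIM/DMARC results and a directory lookup rather than a hard-coded name set, but the two checks above are the ones the bullet calls out.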

Resolution #2: “Impersonate your vendors, or your leadership”

Vendor “bank account change” emails and “CEO texts” for urgent wires remain common. Increasingly, voice cloning and other social-engineering tricks are part of the mix.

Your counter-move:

  • Change-control by policy. Any update to payee details requires a callback using a number you already trust, not the one in the email.
  • Dual control for payments. Require two people or steps for wires and account changes.
  • MFA on finance/admin accounts. If a password leaks, additional factors help block access.

Resolution #3: “Focus on small businesses”

Attackers increasingly favor many smaller, simpler attempts over a few high-profile ones. Smaller teams often have fewer dedicated security resources, and that’s what adversaries look for.

Your counter-move:

  • Cover the basics well. Turn on MFA, apply updates on a schedule, and test your backups periodically. These steps raise the bar quickly.
  • Retire the “we’re too small” myth. Target selection is often about opportunity, not company size.
  • Get expert support. You don’t need an in-house security team; you need right-sized help and clear priorities.

Resolution #4: “Exploit new-hire season and tax-time noise”

New team members may not know your processes yet. At the same time, tax-related phishing (e.g., W-2 requests) tends to spike.

Your counter-move:

  • Onboard with security. Before new hires get full access, cover how to spot and report suspicious requests, and what your “never by email” rules are.
  • Write it down. Test it. For example: “We don’t email W-2s,” “Payment changes require a callback,” and “Gift card requests are not a thing.”
  • Celebrate verification. Thank the person who double-checks a real request. That reinforces the norm.

Preventable beats recoverable

You can either:

  • React after an incident, with business interruption, remediation, and potential reporting obligations, or
  • Reduce risk up front, with layered controls, monitoring, and training

Prevention and preparedness cost less than cleanup—financially and operationally.

How to make their year harder

A capable IT/security partner helps you move off the “easy target” list by:

  • Monitoring and alerting on covered systems to surface suspicious activity sooner
  • Tightening access (least privilege, MFA, offboarding) so one credential doesn’t unlock everything
  • Training people on current scams (not just the obvious ones) and encouraging verification
  • Defining simple verification policies for payments and data requests
  • Maintaining and testing backups so recovery options exist if something goes wrong
  • Applying patches on a cadence so known vulnerabilities get closed in a timely way

This is about prevention and resilience, not guarantees.

Take your business off their target list

Book a New-Year Security Reality Check.

We’ll identify practical next steps to reduce risk this year—aligned to your team, tools, and budget.

No scare tactics. No jargon. Clear priorities you can act on.

Book your 15-minute New-Year Security Reality Check

Because the best resolution is making sure you’re not on someone else’s list of goals.