New Year’s Resolutions for Cybercriminals (Spoiler: Your Business Is on Their List)

While most people start the year thinking about health goals or better habits, cybercriminals are doing something very different.

They are reviewing what worked last year and refining their approach for the next one. And increasingly, their focus is not large corporations. It is small and mid-sized businesses that are busy, understaffed, and moving fast.

Not because those businesses are careless.
Because they are stretched thin.

Here is what criminals are planning this year and how to make sure your business is not part of their success story.

Resolution 1: Send Phishing Emails That Look Normal

The days of obvious scam emails are over. Today’s phishing messages are polished, realistic, and often written with the help of AI.

They sound like real vendors.
They reference real invoices.
They use real names and familiar language.

The goal is not to scare you. It is to catch you at the wrong moment. A busy morning. A distracted afternoon. A time when it feels easier to respond than to double check.

What works against it:
Train employees to verify requests involving money, credentials, or sensitive data using a second method. Support this with modern email filtering that flags impersonation attempts and suspicious sender behavior.

Resolution 2: Impersonate Vendors and Executives

One of the most effective scams today involves pretending to be someone your team already trusts.

A vendor asks to update banking details.
A message appears to come from the CEO asking for a quick payment.
Sometimes the request even comes as a phone call using a cloned voice.

It feels real because it is designed to feel familiar.

What works against it:
Clear verification rules. No account changes or payments without confirmation through a known phone number. Multi-factor authentication on finance and administrative accounts. No exceptions.

Resolution 3: Target Small Businesses More Aggressively

Large companies have improved their defenses. Insurance requirements are stricter. Security teams are common.

Small businesses, on the other hand, often rely on limited internal resources. That makes them attractive targets. Not because the payoff is massive, but because the success rate is higher.

Most attacks are not personal. They are opportunistic.

What works against it:
Basic security done well. Strong authentication, regular updates, monitored systems, and tested backups make your business harder than the next one. Attackers usually move on.

Resolution 4: Exploit New Hire Season and Tax Chaos

New employees want to be helpful. They do not yet know company rules. That makes them prime targets.

Add tax season to the mix and the risk increases. Fake payroll requests, W-2 scams, and IRS impersonation attempts spike early in the year.

What works against it:
Security training as part of onboarding. Written policies for handling payroll, tax data, and payment requests. A culture where verification is encouraged and rewarded.

Prevention Beats Recovery

Recovering from an attack is expensive, disruptive, and stressful. Preventing one is quieter, cheaper, and far less painful.

Good security does not rely on fear. It relies on preparation.

Monitoring.
Training.
Clear rules.
Systems that reduce risk by default.

The goal is simple. Make your business uninteresting to criminals.

Take Your Business Off Their List

A strong IT partner helps you close gaps before they become problems. Not after.

If you want a clear picture of where you are exposed and what matters most, start with a short conversation. No pressure. No scare tactics. Just practical insight.

Because the best New Year’s resolution is making sure your business is not part of someone else’s plan.