As generative and agentic AI reshape digital commerce, bots will proliferate. Merchants must learn to defend against bad actors but embrace trusted bots that look the same.

Fraud and cybersecurity: What small businesses must know in 2025

Sunny Thakkar
Senior Director of Product Management, Fraud, Disputes, Authentication, & PCI Solutions

Fraud and cybersecurity can no longer be treated as separate challenges. In 2025, they are two sides of the same coin – and small businesses are often caught in the middle. As fraudsters weaponise automation and AI, smaller merchants and nonprofits are increasingly being used as proving grounds for attacks.

I’ve spent years tracking these schemes, and the shift is clear. The criminals who used to target only large enterprises now see small businesses as easier prey. Why? Because many don’t think they’re targets and often lack the protections to defend themselves. That makes them ideal for card testing and other bot-driven attacks.

The growing risk of bot attacks

One of the most damaging threats today is enumeration fraud. This is where fraudsters use bots, botnets or automated scripts to test stolen card credentials at scale. These attacks don’t just cause fraudulent charges – they can bring down a website, rack up authorisation fees and even trigger penalties from card networks. Over half of all internet traffic today is already bot-driven, and a significant portion of that is malicious. That number is only going to rise.

I’ve seen small merchants go from months of no issues to more than 100,000 fraudulent payment attempts in a single day. That kind of surge can overwhelm systems and finances alike.
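
The pattern described above, one source trying many different cards in a short burst with most attempts declined, can be checked for in a merchant's own authorisation log. The following is an added example, not Worldpay or FraudSight code; the record layout, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real traffic.
WINDOW = timedelta(minutes=5)   # look-back window per source
MIN_CARDS = 5                   # distinct cards tried by one source in the window
MIN_DECLINE_RATIO = 0.8         # share of those attempts that were declined

def detect_enumeration(attempts):
    """Flag sources whose recent attempts look like card testing.

    attempts: time-ordered tuples (iso_timestamp, source_ip, card_fingerprint, approved).
    Returns {source_ip: timestamp at which the source first crossed both thresholds}.
    """
    recent = defaultdict(deque)   # source_ip -> attempts still inside the window
    flagged = {}
    for ts, ip, card, approved in attempts:
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append((now, card, approved))
        # Drop attempts that have aged out, so slow legitimate retries never add up.
        while now - window[0][0] > WINDOW:
            window.popleft()
        distinct_cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, ok in window if not ok)
        if (ip not in flagged
                and len(distinct_cards) >= MIN_CARDS
                and declines / len(window) >= MIN_DECLINE_RATIO):
            flagged[ip] = ts
    return flagged

# Constructed sample log: one source cycling through six cards in a minute,
# and one customer who mistypes a card once and then succeeds.
SAMPLE = sorted(
    [(f"2025-01-01T10:00:{i * 10:02d}", "203.0.113.7", f"card-{i:03d}", i == 5)
     for i in range(6)]
    + [("2025-01-01T10:00:05", "198.51.100.20", "card-900", False),
       ("2025-01-01T10:00:45", "198.51.100.20", "card-900", True)]
)

if __name__ == "__main__":
    for ip, first_seen in detect_enumeration(SAMPLE).items():
        print(f"possible card testing from {ip}, flagged at {first_seen}")
```

A velocity rule like this is one layer only: a trusted shopping agent making rapid, repetitive purchases could trip the same thresholds, so it belongs alongside other signals rather than in place of them.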

Generative AI and Fraud-as-a-Service

Generative AI has fundamentally changed the fraud landscape. It has made it simple for anyone, even those without coding skills, to spin up scripts that power these attacks. And when fraudsters don’t want to write the code themselves, they can buy ready-made tools on the dark web.

This new “Fraud-as-a-Service” economy is thriving. It lowers the barrier for entry and accelerates the pace of attacks. Now, even young and inexperienced fraudsters can easily access sophisticated fraud tools that can be deployed with minimal technical knowledge and effort.

Agentic AI: The next challenge

On the horizon is agentic AI – autonomous bots that can shop, compare and complete purchases for consumers. It has the potential to reshape commerce, but it also creates new risks. These “good bots” look a lot like “bad bots” to current fraud systems: fast clicks, repetitive transactions, unusual IP addresses.

This creates a dilemma. We don’t want to shut down innovation, but we also can’t allow malicious bots to have free access. At Worldpay, we’re working with technology partners to define and standardise what good bot behaviour looks like. There’s even discussion of a “Know Your Agent” framework to help businesses distinguish between trusted bots and bad actors.

Why cybersecurity and fraud prevention must work together

Fraud and cybersecurity are deeply connected. A breach of customer data feeds fraud. Fraud attempts can overwhelm systems and expose new vulnerabilities. Separating them no longer makes sense. Small businesses need an integrated approach that combines data protection with fraud detection.

Think of fraud protection like a fire alarm – you hope you never need it, but when you do, it can save you from catastrophe.

Steps small businesses can take today

  • Acknowledge the risk. Fraudsters know small merchants are vulnerable. Don’t assume you’re too small to be a target.
  • Invest in layered protection. Don’t rely solely on tools like CAPTCHA. Today’s bots can bypass them.
  • Work with your payment provider. Ask what fraud detection tools are available and how they’re managed.
  • Use dispute defense tools. Chargebacks are a hidden drain on revenue if not addressed.

A smarter way forward

At Worldpay, we’re combining fraud prevention and cybersecurity into one mission: protecting total revenue. With solutions like FraudSight – powered by AI-native technology from our acquisition of Ravelin – we’re blocking more than 95% of card testing activity while ensuring good transactions still get through. And with automated dispute defense, we’re helping small businesses recover revenue they might otherwise lose.

Fraudsters are evolving quickly, but so are we. By treating fraud and cybersecurity as part of the same challenge, small businesses can build resilience and thrive in the digital economy.