TL;DR: During National Small Business Week 2026 (May 3 to 9), the FTC, IRS, and NIST ran a coordinated push warning small businesses that AI has industrialized scams: convincing impersonation emails, deepfake voice and video, and fraudulent payment requests. VikingCloud's 2026 research shows cyberattacks are now the #1 SMB concern (75%), ahead of inflation (54%), and 46% of SMBs saw AI-generated phishing in the past year. North Carolina small businesses close the gap with email authentication, payment verification controls, employee training, and a managed security partner.
Key takeaway: The FTC's 2026 message is blunt: the scams have not changed in goal, only in quality. AI removes the spelling errors, accents, and awkward phrasing that used to give fraud away. Defense now depends on process and verification, not on spotting a bad email.
Worried your team can spot an AI-built scam? Contact Preferred Data Corporation at (336) 886-3282 for a small business security assessment, including email authentication, phishing-resistant MFA, payment-verification controls, and employee training. Serving High Point, Greensboro, Charlotte, Raleigh, and Winston-Salem businesses for 37+ years.
Why did the FTC focus National Small Business Week 2026 on AI scams?
The FTC focused National Small Business Week 2026 on AI scams because small businesses are now the primary target and the least prepared. The agency ran a virtual summit and dedicated webinars (a cybersecurity session and a scam-awareness session) during the week of May 3 to 9, 2026, alongside parallel warnings from the IRS about tax-themed fraud and a joint FTC and NIST event on building a small business cybersecurity team.
The data behind the focus is stark. According to VikingCloud's 2026 SMB Threat Landscape Report released February 24, 2026:
- 75% of SMBs say cyber incidents are most likely to harm their business in 2026, ranking ahead of inflation (54%) and recession (25%)
- 46% of SMBs experienced AI-generated phishing in the prior 12 months
- 29% saw deepfake schemes and 27% saw a customer data breach
- 84% of business owners still self-manage their cybersecurity program despite escalating AI risk
Small and mid-sized businesses accounted for roughly 70% of reported data breaches in 2025, and LLM-generated phishing has been measured as up to 4.5x more effective than traditional phishing. The FTC's core point during the week: the volume and quality of business-targeting fraud crossed a threshold in 2025 and 2026, and small teams are absorbing enterprise-grade attacks with consumer-grade defenses.
What AI-powered scams target North Carolina small businesses in 2026?
The scams targeting NC small businesses in 2026 are the same categories the FTC has warned about for years, now generated at scale by AI. Four patterns dominate.
Business email compromise and vendor impersonation. Attackers study a real vendor relationship, then send a perfectly written email requesting that future payments go to a new bank account. AI eliminates the grammatical tells that used to expose these messages.
Deepfake voice and video authorization. A finance employee receives a call or video meeting that looks and sounds like an executive authorizing an urgent wire transfer. The FTC and multiple 2026 reports flag this as one of the fastest-growing small business fraud vectors.
Tax and government impersonation. The IRS used Small Business Week 2026 to warn about scammers promoting bogus "self-employment tax credits" and impersonating IRS.gov with urgent payment demands and mismatched sender addresses.
Fake AI and software vendors. The FTC has separately taken enforcement action against deceptive AI marketers, including a ban on Air AI from marketing business opportunities after it misled entrepreneurs and small businesses.
For Piedmont Triad manufacturers, Triangle professional services firms, and construction companies that move large payments and purchase orders, vendor impersonation and deepfake authorization carry the highest dollar exposure.
How can NC small businesses defend against AI-generated scams?
NC small businesses defend against AI-generated scams with layered controls that do not depend on an employee detecting a fake. The FTC's 2026 guidance, paired with managed security best practice, comes down to a short, enforceable control set.
| Control | What it stops | Effort for an SMB |
|---|---|---|
| Email authentication (SPF, DKIM, DMARC) | Spoofed sender domains | Low (one-time setup) |
| Phishing-resistant MFA | Credential theft and account takeover | Low to medium |
| Out-of-band payment verification | BEC and vendor bank-change fraud | Low (policy + training) |
| Security awareness training with simulations | Human-targeted social engineering | Medium (ongoing) |
| EDR/MDR with 24/7 monitoring | Malware delivery and post-click compromise | Medium (managed) |
| Tested incident response plan | Slow, costly breach response | Medium (managed) |
Three controls deliver the most protection per dollar:
- Mandatory out-of-band verification for any payment or bank-detail change. Confirm by calling a known number, never a number in the request. This single policy neutralizes most BEC and deepfake authorization fraud.
- Email authentication and phishing-resistant MFA. DMARC enforcement blocks domain spoofing; FIDO2 or app-based MFA blocks the credential theft that follows a successful phish.
- Quarterly training with realistic simulations. Employees cannot spot AI-built emails by quality anymore, so training shifts to process: verify, slow down, and report.
For North Carolina businesses without a dedicated security team, a managed cybersecurity provider implements and maintains this stack as a service, which is the model the FTC and NIST jointly recommended during Small Business Week 2026.
What should an NC business do in the first hour after a suspected scam?
In the first hour after a suspected scam, an NC business should contain the financial loss, preserve evidence, and report. Speed determines whether funds can be recovered.
- Contact your bank immediately and request a fraud recall or hold on any transferred funds. Wire and ACH recovery windows are short, often measured in hours.
- Preserve the original email, headers, and any voicemail or recording. Do not delete the message; forensic detail determines scope and law enforcement options.
- Reset credentials and revoke sessions for any account that may have been exposed, starting with email and finance systems.
- Report the incident. File with the FBI Internet Crime Complaint Center (IC3), report to the FTC, and notify the North Carolina Attorney General if personal information was involved under the North Carolina Identity Theft Protection Act.
- Engage your IT and security partner to determine whether the incident is isolated fraud or evidence of a wider compromise.
A managed IT services partner with a tested incident response playbook compresses this from a scramble into a rehearsed sequence, which is often the difference between recovering funds and absorbing the loss.
Frequently Asked Questions
When was National Small Business Week 2026 and what did the FTC say?
National Small Business Week 2026 ran the week of May 3 to 9. The FTC used it to warn small businesses that AI has made scams (impersonation, payment fraud, deepfakes) far more convincing, and to push verification-based defenses rather than relying on employees to spot fraud. It ran a virtual summit and dedicated cybersecurity and scam-awareness webinars.
Why are AI scams harder for small businesses to detect in 2026?
AI removes the language errors, awkward phrasing, and generic templates that traditionally exposed scams. Attackers now generate fluent, context-aware emails and even deepfake voice and video at scale. LLM-generated phishing has been measured as up to 4.5x more effective, so detection by "looking wrong" no longer works.
What is the single most effective control against business email compromise?
Mandatory out-of-band verification for any payment or bank-detail change. Confirming the request by calling a known, pre-verified number (never a number supplied in the message) neutralizes most BEC and deepfake-authorization fraud regardless of how convincing the message is.
Are North Carolina small businesses required to report a scam or breach?
If personal information is exposed, the North Carolina Identity Theft Protection Act requires notifying affected NC residents and the NC Attorney General. Businesses should also report fraud to the FBI IC3 and the FTC. Regulated industries (healthcare, financial) have additional notification obligations. Confirm specifics with legal counsel.
Should a small business outsource cybersecurity instead of self-managing it?
For most small businesses, yes. VikingCloud's 2026 research found 84% of owners still self-manage security despite rising AI risk, and SMBs account for roughly 70% of breaches. A managed security provider delivers the email authentication, MFA, monitoring, and incident response that an in-house team of one or two cannot maintain.
How quickly can stolen funds be recovered after a wire fraud scam?
Recovery windows are short, often within hours of the transfer. Immediate contact with your bank to request a fraud recall, combined with a fast IC3 report, materially improves recovery odds. Delays of even a day frequently make funds unrecoverable.
How does Preferred Data Corporation help NC SMBs defend against AI scams?
Preferred Data Corporation deploys layered defenses including managed cybersecurity with EDR/MDR, email authentication (SPF/DKIM/DMARC), phishing-resistant MFA, payment-verification policy design, employee training with simulations, and tested incident response. We support manufacturers, contractors, and professional services firms across High Point, the Piedmont Triad, Charlotte, Raleigh, and Winston-Salem.