Kaspersky Reports Rise in Fake AI Tool Attacks on SMBs

Kaspersky released a 2026 threat analysis for small and medium-sized businesses ahead of International SMB Day on June 27, 2026. Per Kaspersky's Securelist report, in the first four months of 2026 Kaspersky solutions detected over 33,300 cyberattacks on SMBs pretending to be popular AI tools, nearly five times the volume recorded in 2025 and 39% more than detections for office and collaboration tool disguises. The report also documents almost 415,000 attacks using fake messenger apps and video conferencing software. Kaspersky names Claude and OpenClaw among the AI-themed lures and notes that the majority of initial accesses offered on the dark web are allegedly accesses to SMBs.

Kaspersky states its analysis leveraged anonymized telemetry from the Kaspersky Security Network (KSN) and data collected from users of Kaspersky solutions for SMBs. The report categorizes threats including malware and potentially unwanted applications (PUAs) disguised as legitimate services, social-engineering lures via communication platforms, and fraud campaigns that use fake AI tooling to extract payments or credentials. Kaspersky provides real-world examples illustrating these vectors.

A broader May 2026 Kaspersky report on worldwide AI-lure attacks (Security MEA) found over 92,000 attacks globally from January to early May 2026, confirming the AI-branding trend is not limited to SMBs; fake ChatGPT applications accounted for 49% of all detections, with Claude and Gemini each at 18%. The Silver Fox APT group was separately identified distributing fake Claude apps in a targeted campaign (Security MEA).

Attackers adopting popular product names as lures is a well-documented pattern in phishing and supply-chain social engineering. Companies and defenders seeing a surge in brand-targeted malware should consider that attackers commonly follow mainstream adoption curves, repackaging known malware families or PUAs with convincing installers and social media bait. Kaspersky's finding that many initial-access records on the dark web are allegedly SMB accounts aligns with broader reporting that less-protected vendors and contractors can serve as pivot points for attacks against larger enterprises.

Monitor telemetry for AI-branded installer filenames and messaging-app lures, validate vendor access controls, and track dark-web chatter for SMB access listings. Kaspersky's report supplies data points to prioritize detection rules and user-awareness training around AI-themed scams.