ANN ARBOR – Small businesses across Michigan—from auto suppliers in Oakland County to cannabis retailers in Detroit—are facing a growing and costly threat: cybercrime.

A new national survey by the Public Private Strategies Institute (PPSI), conducted by Morning Consult, shows fraud, scams and ransomware are draining an estimated $131 billion annually from U.S. small businesses, effectively acting as a “hidden tax” on entrepreneurs.

With nearly three-quarters of small businesses reporting at least one attack in the past year, the data suggests Michigan companies are not just at risk—they are likely already paying the price.

“We’re Seeing This Across Michigan Businesses”

Cybersecurity experts say the trend is already visible across the state.

“Small and mid-sized businesses in Michigan are being targeted at a much higher rate than they realize,” said Dan Lohrmann, a Michigan-based cybersecurity expert and former state chief security officer. “Attackers know these companies often lack the resources of large enterprises, but still have valuable data and financial access. That makes them ideal targets.”

Lohrmann added that AI-driven attacks are accelerating the problem, allowing criminals to launch more convincing and scalable campaigns than ever before.

A Real-World Example: One Email, $80,000 Gone

For many businesses, it only takes one incident.

A mid-sized manufacturing firm in Southeast Michigan—part of the automotive supply chain—recently fell victim to a business email compromise scam, according to Michigan-based cybersecurity firms that track fraud incidents across the region. The firm involved declined to be identified.

In a typical case, an employee receives what appears to be a legitimate invoice request from a known vendor. But today’s attacks are far more sophisticated. Using artificial intelligence, cybercriminals can generate highly convincing emails, replicate vendor branding, and even create realistic-looking invoices that match prior transactions.

In some cases, attackers study real email threads or public information to mimic tone, timing, and internal workflows—making the request nearly indistinguishable from legitimate business communication.

The result: a fraudulent payment transfer that can exceed $50,000 to $100,000 before the error is detected.

The Most Common Types of Attacks

The PPSI survey highlights several types of cyberattacks now hitting small businesses:

  • Payment fraud – Unauthorized or manipulated transactions
  • Business email compromise (phishing) – Fake emails impersonating vendors or executives
  • Ransomware – Malware that locks systems until a payment is made
  • Social engineering scams – Manipulating employees into revealing sensitive data
  • Account takeovers – Hackers gaining access to financial or operational systems

Among these, payment fraud and phishing are the most common, but ransomware remains one of the most disruptive—capable of shutting down operations entirely.

The Financial Hit: $60K to $90K Per Incident

The financial damage is significant.

The survey found:

  • Payment fraud averages nearly $60,000 per incident
  • Email compromise attacks exceed $90,000

For Michigan businesses operating on tight margins, losses of that size can delay hiring, stall expansion, or erase annual profits.

AI Is Fueling the Next Wave of Attacks

Business owners are increasingly concerned that the problem is about to get worse.

71% say artificial intelligence will make fraud and ransomware attacks more frequent, according to the PPSI survey.

Even more concerning, 76% of businesses that experienced attacks said AI played a role, enabling more realistic phishing emails and automated scams.

“AI has lowered the barrier to entry for cybercriminals,” Lohrmann said. “You no longer need to be highly technical to launch a convincing attack.”

A Direct Drag on Growth

Cybercrime is not just a cost—it’s a growth constraint.

Small business owners say these threats are:

  • Making it harder to accept payments (43%)
  • Hurting customer trust (40%)
  • Slowing innovation (39%)

In Michigan’s interconnected economy, those impacts can ripple across supply chains, especially in manufacturing and retail.

Businesses Know the Risk—but Aren’t Ready

Despite widespread awareness, preparedness remains low.

  • Only 44% feel prepared for payment fraud
  • Just 41% are ready for email compromise
  • Only 30% say they are prepared for ransomware

That gap leaves many Michigan businesses exposed.

Top 5 Protections: How to Stop AI-Driven Invoice Scams

If you don’t want this to happen to your company, experts say the most effective defense starts with training—especially in your accounts payable department.

1. Verify Every Payment Request

Confirm any invoice or payment change directly with the vendor using a known contact—not the email.

2. Use Multi-Factor Authentication

Enable MFA across email, accounting, and banking systems.

3. Watch for Urgency and Subtle Changes

Flag last-minute payment requests, altered email domains, or unusual tone.

4. Separate Duties on Payments

Require dual approval for large transactions to prevent single-point failure.

5. Conduct Regular Training and Audits

Train employees to recognize evolving scams and regularly review payment processes.

Cybercrime is no longer just an IT issue—it’s an economic threat.

And as artificial intelligence makes fraud more convincing and scalable, Michigan businesses that fail to adapt may find themselves paying this growing “hidden tax.”