inMotion report says AI is accelerating website attacks

By AI, Created 4:56 PM UTC, May 18, 2026, /AGP/ – inMotion Real Estate Media says AI has helped drive a sharp rise in website attacks over the past 18 months, with bot traffic, exploit speed and SMB exposure all worsening. The report argues the new threat landscape leaves small businesses and their vendors far more exposed than many owners realize.

Why it matters: - AI tools are lowering the cost and skill needed to attack websites, which raises risk for small and mid-sized businesses that may not have enterprise-level defenses. - The report says website compromise can trigger legal, financial and operational fallout, including breach notices, FTC scrutiny, CCPA exposure, indemnification claims and SOC 2 consequences. - Research cited in the report says 60% of small businesses close within six months of a serious cyberattack.

What happened: - inMotion Real Estate Media released a report on May 11, 2026, about the shift in website security threats over the past 18 months. - The New York-based commercial real estate marketing agency says the surge is tied to the mainstreaming of AI tools among attackers. - The report, Why Websites Are Getting Hacked More Than Ever, draws on threat intelligence from Anthropic, IBM, Microsoft, Cloudflare, Imperva, Wordfence, Patchstack and the FBI’s Internet Crime Complaint Center. - The report is aimed at owners of B2B small and mid-sized businesses. - The full report is available as a free download at the full report.

The details: - AI-enabled bot attacks against websites rose from 2 million per day to 25 million per day in one year. - The average time between public disclosure of a security flaw and attacker exploitation fell from 32 days in 2023 to 5 days in 2024. - Some exploitation is now occurring before public disclosure. - About 80% of U.S. small and mid-sized businesses experienced at least one cyberattack in 2025. - Wordfence blocked more than 54 billion malicious requests in 2024. - Wordfence also blocked 8.7 million attacks against two plugin vulnerabilities in a 48-hour period in October 2025. - The report cites breaches at Change Healthcare, Coinbase, Marks & Spencer and Jaguar Land Rover, with damages ranging from $400 million to more than $2.5 billion. - Anthropic’s August 2025 threat intelligence report documented one individual using AI tools to extort 17 organizations in a single month. - Researchers have called that pattern “vibe hacking.” - The report includes a practical website protection framework. - The framework covers warning signs of compromise, questions to ask agencies and vendors with site access, and guidance on cyber liability insurance.

Between the lines: - Jonathan Phillips, CEO of inMotion Real Estate Media, said the economics of cybercrime have changed in the last 18 months and that attackers can now sweep the internet with automated tools. - Phillips said unknown status is no longer protection because attackers no longer need to choose targets one by one. - Nicole Wallach, marketing director at inMotion Real Estate, said many clients launch a site and then face a threat environment that has changed materially 12 to 18 months later. - The report argues the agency that built a website is part of the security perimeter, which extends responsibility beyond internal IT teams. - The findings suggest SMBs may be underestimating how fast attack methods are evolving compared with the pace of their own security updates.

What’s next: - inMotion says business owners should review vendor access, monitor for compromise and reassess cyber liability coverage. - The report urges companies to treat website security as an ongoing obligation rather than a one-time launch task. - Businesses that rely on third-party agencies or integrations may need tighter security questions and clearer contract terms.

The bottom line: - AI has made website attacks faster, cheaper and more scalable, and the report says SMBs need continuous protection instead of periodic checkups.