How cyber criminals set their sights on professional services firms
Law, accounting and consulting firms have become prime targets for cyber crime. Now they’re facing both conventional encryption-based attacks and a more human-centred approach: targeted social engineering combined with data theft. The cyber team at Gallagher examines the threats and how to overcome them.
Understanding the current cyber crime threat landscape is vital for professional services firms as they become targets for this type of activity.
The threats include both:
- social engineering – a manipulation technique that exploits human error to gain information
- data exfiltration – the unauthorised copying, transfer or theft of data from a computer or network
Recognising and addressing this change in approach is important so firms can ensure they have the right governance in place.
This will reduce risk, while also increasing the firm’s ability to guide clients towards better resilience.
Why professional services firms are such attractive targets
A recent report by ransomware recovery response firm Coveware shows that in the first quarter of 2025, professional services firms, including legal, accounting and consulting, accounted for 14% of all ransomware incidents, ranking among the highest sector-specific figures.
The situation worsened in the next quarter when these firms became the most heavily impacted sector, accounting for nearly 20% of the attacks.
Professional services firms hold sensitive client data, financial information, legal work and strategic advice that criminals can use for maximum benefit.
They usually have flatter IT structures, limited security budgets and sometimes a lack of awareness of the risks they face due to their small size.
The 2025 survey shows that mid-sized firms with between 11 and 1,000 employees represented 64% of ransomware victims in the second quarter. The median number of employees in an affected company was 228.
These firms are large enough to present a ransom opportunity to cyber criminals, yet often lack the relevant security infrastructure.
The evolution of attack tactics: social engineering meets data theft
Coveware’s recent report highlights that targeted social engineering attacks now drive the ransomware landscape, replacing opportunistic strikes.
Prominent groups have abandoned mass attacks in favour of tailored impersonations targeting helpdesks, employees and external service providers.
Impersonation techniques, such as masquerading as internal IT staff or vendors, allow attackers to exploit trust and gaps in processes and procedures.
They often use familiar tools, such as:
- phishing
- vishing (voice phishing, typically by phone or voice call)
- sending deceptive security tests
- exploiting remote services like virtual private networks (VPNs)
Data theft becomes the new norm
One of the most alarming shifts is that data theft, or exfiltration, has overtaken encryption as the main method of extortion, playing a role in 74% of all incidents in the quarter two report.
Cyber criminals now focus on harvesting sensitive client records and threatening to release them, a tactic known as double extortion.
Ransom demands have also increased to reflect this shift, with the average ransom payment soaring to $1.13m, which is a 104% increase from the first quarter.
Small and medium-sized enterprises (SMEs) at risk
Another area of concern is the lack of cyber insurance cover for SMEs, which make up around 99% of all UK businesses; 43% of all surveyed UK businesses reported having suffered some form of cyberattack in 2024.
It becomes more critical than ever that SMEs have protection, particularly as criminals are increasingly targeting this space.
Being proactive to mitigate risks
There are some key ways that firms can act to protect themselves from the ever-evolving threat of cyber crime.
Strengthen defences
Employee awareness must be front and centre. Training programmes can simulate attacks such as:
- mass phishing
- impersonation
- helpdesk spoofing
- vishing via collaboration platforms
Improve identity and access controls
Enforce multi-factor authentication (MFA). As Coveware has noted in previous reports, no successful ransomware cases involved domain accounts with truly robust MFA.
Implement least-privilege policies and continuously monitor remote monitoring and management (RMM) tools and services.
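One way to put the RMM monitoring advice into practice is to check endpoint process-start records against the firm's list of sanctioned remote-access tools. The script below is an added example written for this article, not code from Gallagher or Coveware; the log format, host names and the single approved tool are constructed assumptions, and the product-name list is illustrative rather than complete.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Lower-case substrings that identify RMM / remote-access client executables.
# Real product names, but this list is an illustrative assumption, not a catalogue.
RMM_SIGNATURES = {"anydesk": "AnyDesk", "teamviewer": "TeamViewer",
                  "screenconnect": "ConnectWise ScreenConnect"}
# The one tool this hypothetical firm has sanctioned for its IT provider.
APPROVED = {"ConnectWise ScreenConnect"}
# A centrally deployed agent should never launch from these user-writable directories.
SUSPECT_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

def parse_event(line):
    # Constructed record format: "<timestamp> key=value key=value ..."
    ts, _, rest = line.strip().partition(" ")
    return {"ts": ts, **dict(re.findall(r"(\w+)=(\S+)", rest))}

def classify_rmm(image):
    # Return the RMM product for an executable path, or None if it is not one.
    name = PureWindowsPath(image).name.lower()
    return next((p for s, p in RMM_SIGNATURES.items() if s in name), None)

def find_rmm_findings(lines):
    findings, per_host = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        product = classify_rmm(ev["image"]) if "image" in ev else None
        if product is None:
            continue
        host = ev.get("host", "?")
        per_host[host].add(product)
        if product not in APPROVED:
            findings.append((host, product, "unapproved RMM tool executed"))
        elif any(d in ev["image"].lower() for d in SUSPECT_DIRS):
            findings.append((host, product, "approved tool run from a user-writable directory"))
    for host, products in per_host.items():
        if len(products) > 1:  # a second tool beside the sanctioned one warrants a look
            findings.append((host, ",".join(sorted(products)), "multiple RMM tools on one host"))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"2025-06-03T09:02:11Z host=WS-ACC-07 user=jsmith image=C:\ProgramData\ScreenConnect\ScreenConnect.ClientService.exe parent=services.exe",
    r"2025-06-03T10:14:22Z host=WS-ACC-07 user=jsmith image=C:\Users\jsmith\Downloads\AnyDesk.exe parent=outlook.exe",
    r"2025-06-03T10:31:05Z host=WS-LGL-12 user=apatel image=C:\Users\apatel\AppData\Local\Temp\TeamViewer.exe parent=msedge.exe",
    r"2025-06-03T10:40:48Z host=WS-LGL-12 user=apatel image=C:\Users\apatel\Downloads\ScreenConnect.ClientService.exe parent=explorer.exe",
]
```

Running `find_rmm_findings(SAMPLE_EVENTS)` yields five findings: two unapproved tools, one approved tool launched from a Downloads folder, and two hosts with more than one RMM product present.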
Elevate resilience and recovery capabilities
Invest in effective data backups; prepare rapid incident response plans together with legal and PR strategies; and make sure insurance policies include remediation, legal costs and negotiation support.
How insurance can protect your firm from cyber crime
The role of cyber insurance brokers now extends beyond compensation for loss.
Clients must be helped and guided through a landscape dominated by ransomware threats that target people directly and have a significant financial cost.
For professional services firms, coverage should reflect the business value of their data and reputation.
It should also promote proactive resilience, which means using defences such as training, identity controls and detection mechanisms.
There must also be consideration for your firm’s policies to make sure extortion, reputational harm and data exfiltration scenarios are written into policy language and limits.
The latest Coveware findings give a clear message: social engineering combined with data exfiltration means more risk for professional services firms.
This can be addressed through insurance planning and robust risk mitigation.
Partner information
Gallagher offers cyber insurance for the legal sector – helping you protect your law firm from cyberattacks.
Gallagher is one of the world’s largest insurance brokerage, risk management and consulting firms.
Find out more about exclusive cyber insurance and risk management services for Law Society members.