6 October 2025

Professional services firms are increasingly in the sights of cyber-criminals

Understanding the current cyber threat landscape for professional service firms is imperative to staying ahead of evolving threats. These entities (law, accounting, and consulting firms) have become prime targets and now face not just conventional encryption-based attacks but a more insidious, human-centred approach: targeted social engineering combined with data exfiltration. Recognising and addressing this shift is vital to promoting internal governance that reduces risk, whilst also increasing the firm's ability to guide clients towards better resilience.

Why professional services firms are such attractive targets

Coveware’s recent reports indicate that in Q1 2025, professional services (including legal, accounting, and consulting) accounted for 14.4% of all ransomware incidents, ranking among the highest sector-specific figures. The situation worsened in Q2 2025, when professional services firms became the most heavily impacted sector, accounting for 19.7% of the attacks.

Professional service firms hold sensitive client data, financial information, legal work, and strategic advice that criminals can leverage for maximum benefit. They also tend to have flatter IT structures, limited security budgets, and, due to their own perceived small size, a lack of awareness of the risks they face.

Mid-sized firms with between 11 and 1,000 employees represent 64% of ransomware victims in Q2 2025. The median victim size in Q1 2025 was 228 employees, with companies of 11–100 and 101–1,000 employees together accounting for about two-thirds of incidents. These firms are large enough to present a meaningful ransom opportunity yet often lack a mature cybersecurity infrastructure.

The evolution of attack tactics: social engineering meets data theft

Coveware's Q2 2025 report highlights that targeted social engineering is now the primary initial access vector driving the ransomware landscape, replacing broad, opportunistic strikes. Prominent groups, such as Scattered Spider (the M&S attackers), Silent Ransom, and Shiny Hunters, have abandoned mass attacks in favour of tailored impersonations targeting help desks, employees, and external service providers.

Impersonation techniques, masquerading as internal IT personnel or vendors, or sending fake helpdesk messages, allow attackers to exploit human trust and procedural gaps. They often use familiar tools, such as phishing, vishing over Microsoft Teams, deceptive CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) prompts, or exploiting remote-access services such as VPNs and Fortinet, Ivanti, or VMware appliances. The increasing use of social engineering reveals the enduring vulnerability of human-centric defences.

Data exfiltration as the new norm

One of the most alarming shifts is that data theft has surpassed encryption as the prevailing method of extortion. In 74% of all Q2 2025 incidents, exfiltration played a role. Threat actors now focus on harvesting sensitive client records and then threatening to release them, a tactic known as double extortion, with ransom demands reflecting this heightened leverage.

The financial impact reflects this shift: the average ransom payment soared to USD1.13 million (a 104% increase from Q1), while the median payment doubled to USD400,000.

Although the overall payment rate remained steady at 26%, payment rates for data exfiltration-only cases are notably higher, underscoring the critical importance of reputation and confidentiality for these firms.

SMEs at risk

Another area of concern is the lack of cyber cover, or underinsurance, in the SME space, with SMEs accounting for 99% of all UK businesses (2) and 43% of surveyed UK businesses reporting that they suffered some form of cyber-attack in 2024. It becomes ever more critical that SMEs have the correct mechanisms in place to prevent attacks and restore operations, particularly as criminal targeting of the SME space increases.

Proactive risk mitigation: what firms must do

Strengthen human defences

Employee awareness must be the front line. Training programmes should simulate nuanced attacks: not just mass phishing, but impersonation, helpdesk spoofing, and vishing via collaboration platforms.

Harden identity and access controls

Enforce MFA, particularly for privileged accounts. As Coveware noted in older reports, no successful ransomware cases involved domain accounts with truly robust MFA. Implement least-privilege policies and continuously monitor RMM tools and remote services. Monitor for anomalous enumeration (e.g. the use of network mapping tools); deception technology (honeyfiles, decoy credentials) can help catch threats in the reconnaissance phase.

Elevate resilience and recovery capabilities

Given the normalisation of data exfiltration and multi-extortion tactics, firms should:

• Invest in effective, immutable data backups.

• Employ rapid incident response planning, together with legal and PR strategies.

• Ensure insurance policies encompass remediation, legal costs, and negotiation support.

Summary

As cyber insurance brokers, our role now extends beyond indemnification; we must guide clients through a landscape dominated by human-targeted, financially escalated ransomware threats. For professional services firms:

• Quantify risk continuity: Coverage should reflect the business value of data and reputation.

• Promote proactive resilience: Advocate for layered defences: training, identity controls, and detection mechanisms.

• Shape modern policies: Ensure extortion, reputational harm, and exfiltration scenarios are baked into policy language and limits.

In summarising the latest Coveware findings, the message is clear: social engineering combined with data exfiltration equals asymmetric risk escalation for professional services firms. Addressing that through holistic insurance planning and robust risk mitigation should be our guiding principle.

Let's talk


Nick Barker

Technology and Cyber Practice Leader

Nick_Barker@ajg.com

Will Slater

Executive Director

Will_Slater@ajg.com

James Wall

Executive Director

James_Wall@ajg.com


Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher (UK) Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.