The professional services sector has seen significant growth over the past few years, spurred by globalization. However, this growth is also accompanied by increased exposure to risks, especially those of a technological nature. Beazley’s latest Cyber Services Snapshot report revealed that professional service firms are increasingly being targeted by cyberattacks.
According to the report, professional services companies have seen a higher volume of fraudulent instruction attacks and almost as many business email compromise incidents so far in 2022 compared to the whole of 2021.
Bala Larson, head of client experience at Beazley, told Corporate Risk and Insurance that professional services firms are lucrative targets for cybercriminals due to their data-rich environments, including data about their own B2B clients.
“In some cases, they might hold onto data for very long periods of time, even after it is no longer useful,” Larson said. “This is especially dangerous because some of that data might be sensitive, such as passwords and access to business clients’ IT systems and infrastructure. If leveraged, this data could give a threat actor a good idea as to who their next targets should be.”
Hackers may also exploit a professional services firm’s good name and reputation to bypass the defenses of that firm’s clients, since such firms are often included in their clients’ trusted email domains and other whitelists.
“This is one of the reasons why fraudulent instruction and business email compromises are so common with these organizations,” Larson said. “Not only are these firms often trusted by other parties, but they also usually have intimate knowledge of legitimate transactions with large financial consequences. These transactions present lucrative opportunities for threat actors to hijack conversations and misappropriate the trust of these firms for their financial gain.”
According to Larson, fraudulent instruction occurs when someone is tricked into making a payment or transferring money by a party purporting to be a vendor, client, or authorized employee. Such attacks often involve spoofed emails and communications sent from compromised vendor accounts.
“What makes this form of attack so appealing to threat actors is the low barrier for entry,” Larson said. “Rather than attack computers, most of these deceptions target the relationships between people. Because attackers leverage the bonds of trust in these attacks, some people may not push back on unusual requests to redirect funds because these are unusual times. Resistance to these attacks may also be lower in relationships when there is significant trust, or when a new relationship is in its early stages and there is a greater desire to make the other party happy.”
Larson provided several tips on how professional services firms, as well as other businesses, can mitigate risks related to fraudulent instruction. These are:
Larson also highlighted general cybersecurity guidelines contained in the Cyber Services Snapshot report. Risk managers and decision-makers should not only understand these guidelines but also communicate them to the entire organization.