CYBERCRIME and the CA
AI is transforming cybersecurity, making attacks smarter, faster and harder to spot. And it’s finance professionals who now find themselves in the crosshairs, as Christian Koch reports
However slick your business looks, however shiny your offices or spotless your balance sheets, chances are, beneath the bonnet, your IT team is engaged in a never-ending game of Whac-a-Mole against a cavalcade of cyber-attacks. Today, the average UK company faces a network breach every 44 seconds. Most are blocked, but when these assaults do sneak past the firewalls, the impact can be devastating. Just look at Jaguar Land Rover (JLR), Marks & Spencer, the Co-op or many other household names thrown into disarray by cyber-attacks last year.
No business is immune. In the same week JLR suffered the most expensive cyber-attack in British history (estimated cost to the UK economy: £1.9bn), hackers broke into the accounting system of Jeremy Clarkson’s Cotswolds pub, stealing £27,000. On a more sombre note, 2025 also brought confirmation of the UK’s first death linked to cybercrime, when King’s College Hospital confirmed a patient had “died unexpectedly” during a 2024 cyber-attack on its services.
“When we think about cybersecurity, we tend to focus on the big names,” says Karl Mcaree, Head of Technical Development at Mitigo, which provides cybersecurity services to high-risk sectors such as accountancy and legal firms.
“They’re still targets, but underprepared small businesses are now increasingly viewed as easy pickings for hackers and malicious gangs.”
Being reliant on legacy systems or having weaker IT infrastructure partly explains why SMEs are soft targets. But accountancy firms – along with CFOs and others who hold the purse strings – are particularly attractive.
As Mohammed Lateef CA, founder of cybersecurity firm CySecura, says, “Today, there are few cyber-attacks on companies where money isn’t involved. It’s the main reason finance professionals are targeted.”
Why AI is rewriting the rules
Cybercrime is evolving at breakneck speed, thanks in no small part to AI. Attacks on UK firms soared by 50% in the 12 months to September 2025, according to the National Cyber Security Centre (NCSC).
Until recently, it was relatively easy to identify a phishing attack (still the most commonplace method, responsible for 85% of attacks according to 2025’s Cyber Security Breaches Survey). It would be, says Mcaree, “the email from the ‘Nigerian prince’ asking you to transfer money, with the big giveaway being the bad English grammar”.
Now AI is making life easier for cybercriminals. Hackers can craft a flawless email in ChatGPT – or even WormGPT, the generative AI tool hackers use to bypass the guardrails of mainstream AI models – within minutes. These emails are so convincing “even cybersecurity professionals fall for them”, says Mcaree. Here, he sketches out a likely phishing scenario.
A finance team receives an email from their CFO, who’s planning to run the Manchester Marathon. It lands in their inbox the day before the race, asking them to process payments because she’s “away from her desk”. The email, of course, is from a cyber-gang who have scoured the CFO’s social accounts – the TikTok videos showing her love of running, the JustGiving page asking for charity donations, maybe even her LinkedIn posts to sample her tone of voice – to help craft the email.
AI is also driving the rise of vishing (voice phishing). “Over the last 12 months we’ve noticed more firms getting WhatsApp messages, voice notes and glitch-free videos of CFOs indistinguishable from the real person,” says Lateef. “You can only imagine what this will look like in two or three years’ time.”
2025: A year in cyber-wars
APRIL
Marks & Spencer: A sophisticated cyber-attack over Easter weekend – apparently involving hackers impersonating one of the retail giant’s partners – forced Marks & Spencer to shutter its online store for seven weeks, causing a £300m dent to profits (and Percy Pig shortages).
The Co-operative Group: The group’s IT systems were shut down, its funeral parlours switched to paper-based services and shoppers faced shortages on shelves during a crippling cyber-attack which saw the Co-op lose an estimated £206m in revenue.
MAY
Legal Aid Agency: Barristers went unpaid and cases were rejected after the personal data of hundreds of thousands of legal aid applicants was compromised in a network attack.
HSBC: Cybersecurity is now the bank’s biggest expense, costing hundreds of millions of pounds a year, according to the CEO of its UK division.
JUNE
HMRC: A phishing scam on 100,000 taxpayer accounts hit the UK’s tax authority to the tune of £47m, MPs on the Treasury select committee were told.
AUGUST
Jaguar Land Rover: On 31 August, the most expensive cyber-attack in British history took place, shutting the car manufacturer’s factories for six weeks and causing quarterly pre-tax losses of £485m. The government extended a £1.5bn loan guarantee to the company as thousands of workers faced redundancy across the supply chain.
SEPTEMBER
Kido: Hackers held the nursery chain to ransom, posting pictures of children online. The following month a government survey found that six out of 10 secondary schools had suffered an attack or breach.
OCTOBER
The Foreign, Commonwealth and Development Office: Newspapers claimed Chinese hacking group Storm 1849 were the culprits behind a major data breach (although the government responded it was “not clear” who was responsible).
Where are the attacks coming from?
Russia
“The frontline is everywhere,” new MI6 head Blaise Metreweli said recently about the cyberthreat currently posed by Russia, where ransomware gangs such as LockBit are believed to operate from within the Kremlin.
North Korea
The pariah state is thought to be behind the biggest heist in history: the theft of around $1.5bn (£1.2bn) in virtual assets from cryptocurrency platform ByBit last year. FBI officials believe North Korea’s cyber and ransomware attacks are funding Kim Jong Un’s nuclear weapons programme.
English-speaking hacker community
The Com (short for Community) is a loose union of young cybercriminals and mainly native English speakers. Its tendrils include the Scattered Spider group, associated with last year’s hacks against M&S and the Co-op.
Teens’ bedrooms
“What we’re finding is attacks are increasingly being done by UK teenagers,” says Mcaree. “Gangs are finding these teens on dark web forums and technical discussion boards, before hiring them.” In October, two 17-year-olds were arrested in Hertfordshire over the ransomware hack of the Kido nursery chain. In July, 21-year-old student Ollie Holman was jailed for seven years for selling phishing kits linked to £100m of fraud.
Agentic AI – which can operate autonomously – could unleash even more chaos. Because it learns and operates without human intervention, agentic AI can carry out all the usual cyber-villain’s tasks (such as writing malware, encrypting data and sending ransomware demands) at a much greater scale than today. If that wasn’t enough, the next decade raises the spectre of quantum hackers, who can decrypt data currently considered secure. Not for nothing is the NCSC now urging UK organisations to prepare for quantum attacks by 2035.
The UK might be the world’s second-most targeted nation for cybercrime (after the US), but it remains ill-equipped to deal with the menace. In December, Richard Horne, CEO of the NCSC, warned that the UK is underestimating the gravity of the threat it faces. While 62% of small businesses have some form of cyber-insurance, that figure drops below half (45%) among all UK businesses, according to the government’s Cyber Security Breaches Survey, with larger companies being less likely than SMEs to hedge against attacks. Incredibly, JLR didn’t have a cyber-insurance policy when it was hacked last year.
“Things are only going to get worse,” adds Lateef. “The onus will be on companies to start paying more attention to this than they already do.”
Risk-reduction tips
Mohammed Lateef CA on the steps needed to minimise your exposure
Invest in training and pen testing
“The best technology in the world won’t prevent these criminals from getting into your systems. Consider having pen [penetration] testing once a year, where an external provider visits your premises and tests for vulnerabilities. Also, don’t forget most attacks happen because of human error – such as somebody clicking on an email link.
Cybersecurity training and assessment should be mandatory for all employees twice a year, and part of the induction process for all new starters.”
Get insured
“Big corporations with billions of dollars can survive a cyber-attack. But if you’re a small business with a modest turnover, a ransomware payment of £40,000 could wipe out your livelihood – and, by the way, ransom demands should never be paid.”
Be extra alert when your business makes the news
“Any public announcement – such as a press release telling the world you’ve raised tons of money – immediately makes your business more vulnerable. Look out for strange emails from ‘external consultants’ and don’t open any suspicious attachments.”
Don’t use ChatGPT-generated emails
“As accountants, we’re often stereotyped as robotic. However, if we compose our emails that way, cybercriminals can easily impersonate this tone. It’s fine to use AI to check spelling and grammar, but written communication should always be personable.”
Target number one
CFOs are in cybercriminals’ crosshairs, not least because they oversee payroll and payment processing. “These are areas where money is coming in and out of the business – and where most [phishing] emails will ask you to make payments,” says Lateef.
Senior finance professionals also have a bullseye on their backs because their jobs require them to handle sensitive data such as clients’ financial statements, bank account details, tax records and national insurance numbers – all of which can be sold on the black market or used to launch ransomware attacks.
To add to the CFO’s woes, cybercriminals know exactly when teams could be taking their eyes off the ball. “Although many finance departments know the red flags of a cyber-attack, all this goes out of the window when under extreme pressure, such as hitting deadlines or preparing year- or quarter-ends,” says Lateef. “All it takes is one momentary lapse…”
A few seconds of forgetfulness can be reputationally and financially disastrous, triggering a plummeting stock price and a string of cancelled orders. Businesses could also face regulatory penalties, as happened last October to outsourcing giant Capita, which was fined £14m after hackers stole the personal data of 6.6 million people in a 2023 attack.
Back to the future?
The strongest line of defence against a paralysing cyber-attack may lie in a 32-year-old concept that’s rapidly picking up steam in the cybersecurity world: ‘zero trust’ is an approach which has nothing to do with technology, but rather with using the power of human judgement and gut instinct.
Zero trust – as its name implies – assumes you or your organisation will be attacked or may already have been breached. As a result, no users or devices should be trusted by default – even if they are connected on your corporate network. In other words, “never trust, always verify”, as its mantra goes.
First coined by PhD student Steve Marsh in his 1994 University of Stirling doctoral thesis, this approach has gained traction in an era when cloud software, remote working and mobile devices have made it easier for malicious entities to break through. It should extend across an entire organisation and include practical measures such as pre-agreed verification methods, always checking ad-hoc calls and limiting single-person authority paths.
Finance teams can also use zero-trust principles to guide their own day-to-day work. “Assume an instruction is wrong until it has been independently verified, even if it looks like it came from the CFO,” one cyber-risk expert, speaking anonymously, told CA magazine. “For example, if you’ve received an email or WhatsApp asking you to act, verify it through another ‘channel’: call a number you already have for that person, or speak to them in person.
“All unexpected calls, messages or LinkedIn requests should be treated as untrusted. If one individual can move money or sensitive data based on trust alone, that’s a structural weakness.”
That may be one way to combat the growing problem. One thing everyone is agreed on, however, is that leadership must come from the top. “When it comes to annual cybersecurity training, many senior managers opt out because they’re ‘too busy’,” says Mcaree. “CEOs or CFOs often don’t take cybersecurity training as seriously as they should.”
For more resources visit the ICAS cybersecurity hub
Follow the code
Cybersecurity expert and consultant, Bruce McDougall CA, outlines the UK government’s Code of Practice – and why it is fast becoming a cornerstone of good governance
With cyber-attacks escalating, business leaders must manage their risk to protect both the business and their own reputations. The UK government’s Cyber Governance Code of Practice offers a useful means to structure your approach.
The code, published last year, provides a clear course of action to govern your cybersecurity. The evidence it generates could also help defend your position if challenged by third parties following an incident, for example if the data protection authority decides on a fine for a GDPR breach; however, this requires faithfully following the code to avoid ‘compliance theatre’.
To highlight evidence-based governance, the code repeatedly uses the phrase “gain assurance that…”. The key is knowing the evidence to ask for and how to challenge it, rather than allowing IT and others to decide.
You are not expected to be an expert, but you must understand the fundamentals and the business impact to manage the risks, and the code requires you to “undertake training to improve your own cyber literacy”. In my experience, this helps you avoid developing the same blind spots as your control providers.
Overview
The Cyber Governance Code of Practice’s action list is structured around five ‘principles’:
• Risk management: This is incorporating cyber-risk, including supply chain risk, into your wider risk management. I recommend assessing your security across people, operations and technology, because that is what attackers are doing. Remember that supply chain risks are upstream and downstream, for example clicking on a OneDrive link in an email from a customer whose systems have been compromised.
• Strategy: This includes aligning and embedding your cyber-strategy into your wider business strategy.
• People: Research shows that up to 90% of cyber-incidents involve people, so the code requires business leaders to “promote a cybersecurity culture” at all levels.
• Incident planning, response and recovery: This is an impactful principle. Recently, the government urged all organisations to rehearse responding to a cyber-attack, including one involving the loss of all your computer systems. There is no point rehearsing a scenario designed by IT to showcase everything running smoothly – better a rehearsal led by an impartial expert to take everyone into ‘what if’ scenarios that can help flush out incorrect assumptions.
• Assurance and oversight: The code requires leadership to review cyber metrics on a quarterly basis; it is unusual in prescribing a frequency, although this aligns with leading practice. As above, the leadership should determine the metrics based on impartial expert advice, and from experience it can take months to achieve a robust dashboard of reliable data.
Other regulations and frameworks
The code supports other established frameworks for cybersecurity, such as the National Institute of Standards and Technology Cybersecurity Framework (also known as NIST CSF) that underpins regulations in various countries and sectors. It can also help fulfil requirements for governance, such as the UK financial services Senior Managers and Certification Regime.
I would encourage you to include discussion of all this at your next board meeting to enhance your governance framework. For many, this is a journey, and proportionality is important, so committing to the code and how it will be followed over time is an ideal starting point.
Lastly, I would also advise including objective specialist support and upskilling to enhance your cybersecurity governance.
Bruce McDougall CA is the Cyber Risk, Governance and Compliance Lead at cyber consultant and information security specialist blackarrowcyber.com
