
Updated weekly

Security Briefing for Small Businesses

Current cyber threats affecting law firms, accounting firms, construction companies, real estate, and growing businesses. Plain-English summaries with steps you can take now.

Last updated June 18, 2026

This page tracks the cyber threats most relevant to small businesses with 10 to 75 employees. It is updated weekly with findings from active threat monitoring, industry advisories, and patterns Tecnico Desk sees across the businesses we work with.

Each entry is written in plain English with specific steps your team can take. If something here applies to your business and you are not sure where you stand, a Security Fit Call is the fastest way to get a clear answer.

Active threats this week

High | Business email compromise

AI-generated payment redirect emails targeting accounting and construction

Attackers are using AI to write convincing payment-change requests that impersonate vendors, subcontractors, and clients. The emails are grammatically clean, reference real invoice numbers or project names scraped from public records, and come from lookalike domains. Construction companies and accounting firms handling large wire transfers are the primary targets.

Industries affected: Construction, accounting, real estate, professional services

What to do:

  • Verify every payment-change request by calling a known number, not the number in the email.
  • Set a policy that no bank details are updated over email alone.
  • Enable DMARC on your domain so attackers cannot spoof your address to your own clients.
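A check that a mail filter or an accounts-payable workflow could run on the sender of a payment-change request, to catch the lookalike domains described above. This is an added example, not Tecnico Desk's code; the vendor domains, the character-swap table, and the distance threshold are assumptions.

```python
# Flag sender domains that imitate a known vendor domain.
# KNOWN_VENDORS holds constructed placeholder domains; replace with your own list.
from typing import Optional, Tuple

KNOWN_VENDORS = {"acme-concrete.example", "summitcpa.example"}

# Character swaps commonly used to make a domain look right at a glance (assumed set).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse look-alike characters."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("known" | "lookalike" | "unknown", matched or imitated vendor)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in KNOWN_VENDORS:
        return "known", domain
    for vendor in sorted(KNOWN_VENDORS):
        same_skeleton = skeleton(domain) == skeleton(vendor)
        if same_skeleton or edit_distance(domain, vendor) <= max_distance:
            return "lookalike", vendor
    return "unknown", None
```

A "known" result only means the domain matches the list; a compromised vendor mailbox still passes, which is why the call-back to a known number stays in place.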
High | Credential theft

Microsoft 365 token theft bypassing MFA

Adversary-in-the-middle phishing kits intercept the authentication session after a user enters their password and MFA code. The attacker captures the session token and uses it to access the mailbox without triggering another MFA prompt. This technique bypasses standard MFA and has been used against law firms and financial services companies.

Industries affected: Law firms, financial services, all Microsoft 365 users

What to do:

  • Enable Conditional Access policies that restrict sign-ins to managed devices or trusted locations (requires Microsoft 365 Business Premium or Entra ID P1).
  • Deploy phishing-resistant MFA (passkeys or FIDO2 keys) for administrator and high-value accounts.
  • Monitor sign-in logs for logins from unusual locations or impossible-travel patterns.
  • Review your Microsoft 365 security settings if you have not done so recently.
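One way to implement the impossible-travel check from the list above over exported sign-in records. This is an added example, not Tecnico Desk's code; the records are constructed, and the speed ceiling and minimum distance are assumptions to tune.

```python
# Flag "impossible travel": two sign-ins by one user whose locations are too
# far apart to cover in the time between them. Records are constructed samples;
# real ones come from your identity provider's sign-in log export.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed ceiling: roughly airliner cruising speed

SIGNINS = [  # (user, UTC timestamp, latitude, longitude, label) - constructed
    ("pat@firm.example", "2026-06-15T14:02:00", 39.74, -104.99, "Denver"),
    ("pat@firm.example", "2026-06-15T14:40:00", 39.73, -105.00, "Denver"),
    ("pat@firm.example", "2026-06-15T15:10:00", 52.37, 4.90, "Amsterdam"),
    ("lee@firm.example", "2026-06-15T09:00:00", 39.74, -104.99, "Denver"),
    ("lee@firm.example", "2026-06-16T09:30:00", 40.71, -74.01, "New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_KMH, min_km=100):
    """Return (user, from_label, to_label, km, hours) for suspicious pairs."""
    alerts, last_seen = [], {}
    for user, ts, lat, lon, label in sorted(signins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            p_when, p_lat, p_lon, p_label = last_seen[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # min_km ignores IP-geolocation jitter inside one metro area; the
            # speed test also catches far-apart sign-ins at the same instant.
            if km >= min_km and km > max_kmh * hours:
                alerts.append((user, p_label, label, round(km), round(hours, 2)))
        last_seen[user] = (when, lat, lon, label)
    return alerts
```

VPN exits and mobile carriers can place a legitimate user far from where they are, so treat a hit as a reason to review the session rather than as proof of token theft.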
High | Ransomware

Ransomware groups targeting law firms for client-data extortion

Ransomware operators increasingly target law firms specifically because the data they hold is privileged and time-sensitive. The threat is not just encryption but publication: attackers threaten to release client files unless paid. Small firms are disproportionately vulnerable because they hold high-value data but typically lack dedicated security staff.

Industries affected: Law firms, accounting firms, financial services

What to do:

  • Maintain tested, offsite backups that are isolated from your main network. Confirm you can actually restore from them.
  • Restrict administrative access: no daily user account should have admin privileges.
  • Enable endpoint detection and response on every device, not just antivirus.
  • Review your cyber insurance readiness to make sure your coverage and controls are aligned.

Medium | Data exposure

Overshared SharePoint and Google Drive links leaking sensitive files

Many small businesses have SharePoint sites or Google Shared Drives with "anyone with the link" permissions set months or years ago. These links are sometimes indexed by search engines or found through leaked URLs. We routinely find client contracts, financial statements, and employee records exposed this way during security reviews.

Industries affected: All industries, especially firms that share files with external clients

What to do:

  • Audit external sharing settings in SharePoint and OneDrive or Google Drive.
  • Disable anonymous sharing links by default. Require sign-in for external access.
  • Review existing shared links and revoke any that are no longer needed.

Medium | Account takeover

Former employee accounts used to access business systems

When an employee leaves and their accounts remain active, the risk is not hypothetical. We see it in nearly every security review: former staff with active Microsoft 365 mailboxes, VPN access, or cloud app logins. In some cases, departing employees have forwarded company email to personal accounts for weeks after leaving.

Industries affected: All industries, remote and hybrid businesses especially

What to do:

  • Disable accounts same-day on departure. Do not wait for IT to "get around to it."
  • Revoke active sessions and app passwords, not just the login.
  • Check for mail forwarding rules set before departure.
  • See our employee offboarding security guide for a full checklist.
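The offboarding checks above, run as a cross-check of an HR departure list against an account export. This is an added example, not Tecnico Desk's code; every record is constructed and the field names are assumptions, not a real Microsoft 365 or Google Workspace export format.

```python
# Cross-check an HR departure list against an account export to find accounts
# that outlived their owner. All records are constructed; field names are
# assumptions, not a real Microsoft 365 or Google Workspace export format.
from datetime import date

COMPANY_DOMAIN = "firm.example"  # placeholder

DEPARTURES = {
    "sam@firm.example": date(2026, 5, 29),
    "ana@firm.example": date(2026, 6, 5),
}

ACCOUNTS = [
    {"user": "sam@firm.example", "enabled": True, "last_sign_in": date(2026, 6, 10),
     "forward_to": "sam.personal@mail.example", "active_sessions": 2},
    {"user": "ana@firm.example", "enabled": False, "last_sign_in": date(2026, 6, 4),
     "forward_to": None, "active_sessions": 1},
    {"user": "kim@firm.example", "enabled": True, "last_sign_in": date(2026, 6, 17),
     "forward_to": None, "active_sessions": 3},
]


def offboarding_gaps(accounts, departures, company_domain=COMPANY_DOMAIN):
    """Return {user: [gap, ...]} for departed staff whose access is not closed."""
    report = {}
    for acct in accounts:
        left_on = departures.get(acct["user"])
        if left_on is None:
            continue  # current employee, out of scope here
        gaps = []
        if acct["enabled"]:
            gaps.append("account still enabled")
        if acct["last_sign_in"] and acct["last_sign_in"] > left_on:
            gaps.append("sign-in after departure date")
        if acct["active_sessions"]:
            gaps.append("sessions not revoked")
        fwd = acct["forward_to"]
        if fwd and not fwd.lower().endswith("@" + company_domain):
            gaps.append("mail forwarded to external address")
        if gaps:
            report[acct["user"]] = gaps
    return report
```

The second constructed account shows the case the checklist calls out: the login is disabled, but a session opened before departure is still live.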

Industry watch

Law firms

Bar associations in multiple states are tightening expectations around client data protection. Firms should be prepared to demonstrate specific controls including MFA, email encryption for sensitive communications, and documented access policies. A security review now is easier than responding to a bar inquiry later.

Accounting and CPA firms

The FTC Safeguards Rule requires tax preparers and financial service providers to maintain a written security program. Enforcement is active. If your firm has not documented its security controls and designated a qualified individual to oversee them, this is a compliance gap, not just a security gap. See our IT support for accounting firms page for context.

Construction and trades

Wire fraud and fake invoice scams remain the top threat. The Denver metro area is an active construction market, and the volume of electronic payments between GCs, subs, and suppliers creates daily opportunities for attackers. Payment verification procedures are the single most impactful control a construction company can put in place.

Real estate

Wire fraud at closing is still the most damaging attack in real estate. Attackers monitor email threads between agents, title companies, and buyers, then send convincing wire instructions from a spoofed or compromised account at the exact right moment. DMARC, verified wire procedures, and MFA on every email account are non-negotiable.
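DMARC is recommended both here and in the payment-redirect entry above, but a record only blocks spoofing once its policy is enforcing. The following added example (not Tecnico Desk's code) evaluates the TXT value published at `_dmarc.<your-domain>`; the sample records in its checks are constructed.

```python
# Evaluate a DMARC TXT record (the value published at _dmarc.<your-domain>).
# Look up your real record with any DNS tool and pass the string in.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record) -> list:
    """Return weaknesses in a DMARC record; an empty list means the policy is
    enforcing for the domain and its subdomains and reports are requested."""
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no DMARC policy"]
    findings = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif not enforcing:
        findings.append("missing or invalid p= tag: no enforcement")
    # sp= overrides the policy for subdomains; it inherits p= when absent.
    if enforcing and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if enforcing and (not pct.isdigit() or int(pct) < 100):
        findings.append("pct=" + pct + ": policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings
```

Move to `quarantine` or `reject` only after the aggregate reports show your own mail passing SPF or DKIM in alignment. DMARC protects your exact domain and does nothing about lookalike domains.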

Remote and distributed businesses

Without a central office network, identity is the perimeter. Every access decision depends on who is logging in and from what device. Businesses with remote teams need stronger identity controls, managed devices or at minimum device compliance policies, and clear offboarding procedures that account for personal devices and home networks.

One thing to check this week

Check your external sharing. Open your Microsoft 365 admin center or Google Workspace admin console and look at your sharing settings. If anonymous or "anyone with the link" sharing is enabled by default, change it to "specific people" or "people in your organization." Then review your active shared links and revoke any that should not be open. This takes 10 minutes and closes one of the most common gaps we find.

Frequently asked questions

How often is this security briefing updated?

This page is updated weekly with the most relevant threats affecting small businesses, with a focus on law firms, accounting firms, construction companies, real estate, and professional services in the Denver metro area and nationwide.

What should I do if a threat here applies to my business?

Each threat entry includes specific steps you can take. If you are unsure whether your business is exposed, book a Security Fit Call for a quick assessment of your environment.

Are these threats specific to Denver businesses?

Most cyber threats are not location-specific, but some targeting patterns like wire fraud in real estate and construction are more common in active markets like Denver. This briefing covers threats relevant to small businesses nationwide, with notes on local relevance where applicable.

Can Tecnico Desk fix these issues for my business?

Yes. Every threat listed here maps directly to controls Tecnico Desk implements for clients: MFA hardening, email security, backup verification, sharing audits, offboarding procedures, and endpoint protection. A Tecnico Ready security review identifies which gaps apply to your specific environment.

Not sure if these threats apply to you?

Book a Security Fit Call. We will tell you exactly where your business stands and what to fix first.