
Aon  |  Professional Services Practice

From Phishing to Deepfakes: Social Engineering Risks are Intensifying for Professional Service Firms

Release Date: April 2026

Responsible for significant amounts of client funds and valuable data, professional service firms are perennial targets for social engineering attacks. Generative AI, deepfakes and increasingly sophisticated business email compromise schemes are enabling criminals to convincingly mimic partners, clients and counterparties, often in the context of live matters and large fund movements. Effective risk management is vital in the face of this evolving risk.

Key Takeaways

  • The social engineering risk environment has fundamentally changed. Attacks now leverage AI, deepfakes and live deal intelligence, making them harder to detect and more likely to involve significant client funds.

  • Professional service firms remain favored targets for social engineering attacks. Firm access to sensitive client financial information and the handling of client funds make them attractive targets for increasingly sophisticated attacks.

  • Understand what insurance responds. Depending on the nature of the attack and the terms of the policies, there is potential coverage in both crime and cyber policies.

The Evolving Threat for Professional Services Firms


Attacks have moved well beyond generic, typo-ridden phishing emails:

  1. Matter-specific fraud. Threat actors study public filings, deal announcements and firm communications to identify active transactions, then alter payment instructions for closings, settlements or large retainers at precisely the moment funds are expected to move.

  2. AI-enabled impersonation. Generative AI tools allow attackers to use the firm’s legal and technical language, to mirror firm style and even recreate past email threads, eroding traditional “red flag” indicators.

  3. Deepfake and multi-channel reinforcement. Email instructions may now be “confirmed” through spoofed domains, messaging platforms or deepfake voice calls purporting to be from partners, CFOs or client contacts, making time-sensitive transfers particularly vulnerable.

For firms that routinely handle escrow, trust, Interest on Lawyers' Trust Accounts, settlement or transaction funds, a single successful incident can lead to multimillion-dollar losses, client claims and reputational damage.


Why Existing Limits May Be Misaligned with Exposure


Many professional services firms assume their crime or cyber policies will “take care of” social engineering losses. In practice:

  • Social engineering is often subject to low sublimits. Crime and cyber policies frequently respond to social engineering or fraudulent instruction only via small sublimits that can be out of step with the dollar value of payments routinely processed by the firm.

  • Client funds may not be fully addressed. Policy language may focus on the firm’s own assets or define covered property narrowly, creating uncertainty around misdirected monies held in trust, escrow, or similar arrangements.

  • Professional liability implications are complex. When client funds are lost, matters can quickly move beyond first-party loss to alleged failure to exercise appropriate professional care, potentially engaging E&O coverage. However, PI policies may only trigger for transfers occurring while rendering professional services. In addition, other PI fraud-related exclusions or other limitations may apply.

Given the scale of funds moving through professional service firms, periodic review of social engineering limits and related terms is increasingly important.


Summary


Social engineering risk faced by professional service firms has changed in both nature and scale, driven by AI, deepfakes and more targeted exploitation of client fund movements.

Firms should be examining this risk in the context of their crime and cyber policies to better align their insurance programs with today’s reality.




Contact


The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this insight, please contact Evan Gidez.

Evan Gidez
Senior Vice President and Executive Director
New Jersey






About Aon

Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.


©2026 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.