This page translates real, active cyber threat intelligence into plain English for UK business owners. No acronyms. No jargon. Just what you need to know and what you should do about it.
Last updated: 23 June 2026 · Week 26 / 2026 · Next update: 30 June 2026
Every week we assess the overall risk level for UK small businesses in financial services — insurance brokers, financial advisers, mortgage intermediaries, and professional services firms. This is based on real intelligence from the UK's National Cyber Security Centre (NCSC), US cyber agencies, and industry reporting.
Seven criminal and state-sponsored groups are currently running active operations targeting UK businesses in your sector. Attacks involving fake payment requests, account takeover, and ransomware are all running at higher-than-normal frequency. This does not mean an attack on your specific business is imminent — but it does mean your defences are more likely to be tested than they would be in a quieter period.
Each week we identify the single highest-risk attack technique that is seeing a spike in use against UK businesses. This week:
The UK's National Cyber Security Centre issued a specific alert this week about an active global campaign targeting Fortinet firewall and VPN equipment — the kind of devices that sit at the edge of business networks and control who can connect remotely.
A dataset known as "FortiBleed" contains administrator usernames and passwords for nearly 74,000 Fortinet devices across 194 countries. Security researchers believe many of these credentials are still valid — meaning attackers may already have the keys to affected networks without needing to exploit any new vulnerability. They simply log in.
The attack works like this: criminals have built up huge databases of usernames and passwords from previous breaches, malware infections, and automated scanning. They then systematically try these credentials against every Fortinet device they can find on the internet. If your VPN or firewall uses a password that has ever appeared in a breach — or hasn't been changed in a long time — it may be in that database.
There is an additional technical wrinkle that makes patching alone insufficient. Fortinet's newer software uses a stronger method to store passwords, but older passwords stored on the device do not automatically upgrade to the new format. They remain in the weaker format until someone logs in and resets them. This means a fully patched, up-to-date device can still be carrying a vulnerable password hash that criminals can crack.
If your business uses Fortinet equipment — this is not a "deal with it next week" situation.
These are confirmed, active criminal and state-sponsored groups currently running operations against UK financial services businesses. They are not hypothetical — these groups have successfully attacked businesses similar to yours in recent months.
This group specialises in one thing: intercepting payments. They break into a business email account — usually by phishing someone's password — then quietly read emails for days or weeks, learning how the business operates. When they see a payment being arranged — a solicitor's invoice, a supplier payment, a client refund — they step in at the right moment and change the bank account details to their own. The money lands in their account, not the intended recipient's. By the time anyone notices, it's gone.
Insurance brokers and financial services firms are their primary target because they handle client money, arrange regular payments, and deal with solicitors and other third parties who are also being impersonated.
LockBit is not a single group — it's a criminal franchise. The developers build and maintain the ransomware software, then rent it out to dozens of "affiliate" attackers who do the actual breaking-in. The affiliates keep most of the ransom money; LockBit takes a cut.
Ransomware means your files get encrypted — locked with a code only the attacker knows — and you cannot access anything: client records, accounts, emails, documents. You're handed a ransom demand, typically between £20,000 and £150,000, with a countdown timer. Pay, and you might get your files back. Don't pay, and your data may be published publicly.
SMEs are actively preferred targets because they typically have weaker defences than large corporations, but still have money and data worth holding to ransom.
Scattered Spider are unusually effective because they don't rely heavily on technical hacking — they manipulate people. They are known to call IT helpdesks pretending to be a staff member who has been locked out, convincing support teams to reset passwords and bypass security checks. They also use SIM swapping — convincing a mobile network to transfer someone's phone number to a SIM card they control, giving them access to SMS-based login codes.
Once they have account access, they move quickly to steal data, set up persistent access, and often deploy ransomware from other groups as a final step.
Similar to LockBit but with an additional pressure tactic — before encrypting your files, they first steal a copy of your data. This means even if you have backups and refuse to pay the ransom, they threaten to publish your client data, financial records, or confidential communications publicly unless you pay.
They target professional services firms specifically because client confidentiality is a regulatory requirement — making the threat of publication particularly damaging.
This group works for Russian foreign intelligence (SVR). They are sophisticated, patient, and specifically interested in financial sector data — transaction information, client lists, business communications, and anything that gives Russia economic intelligence about UK businesses and their clients.
They typically enter through carefully crafted phishing emails that look completely legitimate, then sit quietly inside a network for weeks or months gathering information before they're detected — if they're ever detected at all. The goal is intelligence gathering, not financial theft.
Linked to Iran's Ministry of Intelligence, MuddyWater targets professional services and financial firms primarily through phishing emails and by exploiting known security weaknesses in popular business software. Their goals are a mix of intelligence gathering and causing disruption to UK and Western business operations.
Linked to China's Ministry of State Security. APT40 focuses on stealing financial data and business intelligence. They primarily get in through unpatched software on internet-facing systems — VPNs, firewalls, and web applications that haven't been updated. Once in, they move systematically through the network looking for valuable data.
Most people imagine a cyber attack as a sudden dramatic event — a hacker hammering at a keyboard and then everything goes dark. The reality is more like a quiet burglary. Here is what actually happens, step by step, in most attacks on businesses like yours.
Attackers don't usually "break in" dramatically — they find something that's already open. The three most common entry points are: a phishing email that tricks someone into entering their password on a fake website; software on your systems that hasn't been updated and has a known security hole; or a password that was stolen in a previous data breach somewhere else and is still being used.
Once in, most attackers don't immediately do anything visible. They explore — looking at what files exist, what systems are connected, who has what level of access, and what data is valuable. They may try to gain higher levels of access — moving from a junior staff member's account towards an administrator account that can access everything. This phase can last days, weeks, or even months.
Many attackers create a secondary way back in — a hidden account, a remote access tool, or a piece of software that gives them a persistent foothold. This means that even if you change the password that was compromised, they may still have access. It's the equivalent of a burglar making a copy of your key before leaving.
The final stage depends on who the attacker is and what they want. Criminal groups typically either deploy ransomware (locking you out of everything and demanding payment), commit financial fraud (intercepting payments or making fraudulent transactions), or steal and sell your data. State-sponsored groups usually take data quietly without ever revealing they were there.
Understanding the attacker's goal helps you understand what you're protecting against. These are the three primary outcomes attackers are working towards when they target UK financial services SMEs.
All your files, emails, and systems are encrypted. You cannot access anything. A ransom demand arrives — typically between £20,000 and £150,000 — with a deadline. Even if you pay, recovery is not guaranteed. Even if you have backups, restoring everything takes weeks.
An attacker with access to your email intercepts a payment at the right moment, swapping legitimate bank details for their own. The money arrives in their account. Bank reversals succeed in fewer than 40% of cases. This is the number one financial loss vector for UK financial services SMEs.
Client records, financial data, confidential communications, and personal information are copied and taken. The attacker either sells this data, uses it for further fraud, or threatens to publish it unless you pay. Publishing client data may trigger ICO investigation and FCA scrutiny.
No security provider covers everything — and we think it's important to be honest about that. Here is a plain English summary of what the GET-IT stack addresses, where it partially helps, and where there are genuine gaps that we would want to discuss with you.
MITRE-Lite draws on three public intelligence sources, all updated regularly by government cybersecurity agencies. We filter and translate them so you don't have to read them yourself.
Based on the current threat picture, these are the three highest-value actions for a UK financial services business right now. You do not need a technical background to do any of them.
This is the most time-sensitive action in any MITRE-Lite edition to date. If your business uses a Fortinet FortiGate firewall, a Fortinet VPN, or any Fortinet network security product, your IT provider needs to know about the FortiBleed campaign and the NCSC alert issued 18 June 2026. Ask them specifically: have all administrator and user passwords been reset since this alert? Has multi-factor authentication been enabled on the management interface and VPN? Is the management interface restricted so it cannot be accessed from the open internet? These are not difficult fixes — but they will not happen automatically, and they will not happen from patching alone. The credential reset is the step that matters most and the one most likely to be skipped.
Why now: NCSC issued a formal alert on 18 June 2026. The campaign is active and ongoing. Valid credentials from this dataset may already be in use by attackers on affected networks.
FortiBleed is a credential reuse attack, which means it relies on passwords that appear in old breach databases or have not been changed in a long time. Even if your business does not use Fortinet equipment, this is a useful prompt. When did your staff last change their VPN passwords? Are any of those passwords reused from personal accounts or other work systems? Have you had any staff changes in the past year where access was not properly revoked? A quick audit of who has remote access to your systems, what credentials they use, and when those credentials were last rotated is a worthwhile hour of work this week — regardless of which VPN or firewall product you use.
Why now: Credential reuse is the mechanism behind the majority of network perimeter breaches. FortiBleed is a high-profile example of an attack that requires no technical sophistication — just a valid username and password.
If your business uses multi-factor authentication — sometimes called MFA or two-step verification — on your VPN, email, and remote access systems, a stolen password alone is not enough for an attacker to get in. They also need the second factor: the code from an app, a text message, or a hardware token. Multi-factor authentication would not prevent credentials from appearing in a database like FortiBleed, but it would stop those credentials from being used to access your network. If MFA is not enabled on your VPN or remote access system, that is the single most impactful security improvement your business can make this week. Ask your IT provider to enable it. If they say it is too complex or too disruptive, ask them to explain why — the answer will tell you something important about your current security posture.
Why now: The FortiBleed campaign succeeds because credentials alone are sufficient to log in. MFA removes that single point of failure entirely.
A GET-IT resilience scan maps your current defences against the active threat techniques on this page and tells you exactly where your gaps are — in plain English, with costs to fix them.
Book a Free Resilience Scan → View Technical Version