Businesses are facing dual challenges from a pickup in cyber attacks and increasingly aggressive state regulators who are growing more sophisticated in enforcement strategies, a new law firm report indicates.
US companies across different industries still struggled with managing vendor risk, securing wire transfers, and mitigating social engineering attacks in 2024, Baker & Hostetler LLP’s report found. The report, released Tuesday and based on the 1,250 incidents the firm worked on for its clients last year, warned that as attack methods continue to evolve, businesses will also have to face regulators better prepared to enforce security laws going forward.
“They’re more resourced. They have bigger offices. They’ve hired more people. They’ve had settlements that fund the ability to grow their office. They’ve had more experience,” said Craig A. Hoffman, partner and digital risk advisor at Baker & Hostetler. “It’s definitely a different game.”
Industry Breakdown
The health-care industry emerged as the sector most affected by security incidents in 2024, the firm found. The February 2024 hack against
But it’s not necessarily because of inadequate cybersecurity processes or even a deliberate target by bad actors that the industry sits at the top of the list, Hoffman said.
Health-care entities are subject to stringent incident disclosure requirements, including under the Health Insurance Portability and Accountability Act, compared to other industries, which means they report incidents that involve as few as one individual.
“They have more of a process to detect, analyze, and provide notice. So they can be small incidents, like one nurse looked at the chart of a patient she shouldn’t have looked at,” Hoffman said, which creates more scenarios that qualify as incidents.
The definition of personal health information under HIPAA is also broad, he said, compared to data in scope in other businesses.
Businesses across industries and of all sizes—from local water utilities to well-known multinational corporations—get attacked by cyber criminals every year.
“As long as you are connected to the internet, you’re at risk,” Hoffman said. Attackers search for vulnerabilities online, and “wherever they find and land—that’s who they attack.”
Phishing 2.0
Even organizations with the most sophisticated data protection systems were breached through phishing attacks—a technique in which cyber criminals attempt to trick employees into sharing credentials, usernames, or passwords.
“They’re changing their tactics to get access credentials. It’s not always about click on this file which downloads malware, because a lot of companies have tools on their systems that block that,” Hoffman said.
Emerging types of social engineering show that attackers have adapted to companies’ defenses, the report found. Bad actors have started to embed malicious QR codes in emails and other documents, for example, a practice known as quishing, or to use phone calls featuring AI-generated voices to trick employees into divulging credentials, sensitive information, or wire funds.
Wire Fraud Spike
Some of those techniques were behind the exponential surge in fraudulent fund transfers in 2024, the law firm found.
The total amount of fraudulent transfers jumped from $35 million in 2023 to $109 million in 2024—signaling a growing vulnerability for many companies in 2025.
“You usually don’t see big spikes like this with some issue that’s been around for a long time,” Hoffman said. But the fraudulent transfers occur because companies aren’t aware of the risk or of cybercriminals’ evolving tactics.
“They’re really good at orchestrating how to play all the parties off of each other to really convince whoever’s making the wire to send it to them,” Hoffman said, “They’ve gotten really good at their tradecraft.”
In response, organizations will have to re-examine their authentication mechanisms and add two-step verification if needed. It will also require awareness across corporate departments, not just within the IT and cyber teams.
Vendor Management
Vendors were the source of 27% of security incident matters handled by the firm in 2024. Incidents like the Change Healthcare breach, which paralyzed much of the US health-care system, highlighted the interconnected relationship between vendors.
Baker & Hostetler, for example, represented 125 businesses in relation to the Change Healthcare breach.
“I put that in the very hard bucket,” Hoffman said. Even supply-chain vendor management programs with diligence pre-procurement, contractual requirements, and oversight after adoption can be “hard to execute.”
Some vendors don’t always tailor their terms to clients. Marketing teams may buy new tools before going through security-approved procurement, or decades-old agreements with suppliers may fall through the cracks.
While the spike in vendor-caused incidents has led some organizations to get “a little more rigid” with vendors, Hoffman said, many continue to tap more suppliers, growing their supply-chain, and risk in doing so.
No AI?
A buzzword that was less prevalent in the firm’s cybersecurity portion of the report is AI. Last year’s incidents showed that while some attackers have tapped into easily accessible AI tools to help write phishing emails or translate text more easily and accurately, they aren’t yet deploying artificial intelligence in a meaningful way as part of their attack strategy.
“What they’ve been doing still works, so they haven’t really needed help from AI,” Hoffman said.
Instead, the technology has been more prevalent among potential targets using behavior-based tools that can recognize patterns and flag bad activity.
“I think on the defense side we probably see it used more than on the offense side,” he added.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.