August 2025
The 2025 Certainty Project

Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms

Social engineering attacks are a growing problem for middle-market companies. Nearly half experienced fake invoice scams in the last year, with phishing and ransomware attacks also common. Third-party vendors and other outside partners often play the role of unwitting accomplice after themselves being compromised.


    Just last week, Google released a statement that its Threat Intelligence Group—the tech giant’s elite security unit—had discovered a massive security breach. A group known as ShinyHunters contacted employees by phone and tricked them into granting access to a malicious app within a third-party platform used by Google. It was a textbook case of a social engineering threat that enabled the hackers to steal customer information.

    If it can happen at Google, a company with an elite threat intelligence team in-house, it can happen anywhere. For that reason, middle-market firms are coming to grips with the growing danger of such attacks. Social engineering threats involve manipulating people by exploiting trust, fear or urgency. For example, fraudsters could impersonate a familiar vendor to trick an employee into paying a bogus invoice. In other cases, hackers aim to seize sensitive data or systems in order to extort the victim—think ransomware or blackmail.

    Very often, hackers use social engineering to breach third-party vendors or suppliers as the first step in an attack. By doing so, they can initiate malicious contact with target companies using the friendly front of a trusted partner, for example, by emailing urgent payment requests from a stolen email account. Compromised third parties can also open software or infrastructure backdoors into systems at an otherwise well-protected target company.

    The Social Engineering Payments Threat

    PYMNTS Intelligence’s latest research zooms in on social engineering in the context of payments. The head of payments at nearly every middle-market firm we surveyed—defined as having annual revenue between $100 million and $1 billion—reported at least one incident in the last 12 months. Fake invoice scams, phishing and ransomware were the most common types of attacks, and they typically involved a compromised third-party partner.

    These are just some of the findings detailed in “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms,” a PYMNTS Intelligence report. It draws on insights from a survey of 60 heads of payments from U.S. companies generating annual revenue between $100 million and $1 billion fielded from June 12, 2025, to June 26, 2025.

    The Uncertainty Factor

    The 2025 Certainty Project divides middle-market firms into low-, medium- and high-uncertainty groups based on responses from the executives we survey. These classifications reflect the level of operating certainty as indicated by respondents’ commercial and economic outlooks. In June, the share of high-uncertainty firms fell for the second straight month, reversing the spike seen in April, when the tariff shock arrived in full force.

    The Social Engineering Threat

    Nearly nine in 10 middle-market firms express concerns about social engineering attacks targeting payments.

    The survey found widespread fears about social engineering targeting payments, with 87% of mid-market firms at least somewhat concerned. Many have endured incidents like the recent ransomware attack on U.K. retail giant Marks & Spencer. The breach shut down online sales and disrupted logistics, leading to an estimated GBP 300 million ($403 million) loss in operating profits.

    High-uncertainty firms face the greatest pressure: Three in four companies indicate that they are very or extremely concerned about payments-targeted social engineering attacks. Smaller companies in the $100 million to $400 million annual revenue range are also much more likely than average, at 61%, to have heightened fears. Firms that focus on goods are much more likely than those concentrated in services to be highly concerned, at 62% and 37%, respectively. This likely reflects the high volume of invoices and transactions typical of firms selling physical goods and the prominent role that vendors and other third parties unwittingly play in many attacks.

    Unwitting Accomplices

    Fake invoice scams, phishing and ransomware are often tied to third-party vendors.

    In today’s highly interconnected economy, companies rely widely and routinely on third parties for necessary goods and services, including sensitive digital infrastructure and software. Every one of those relationships is a potential entry point, because an attacker who compromises the vendor inherits both its access and its trusted identity. Take a concrete example: Hackers impersonating an employee at the target company could ask a payment system provider to reset that employee’s password, giving them access to sensitive data and funds. Or hackers could use phishing—fake emails that purport to be authentic—to get into a vendor’s billing system and send every customer a bogus invoice with fraudulent payment instructions.

    Overall, 97% of mid-market firms report at least one case of social engineering attack or fraud in the last year. The most common tactic is a fake invoice scam, experienced by 47% of firms. Phishing emails impersonating vendors or partners occurred nearly as often, at 42% of firms. Other major incident types include ransomware (25%), impersonation requesting urgent payment (25%) and fraudulent requests to “update” payment information (23%).

    In many of these cases, third-party partners were breached first and became the entry point for the attack. Among firms hit by fake invoice scams, 38% traced the incident to a compromised vendor or supplier; among those reporting phishing emails, 43% said a third-party partner was the source. These findings put the spotlight on the effectiveness of social engineering attacks and the need for anti-fraud controls that scrutinize payment requests even when they appear to come from a familiar partner.
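    The two attack paths described above (a lookalike or spoofed vendor address, and a vendor's genuine mailbox used after it has been compromised) both end with an invoice that asks the buyer to pay a different bank account. The following Python script is an added illustration of the kind of pre-payment control that catches both; it is not PYMNTS code or any vendor's product. The vendor master, the invoices, the flag names and the thresholds are constructed sample data.

```python
"""Pre-payment checks for incoming vendor invoices.

Added illustration for this report; it is not PYMNTS code or any vendor's
product.  The vendor master, the invoices and the flag names are constructed
sample data.  The point is the control: any invoice that changes where money
goes, or that arrives from a domain that merely resembles the vendor's, is
held until someone confirms it by phone with a contact already on file.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed vendor master: the details accounts payable already trusts.
VENDOR_MASTER: Dict[str, dict] = {
    "acme-parts": {"domain": "acme-parts.com",
                   "iban": "GB29NWBK60161331926819",
                   "contacts": {"billing@acme-parts.com"}},
    "northwind": {"domain": "northwind.co.uk",
                  "iban": "GB82WEST12345698765432",
                  "contacts": {"ar@northwind.co.uk"}},
}

# Pressure words typical of "pay this now" social engineering.
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "final notice")


@dataclass
class Invoice:
    vendor_id: str   # which vendor the AP clerk believes sent it
    sender: str      # From: address as received
    iban: str        # payee account printed on the invoice
    amount: float
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, vendor_domain: str) -> bool:
    """True when the sender domain resembles, but is not, the vendor's domain."""
    if sender_domain == vendor_domain:
        return False
    # Undo the usual visual substitutions (rn for m, 0 for o, 1 for l).
    folded = sender_domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return folded == vendor_domain or edit_distance(sender_domain, vendor_domain) <= 2


def check_invoice(inv: Invoice, master: Dict[str, dict] = VENDOR_MASTER) -> List[str]:
    """Return the list of red flags raised by an invoice (empty means clean)."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["unknown-vendor"]
    flags: List[str] = []
    sender = inv.sender.strip().lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if sender not in vendor["contacts"]:
        flags.append("sender-not-on-file")
    if lookalike_domain(sender_domain, vendor["domain"]):
        flags.append("lookalike-domain")
    if inv.iban.replace(" ", "").upper() != vendor["iban"]:
        flags.append("payee-account-changed")
    if any(w in inv.body.lower() for w in URGENCY_WORDS):
        flags.append("urgency-language")
    return flags


def decision(flags: List[str]) -> str:
    """Map flags to an AP action.  A changed payee account is always a hold,
    even when the mail came from the vendor's real mailbox, because a
    compromised mailbox passes every domain and sender check."""
    if {"unknown-vendor", "payee-account-changed", "lookalike-domain"} & set(flags):
        return "HOLD: confirm by phone with the contact on file, not a number in the email"
    return "REVIEW" if flags else "PAY"


# Constructed sample invoices covering the cases described in the text.
SAMPLES = {
    "legitimate": Invoice("acme-parts", "billing@acme-parts.com",
                          "GB29 NWBK 6016 1331 9268 19", 4200.0,
                          "Invoice 1187 attached, net 30."),
    "lookalike": Invoice("acme-parts", "billing@acrne-parts.com",
                         "GB94BARC10201530093459", 4200.0,
                         "URGENT: overdue, please pay today to our new account."),
    "compromised_mailbox": Invoice("northwind", "ar@northwind.co.uk",
                                   "GB33BUKB20201555555555", 9800.0,
                                   "We have changed banks; please update our details."),
}

if __name__ == "__main__":
    for name, inv in SAMPLES.items():
        flags = check_invoice(inv)
        print(f"{name:20s} {flags} -> {decision(flags)}")
```

    The third sample is the one that defeats email-only defenses: the message really did come from the vendor's own mailbox, so no domain or sender check fires, and only the comparison of the payee account against the vendor master stops the payment. The callback must go to a phone number already on file; a number printed in the same email belongs to the attacker.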

    The Cost of Defense

    Smaller firms are paying a higher share of revenue on defending against social engineering threats.

    While social engineering attacks pose a serious threat, middle-market firms have limited resources and must carefully decide how much they can spend on defense. Overall, 57% of the companies surveyed say they spend 1%-2% of their annual revenue combating social engineering attacks, a figure that includes spending on third-party security solutions that also cover other areas of cybersecurity. Another 25% spend 3%-5%, while 13% spend less than 1%.

    Notably, smaller firms tend to spend more than their larger peers. Just over six in 10 of those in the $100 million to $400 million annual revenue range allocate 3% or more of annual revenue, and 9% budget 6%-8%. Among firms in the $400 million to $1 billion range, just 15% spend 3%-5%, and none spends more than 5%.

    The wide range of budget allocations reflects a lack of consensus about how to tackle the problem. This suggests that many mid-market firms may lack confidence in how much they should dedicate to defending against social engineering and other cyber threats. At a minimum, companies should assess whether their social engineering strategy is up to date in light of the rapidly evolving threat landscape.

    Read More

    PYMNTS Intelligence is the leading provider of information on the trends driving middle-market responses to macro-level shifts in trade policies and practices. To stay up to date, subscribe to our newsletters and read our in-depth reports.

    Methodology

    This edition of the 2025 Certainty Project, “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms,” is based on a survey conducted from June 12, 2025, through June 26, 2025. It examines the growing threat of social engineering attacks faced by mid-market firms. The survey collected responses from 60 heads of payments at U.S. companies with annual revenues between $100 million and $1 billion.

    About

    PYMNTS Intelligence is a leading global data and analytics platform that uses proprietary data and methods to provide actionable insights on what’s now and what’s next in payments, commerce and the digital economy. Its team of data scientists includes leading economists, econometricians, survey experts, financial analysts and marketing scientists with deep experience in the application of data to the issues that define the future of the digital transformation of the global economy. This multilingual team has conducted original data collection and analysis in more than three dozen global markets for some of the world’s leading publicly traded and privately held firms.

    The PYMNTS Intelligence team that produced this report:
    Lynnley Browning: Managing Editor
    Yvonni Markaki, PhD: SVP, Data Products
    Daniel Gallucci: Senior Writer
    Ignacio Marquez: Senior Analyst

    We are interested in your feedback on this report. If you have questions or comments, or if you would like to subscribe to this report, please email us at feedback@pymnts.com.

    Disclaimer

    The Certainty Project may be updated periodically. While reasonable efforts are made to keep the content accurate and up to date, PYMNTS MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, REGARDING THE CORRECTNESS, ACCURACY, COMPLETENESS, ADEQUACY, OR RELIABILITY OF OR THE USE OF OR RESULTS THAT MAY BE GENERATED FROM THE USE OF THE INFORMATION OR THAT THE CONTENT WILL SATISFY YOUR REQUIREMENTS OR EXPECTATIONS. THE CONTENT IS PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. YOU EXPRESSLY AGREE THAT YOUR USE OF THE CONTENT IS AT YOUR SOLE RISK. PYMNTS SHALL HAVE NO LIABILITY FOR ANY INTERRUPTIONS IN THE CONTENT THAT IS PROVIDED AND DISCLAIMS ALL WARRANTIES WITH REGARD TO THE CONTENT, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT AND TITLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES, AND, IN SUCH CASES, THE STATED EXCLUSIONS DO NOT APPLY. PYMNTS RESERVES THE RIGHT AND SHOULD NOT BE LIABLE SHOULD IT EXERCISE ITS RIGHT TO MODIFY, INTERRUPT, OR DISCONTINUE THE AVAILABILITY OF THE CONTENT OR ANY COMPONENT OF IT WITH OR WITHOUT NOTICE.

    PYMNTS SHALL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND, IN PARTICULAR, SHALL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE, OR LOSS OF USE, ARISING OUT OF OR RELATED TO THE CONTENT, WHETHER SUCH DAMAGES ARISE IN CONTRACT, NEGLIGENCE, TORT, UNDER STATUTE, IN EQUITY, AT LAW, OR OTHERWISE, EVEN IF PYMNTS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    SOME JURISDICTIONS DO NOT ALLOW FOR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, AND IN SUCH CASES, SOME OF THE ABOVE LIMITATIONS DO NOT APPLY. THE ABOVE DISCLAIMERS AND LIMITATIONS ARE PROVIDED BY PYMNTS AND ITS PARENTS, AFFILIATED AND RELATED COMPANIES, CONTRACTORS, AND SPONSORS, AND EACH OF ITS RESPECTIVE DIRECTORS, OFFICERS, MEMBERS, EMPLOYEES, AGENTS, CONTENT COMPONENT PROVIDERS, LICENSORS, AND ADVISERS.

    Components of the content original to PYMNTS and the compilation produced by PYMNTS are the property of PYMNTS and cannot be reproduced without its prior written permission.