Phishing in M&A: The hidden risk that can derail your deal.
By Cian Fitzpatrick | 9th September 2025
Mergers and acquisitions are always big news. And when two companies come together in a merger or acquisition, there is a list of priorities competing for attention. Leadership teams are rightly consumed with the big-ticket items: valuations, synergies, regulatory sign-off and cultural alignment.
This means that the spotlight shines on balance sheets and strategy decks. However, while all the attention is elsewhere, a quieter threat lurks in the background. And it’s one that can unravel months of negotiation and wipe billions off the table: phishing attacks.
This is way more than the everyday nuisance of junk mail or clumsy spam. When it comes to the M&A context, and the riches that can be pillaged from it, phishing is sharper, more convincing and much more destructive.
Certain conditions are present in every M&A deal: lots of urgency, uncertainty and disruption. These conditions also create the perfect environment for phishing attacks to happen.
A single well-timed email can expose sensitive data, derail integration or even trigger fraudulent transfers.
For boards and C-suites, it’s a grave mistake to believe phishing vulnerability is a “technical issue” to leave to IT. It’s far more accurate to view phishing as a strategic business risk. And manage it accordingly.
M&A deals are laborious, time-intensive processes. Two organisations are seeking to join forces and become one. And there is a prolonged state of flux to achieve this outcome.
Nothing could make a malicious actor happier than this state of affairs, and they exploit it ruthlessly.
Here’s why:
As exciting as an M&A deal may be, it comes with a lot of uncertainty as well. Employees need to get used to a lot of change, from adjusting to new hierarchies to shifting reporting lines. In a climate such as this, an urgent email “from the CEO” or “from HR” looks plausible. Cybercriminals play into that anxiety with a lot of success.
During a deal, documents fly between internal teams, banks, legal advisors, regulators and consultants. Always remember, however, that while confidentiality agreements may be watertight, human behaviour is not. Caution slips under constant time pressure. A phishing email framed as a data-room update or due diligence query can bypass even seasoned professionals.
Unfortunately, restructuring means redundancies. Employees who know they’re leaving may be less vigilant. Others, overwhelmed by uncertainty, may stop paying attention. Either way, both groups become easy targets. And cybercriminals will take the opportunity to target them for sure.
Integration teams are busy consolidating IT platforms, migrating systems and keeping the lights on. That leaves monitoring gaps. Business Email Compromise (BEC), which includes fraudulent payment requests that look legitimate, often succeeds at this stage because finance and legal staff are overwhelmed.
Unlike an internal reorg, M&A is visible. Journalists cover it, analysts speculate and employees gossip. Hackers don’t need inside intelligence; they can scrape the headlines to time their attacks. Make no mistake: a phishing campaign launched the day a deal is announced is no coincidence.
These aren’t theoretical risks. Several high-profile deals have shown how cyber vulnerabilities, including phishing, can shift valuations, stall negotiations or damage reputations:
The lesson for boards is clear: cybersecurity failures, which can arise from something as simple as a phishing email, can materially alter M&A deals.
Here are the key moves that separate resilient deals from vulnerable ones:
Boards demand answers on legal and financial exposure. Cyber must be treated the same way. That means asking for evidence of phishing resilience: incident history, email authentication (SPF, DKIM, DMARC), employee awareness scores and third-party risk posture.
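As an added illustration of what “evidence of email authentication” can look like when a deal team asks for it (example code written for this page, not Topsec’s own tooling), the snippet below grades DMARC records for the domains in a deal perimeter. The domains and TXT records are constructed; in practice they would be fetched from DNS at _dmarc.<domain>.

```python
"""Grade DMARC records as due-diligence evidence of phishing resilience.
Constructed example: records are embedded inline so the check runs offline.
"""

# Constructed sample records for hypothetical deal parties (not real domains).
SAMPLE_RECORDS = {
    "acquirer.example": "v=DMARC1; p=reject; rua=mailto:dmarc@acquirer.example; pct=100",
    "target.example": "v=DMARC1; p=none; pct=50",
    "subsidiary.example": "v=spf1 include:_spf.example.com -all",  # SPF, not DMARC
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags

def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return (grade, findings); grade is 'strong', 'weak' or 'missing'."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["no valid DMARC record (v=DMARC1 tag absent)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only monitored, not blocked")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    # Subdomain policy defaults to p=; an explicit sp=none reopens the gap.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains unprotected despite a strict top-level policy")
    return ("strong" if not findings else "weak"), findings

def due_diligence_report(records: dict[str, str]) -> dict[str, str]:
    """One grade per domain: the summary a board asks for, without the tags."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}
```

A record graded “weak” or “missing” for any domain in scope is a concrete answer to the board’s question, and a far better one than a verbal assurance.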
Phishing thrives on confusion. Leaders should enforce clear, verified channels for sensitive communications: wire transfers, HR updates, legal correspondence. Multi-step verification for high-value transactions should be non-negotiable.
C-suites are prime targets for impersonation. Executives need bespoke training, not a generic 30-minute e-learning module. A CEO forwarding credentials or requesting an urgent payment under pressure is the perfect storm for BEC.
If a phishing breach happens mid-deal, it’s not only an IT problem. It’s a boardroom crisis. Executives should pre-agree a response playbook covering legal, comms and finance, so a breach doesn’t turn into a full-blown reputational disaster.
The real work starts after signing. Retiring old accounts, rationalising permissions and aligning policies must be done with urgency. A “security-first integration” sends the right cultural signal while closing the gaps attackers exploit.
Three metrics boards should watch
Executives don’t need to wade into technical dashboards. Instead, they must demand three simple KPIs that reveal cultural resilience:
High reporting rates, in particular, are a leading indicator of healthy awareness.
Phishing during M&A is a risk that preys on uncertainty and distraction. One convincing email can undo more value than months of financial modeling.
The leaders who succeed in M&A are those who see cybersecurity as a strategic safeguard of deal value. Treat phishing with the same seriousness as financial or legal risk. Doing so protects more than data: it protects reputation, integration success and the very credibility of leadership.
Phishing is one of the simplest yet most damaging risks in mergers and acquisitions. At Topsec, we help leadership teams and boards build resilience with advanced email security, continuous monitoring, and executive-level awareness programmes.
Speak to our team today to safeguard your organisation’s reputation. And the true value of your deal!