You don’t have to be a large company or work in a specific industry to face a cyber threat — everyone is a target.
“It doesn’t matter what kind of business you are,” says Paige Yeater, chief operating officer and chief information security officer at Mainstay Technologies in Manchester. “You have employees, which means that you have names, dates of birth. You have information that has value associated with it, and as a result, you’re potentially vulnerable.”
Cyber threats via phishing emails from criminals seeking to extract that sensitive information are becoming more sophisticated and commonplace.
Last year, 61 of 63 cyber incidents reported to the New Hampshire Public Risk Management Exchange began with a phishing email that compromised usernames and passcodes, according to the 2025 New Hampshire Cyber Threat Assessment.
“Identity-based attacks are expected to remain the primary method of attack against New Hampshire public and private sector organizations, as well as the state’s residents and businesses in 2025,” says the report, prepared by the Department of Information Technology at the Office of the Chief Information Security Officer.
As generative AI becomes more sophisticated, other threats New Hampshire-based IT officials might see from cybercriminal organizations include grifting, data breaches, ransomware attacks, text message links, and Business Email Compromise schemes, the report says.
Such email schemes use generative AI to trick employees into providing sensitive information, according to the report.
The threat actors then monitor the company’s communications, conduct wire fraud, create fake invoices and more, for financial gain. They also use generative AI to create deepfake voices and video technology to “impersonate” executive leaders, increasing the chance that the recipient will take the email as authentic.
Yeater agrees the biggest threat to New Hampshire businesses is email schemes.
“We are seeing a huge uptick over the last couple of years of individuals who are clicking on links, who are falling for these trick emails,” she says. “They’re getting emails from somebody that they expect to get an email from.”
It’s no longer a question of “hacking” into someone’s account; they’re simply logging in as “you.”
“They’re not even having to work at it,” Yeater says.
Once people provide the threat actor with sensitive information, the actor can log in as “you,” and perform fraudulent acts, like diverting the payment for an invoice to a different account.
“(The victim) makes the payment — they just make it to the wrong bank account, and then the threat actor has now committed fraud and has all of the money,” she says.
Yeater mentioned the fraud scam that targeted the town of Peterborough in 2021; about $2.3 million was stolen in the attack. She says the threat actor simply found a gap in Peterborough’s system and exploited it.
But placing blame on a business doesn’t help anyone.
“They’re certainly not the only municipality in the country that this has happened to. This is why understanding how these attacks are happening, and having that security posture in place, (can help),” Yeater says.
Fraudsters exploit weakness
Threat actors also target a person’s vulnerabilities and stress levels, Yeater says.
She gave the example of an accountant working long hours who is “buried under deadlines and is working at a pace that’s not sustainable,” like during tax season.
“Threat actors take advantage of the situation. They know that all accountants are under stress between Jan. 31 and April 31, right? So they’re an easy target,” she says.
No matter the business or profession, threat actors can create panic in the simplest of ways through email fraud.
“They take advantage of the stress. They create situations where you’ll get an email where they’re like, ‘You’re gonna get locked out of your account. We are gonna shut down your credit card. We are gonna disable your bank access.’ They want to create that sense of panic for you. Because when we’re panicked, we’re not logical. (We) don’t make good choices. And that’s all because we’re human,” Yeater says.
But there are ways to protect your company.
Yeater suggests hovering over any and all links in an email to read a web address without clicking on it. If the address says something like “dropbox.freezeout.com,” for example, and not Dropbox.com, then you know something is off.
Yeater says people may have to rein in their curiosity a little bit.
“That’s where we have to stop ourselves and be like, ‘Hold on. This doesn’t feel right,’” Yeater says.
So rather than emailing the sender back to ask, “Is this really you?” it’s best to call them directly to confirm that the email is legitimate.
Fraudsters are increasingly turning to text messages to create that kind of panic. A “smishing” scam targeting New Hampshire E-Z Pass users threatened potential legal action if the recipient did not pay an overdue toll bill.
“Recipients should never respond to these messages and should never click any links embedded in the message,” said a release issued in February by state Attorney General John M. Formella.
Know your strategy
Understanding what security measures a company already has in its IT department is critical, Yeater says.
“And that’s a piece that we see that gets missed a lot,” she says.
“(Businesses) need clear guidance. They need to understand: What is the information that they have? Then we can figure out a strategy for how to protect it. That’s really the foundation of what we do,” she says.
Mainstay Technologies, a managed service provider, and its cybersecurity consultants work with client businesses as an “information security team” to provide protection and resources as fail-safes to limit a company’s risk.
Yeater says Mainstay uses a “defense in-depth strategy,” a multilayered security approach that monitors for strange behaviors or malicious code, while firewalls can block traffic from global threats. Mainstay also protects a company’s sensitive email by enhancing the security of its G Suite of apps, including Gmail and Google Docs, to block outside actors.
But it’s more than just hiring someone to add security layers to your IT department’s arsenal.
“It’s a strategy, it’s an approach. It needs to be part of the fiber of how these organizations are functioning,” Yeater says.
The Department of Information Technology’s threat assessment says businesses suspecting a cyberattack should contact the New Hampshire Public Risk Management Exchange to open a claim. Public sector entities that aren’t members of PRIMEX should contact the New Hampshire Department of Safety’s Information and Analysis Center, or nhiac@dos.nh.gov.