Why Plumbing and Other Mobile Professionals Are Prime Targets for Phishing Attacks

Why Plumbing and Other Mobile Professionals Are Prime Targets for Phishing Attacks – and How to Safeguard Your Business

Phishing may seem like a distant threat if you run a plumbing or HVAC business. After all, you’re in a truck, not behind a desk. Yet cyber‑criminals increasingly target mobile service businesses because they handle sensitive customer data, schedule work remotely, and often rely on poorly configured software. In September 2024, security researchers uncovered a wave of attacks that exploited default credentials in FOUNDATION accounting software, a system popular with construction and trade contractors. Attackers brute‑forced the built‑in MS SQL accounts and infiltrated customers in the plumbing, HVAC, and concrete industries. In another incident, the City Plumbing & Electric Supply Co., a major distributor of plumbing and electrical products, had more than 77 GB of sensitive corporate and customer data exposed during a ransomware attack in March 2025. These examples highlight how mobile professionals have become lucrative targets.

The Unique Threat Landscape for Mobile Service Businesses

Field service companies like plumbers, electricians and HVAC contractors rely heavily on mobile devices and cloud applications. Technicians use smartphones and tablets to receive dispatches, order parts, collect signatures, and process payments. These digital tools improve efficiency but also create multiple entry points for attackers. Reasons that make mobile service firms particularly attractive include:

• Distributed workforce and weak Wi‑Fi – Technicians connect from job sites, coffee shops, or personal hotspots. Unsecured networks and out‑of‑date devices make them easy prey.
• Legacy software with default credentials – Accounting and project‑management tools such as FOUNDATION often ship with high‑privilege accounts (e.g., “sa” and “dba”). Security researchers observed attackers scanning the internet for exposed MS SQL servers and brute‑forcing these accounts.
• Lack of centralized IT – Small companies often have no dedicated IT staff. Passwords are shared over text message, software updates are skipped, and employees are rarely trained to recognize scams.
• High‑value data – A plumbing firm stores addresses, payment details, and access codes for hundreds of homes. When this data is stolen, criminals can commit identity fraud or plan burglaries.

Cyber‑criminals know that a single stolen password can grant them access to a wealth of data. The 2025 Verizon Data Breach Investigations Report found that small and medium‑sized businesses (SMBs) experienced breaches at nearly four times the rate of large enterprises. Ransomware is particularly devastating: 88 % of SMB breaches involved ransomware attacks. Attackers also use stolen credentials to compromise supply chains; small tradespeople often become the entry point to larger contractors or utility providers.

Real‑World Attacks: More Than Just Hypotheticals

The threat isn’t theoretical. Consider two high‑profile breaches:

FOUNDATION accounting software exploited

In September 2024, cybersecurity firm Huntress reported that threat actors were brute‑forcing FOUNDATION accounting software installations that were accessible over the internet. Many installations had never changed the default “sa” and “dba” passwords. Huntress observed about 35,000 brute‑force login attempts against a single MS SQL server before attackers gained access. Out of 500 monitored hosts running FOUNDATION, 33 were publicly accessible using default credentials. Once in, hackers could run arbitrary OS commands via the xp_cmdshell function, install ransomware, or exfiltrate financial records. The victims included plumbing, HVAC, concrete, and other construction‑related companies.

City Plumbing & Electric Supply Co ransomware incident

In March 2025, the AKIRA ransomware gang listed the City Plumbing & Electric Supply Co. on its leak site. This company, a large distributor of plumbing and electrical products, reported that attackers stole over 77 GB of corporate documents, including employee and customer contact information, financial data, contracts, and confidential licenses. The leak served as a reminder that supply distributors are just as vulnerable as the trades they serve. Exposed customer information can lead to identity theft or targeted social engineering attacks, while stolen pricing and contract data undermine competitive advantage.

Common Attack Vectors: Phishing and Weak Credentials

Most attacks on home‑service businesses start with social engineering. Phishing emails or SMS messages impersonate dispatch software, suppliers, or even your own office manager. A technician on the road may be more likely to click a link or download an attachment without scrutinizing the sender. Attackers then install malware or harvest login credentials. Once inside, they move laterally through the accounting system or remote desktop solutions.

The Huntress investigation showed that many companies never change default database passwords. Attackers take advantage of these vulnerabilities, scanning for open ports and using automated tools to brute‑force credentials. Without multi‑factor authentication (MFA) or password rotation policies, mobile professionals are essentially leaving the front door unlocked.

How managed IT services can help

A robust defense starts with a layered security strategy—and for most small service businesses, partnering with a managed IT service provider is the most cost‑effective way to achieve this. Here’s how a managed provider like Senroc Technologies can help:

1. Harden your infrastructure – Managed IT professionals audit software configurations, close unnecessary ports, and enforce strong password policies. They ensure that vulnerable services like MS SQL are not exposed to the public internet and that default credentials are changed.
2. Implement multi‑factor authentication – MFA makes it much harder for attackers to access email, remote‑desktop tools, and accounting systems, even if passwords are compromised.
3. Deploy advanced email security – Next‑generation email filtering blocks phishing attempts and malicious attachments before they reach technicians’ inboxes.
4. Monitor devices and networks 24×7 – Continuous monitoring detects suspicious activity, such as unusual login attempts or data exfiltration, enabling rapid containment.
5. Regularly back up and test your data – Off‑site, encrypted backups ensure you can quickly recover from ransomware without paying a ransom.

Cybersecurity Best Practices for Mobile Professionals

Alongside professional services, business owners and technicians can adopt several practical steps:

• Train your team – Train your technicians how to spot phishing emails and fake text messages. Emphasize that legitimate vendors will never ask for passwords or payment information via email.
• Use secure Wi‑Fi and VPNs – Provide mobile hotspots or require technicians to connect via a VPN. Avoid performing business tasks over public Wi‑Fi without encryption.
• Update software and operating systems – Keep smartphones, tablets, and laptops up to date. Software updates often include critical security patches.
• Separate personal and business devices – Encourage technicians to use company‑issued devices for work. Personal devices may not have the necessary security controls.
• Adopt secure password practices – Use unique, complex passwords for each application and rotate them regularly. Consider a password manager.

Leverage Microsoft 365 and End‑User Training

Migrating to Microsoft 365 gives mobile teams enterprise‑grade email, file storage, and collaboration tools. Microsoft 365 integrates advanced threat protection, data‑loss prevention, and Conditional Access policies, which restrict access based on device health or location. When configured by IT professionals, this environment reduces the risk of phishing and credential compromise.

End‑user training is critical. Regular workshops and simulated phishing campaigns build a security‑first culture. Employees learn to recognize suspicious links, verify requests before sharing information, and report incidents promptly.

Ready To Protect Your Data and Your Business?

Protect Your Business Before the Next Attack Hits — Partner With Senroc Technologies

Plumbing companies, HVAC contractors, electricians, HOAs, and other mobile service professionals can’t afford downtime or data loss. If you’re ready to secure your team, train your staff, and put real cybersecurity protections in place, Senroc Technologies is here to help.

As Denver’s trusted Managed Service Provider, we deliver proactive monitoring, Microsoft 365 management, end-user training, and iron-clad cybersecurity built for the way mobile businesses operate.

Don’t wait for a phishing attack to expose your business.

Contact Senroc Technologies today for reliable, local IT support in Denver, CO, and the surrounding areas — and keep your business running securely, efficiently, and confidently every day.

Call (303) 350-4055

Frequently asked questions

Why are mobile professionals like plumbers more vulnerable to phishing?

Field technicians often operate under time pressure, juggling multiple jobs. They may open emails or text messages quickly without verifying the sender. Attackers know this and craft phishing messages that mimic dispatch notices, invoices, or customer inquiries. Without robust training and email filtering, mobile workers are more likely to click on malicious links.

What is phishing and how does it affect plumbers and HVAC technicians?

Phishing is a form of social engineering in which attackers impersonate trusted entities to trick recipients into revealing sensitive information or downloading malware. For plumbing and HVAC firms, a successful phishing attack can lead to stolen customer data, unauthorized access to accounting systems, and even physical security risks if addresses or lock codes are leaked.

How can managed IT services protect my home‑service business?

A managed IT provider implements layered security controls—firewalls, MFA, secure backups, and monitoring—and helps you maintain them. They also deliver regular security training, ensure software and devices are up to date, and respond quickly if an incident occurs. For a small business without a dedicated IT staff, this partnership provides enterprise‑level protection at a predictable cost.

Do I really need to worry about default credentials in my software?

Yes. Many accounting and dispatch platforms come with default administrator accounts. Attackers routinely scan the internet for devices using these credentials. Changing default passwords, disabling unused services, and limiting remote access are simple yet powerful steps to prevent unauthorized entry.