The following narrative depicts a true account of how a business can be devastated by cybercriminals in the blink of an eye.  Above all, I’ll share several ways this could have been avoided.  Make sure to forward this to anyone who might be making online transactions and, better yet, your entire staff.  The company’s name and principals have been withheld so they don’t become a further target.

$43,000 Gone in The Blink of An Eye

Imagine, on a normal Friday night after an exhausting week of work, you glance down at your phone and see an alert from your bank.

Upon opening it, you find that you’ve just paid a company you’ve never heard of $43,000!

This unfortunate scenario unfolded for one small business owner a few weeks ago – and there’s NOTHING the owner, or police, or anyone else can do to get that money back.  It’s gone forever.

Fortunately, for this company, $43,000 was a loss they could absorb, but it was still a huge hit and, frankly, they are lucky they weren’t taken for more.

Below is an account of what happened and how you can keep this from happening to you.

The Email That Started It All

Imagine receiving an email so persuasive, so utterly devoid of red flags, that you find yourself compelled to act.  This does not represent a lapse in judgment; rather, it’s a testament to the sophistication of modern cyberthreats.

In this case, a staff member in the accounting department received an email from the company’s “CEO” saying they were starting to collaborate with a new company and needed to get them set up in the system and make a payment to them right away.

This was NOT an abnormal type of email, nor was the amount anything that aroused suspicion – the company frequently sent and received large amounts of money.

The only telltale clue might have been that it came in on a Friday afternoon and it was made clear that it was an urgent matter that had to be addressed right away.

The employee, under the impression that they were fulfilling their boss’s instructions, set the attacker’s company up in the system, including their bank routing number, and made a payment.  And the minute they hit “Send,” the money was never seen again.

The alarm bells didn’t start ringing until the CEO called a few minutes later, upon being notified about the transfer.  But by then it was all too late.

So, What Happened?

It’s hard to pinpoint the exact cause of these events, but it’s highly probable that an employee, possibly even the owner, received an email sent by a cybercriminal weeks, or even months, earlier that allowed this person to gain access to some of the company’s systems.

Chances are, the email looked normal and had a link that, when clicked, downloaded software onto the recipient’s computer, and that’s where things started to go wrong.

In the weeks that followed, the cybercriminals accessed company communications, figuring out who the players were, and devised a plan to make it look like the CEO needed a vendor to be paid urgently.

And when the criminals determined the time was right, they “attacked” and walked away with $43,000 for their efforts.

Home Alone

This situation might seem unlikely, but it’s not a new occurrence.  If you remember the classic movie Home Alone, the would-be burglars scoped out houses right before Christmas to determine which families would be away for the holidays so they could break into those homes.

Cybercriminals operate in a comparable way, but they do it remotely, leaving no trace behind.

It’s a frightening reality that your system might be compromised at this very moment without you even realizing it until an attack happens.

The type of cyberattack that targeted this company is commonly known as spear phishing.  Criminals often pinpoint a particular individual or weak point within an organization that they believe could fall victim to a scam like the one that happened here, and they engineer a scheme to specifically target it.

What You and Your Employees Need to Know to Help Thwart Attacks

The sad fact is that there isn’t a foolproof defense against cybercriminals.  Like the burglars in Home Alone, cybercriminals go after the low-hanging fruit.  If your home is equipped with a gated entry, a security system, outside cameras and lights, and has three vicious-looking dogs roaming around, would-be thieves are much more likely just to move on to a house without all these layers of security.

Cybercriminals work in a similar manner, seeking out companies that aren’t protected and then targeting them specifically.  Having multiple layers of protection for your company, coupled with providing education for your employees, is the most effective approach.

3 Things to Do Right Now to Protect Your Company

  1. Multi-factor authentication (MFA), also called two-factor authentication (2FA), serves as both a powerful tool and a protective shield against the constant stream of cyberthreats. An example of MFA is when you attempt to access a program and a code is sent to your cell phone via text, which you must enter before you are granted access to the program.  MFA is sometimes seen as a hassle, but it’s not an inconvenience; it’s like securing your home by locking the doors before bed.  It’s a simple yet profoundly effective measure that can be the difference between a secure business and a cautionary tale.
  2. Employees are your first line of defense. Just like you’d instruct your kids not to open the door to strangers, you NEED to teach your employees about malicious threats.  Educating them about the common scams, how to avoid them and what to do if they think they’ve inadvertently clicked a link they shouldn’t have is key.  Make sure to request training from your IT company; they usually offer programs that your employees go through a couple of times a year.  The program then tests them to verify what they’ve learned.  While this process isn’t something you or they will look forward to, the reality is that it could take just 10 to 15 minutes a couple of times a year to keep you out of the news and your money out of the wrong hands!
  3. Make sure you have cybersecurity services in place. Setting up MFA is just the start of a solid security plan.  You need to talk to a qualified company (not your uncle Larry who helps you on the side) about upgrading your security measures beyond just a security system and virus scan software.  Relying on what worked a decade or two ago – and may still be applicable for a home network – would be like protecting a bank vault with a Ring camera.  It’s just not going to cut it.  NOTE: We offer a variety of security services for companies of all sizes and can certainly talk to you about options that make sense for your situation.

Whatever You Do, Don’t Do This!!!

Perhaps the biggest mistake made by the company owner who lost $43,000 was sharing a video and story on social media afterwards.

While their intentions were good by trying to warn other business owners about the same scam, they practically painted a big target on their backs.

It’d be like having cash from your house taken, then going online and telling people exactly how it happened – you’re just inviting more people to come and try to take your cash.

Not Sure If You’re as Protected and Prepared as You Should Be?

To make sure you’re properly protected, get a FREE, no-obligation Cyber Security Risk Assessment.  During this assessment, we’ll review your entire system, so you know exactly if and where you’re vulnerable to an attack.

To schedule a call with one of our senior advisors, call us at 281-646-1200.