This is a real story of how a small business fell victim to a cybercrime, and the devastating consequences that followed. For privacy and protection, we will not be sharing the name of the company.
Most importantly, you’ll learn how this could have been avoided and what to do to strengthen your current security.
The Text Message
Imagine, on a casual Friday evening, you get an alert from your bank stating a payment of $43,000 was issued to a company you’ve never heard of!
This is what happened to a small business just a few weeks ago! The money was gone in the blink of an eye, and there was nothing the owner or the police could do to get it back.
Even though it was a huge hit, luck had it that they weren’t taken for more, and the company was able to recover.
You might not be so lucky.
The E-mail
Imagine receiving a convincing e-mail with zero red flags. You don’t even think twice before you act. This isn’t a failure of judgment; it’s proof of the sophistication of modern cyber threats.
In this company, an employee working in the accounting department received an email from the “CEO” instructing them to make a payment to a new partner they started working with.
This type of email was fairly common from the CEO, and the amount requested wasn’t exorbitant enough to arouse any suspicion. The only telltale clues could have been that the email was sent on a Friday afternoon and the urgency of the matter.
Thinking he was following orders, the employee set up the attacker’s company in the system and made a payment. Within minutes, the money was gone, never to be seen again.
It wasn’t until the CEO received notification of the transfer that alarm bells started to ring. But by then, it was too late!
The Hack
It’s difficult to know exactly what set this chain of events in motion. Most probably, another employee, or even the owner, opened a phishing email a few weeks or months before, giving the cyber criminal access to some of the company’s systems.
Instead of attacking immediately, the hacker waited. Observing the employees’ behaviour and gaining access to the company’s communications, they developed the plan to make it look like the CEO needed a vendor to be paid urgently.
When the time was right, they sent that one email and walked away with $43,000!
This kind of attack is called spear phishing. Cyber criminals target a person within an organization who they believe could fall victim to a scam similar to what happened in this case.
The scary fact is that your system could be compromised right now, and you would have no way of knowing it until an attack happens.
The Need to Knows
Cyber criminals look for companies that aren’t well protected and target them. Even if you cannot be 100% safe from cyber attacks, it is crucial to have layers of protection to deter any attacks.
Here are three things you should do right now:
1. Enable Multi-factor Authentication (MFA)
MFA is a shield against relentless cyber threats. An example of MFA is when you need to enter a code from your phone to log into a web program. While it may seem like a nuisance, this extra layer protects your account even if your login details get compromised.
2. Train Your Employees
Employees are your first line of defense. They NEED to know about the common scams, how to avoid them, and what to do if they suspect malicious threats. Ask your IT provider to provide training at least two times a year. Even if it’s tedious for employees, those 15 minutes of training could keep you out of the news and your money in your pocket.
3. Set up Cyber Security Practices
A firewall and a virus scan are not enough anymore. Work with a qualified cyber security specialist to develop comprehensive security practices.
The News
Right after the incident, the company in question posted a video on social media to explain what happened and educate other business owners not to fall for the same scam.
While their intentions were good, they put a bigger target on their back. It’s like having your house broken into, then going online and telling people how they did it – you are inviting more cyber criminals to try their attack.
If this ever happens to your business, lay low, and resolve the situation as quickly and quietly as possible.
The Next Step
Make sure your business is properly protected. Get a FREE Cyber Security Risk Assessment. Our team will review your entire system so you know exactly if and where you’re vulnerable to an attack.
Schedule your Assessment today.
p.s. Forward this to anyone who handles online payments, or better yet, your entire staff.