You are about to read a real story showing how cybercriminals can devastate a business in the blink of an eye. Most importantly, we’ll share several ways this could have been avoided. Remember to forward this to anyone making online payments and, better yet, your entire staff. The names of the company and its principals have been withheld so they don’t become a further target.

$43,000 Gone in The Blink of An Eye

Imagine, on a normal Friday night after a long week of work, you glance down at your phone and see an alert from your bank.

You open it to find that you’ve just paid a company you’ve never heard of $43,000!

This was an all-too-real situation for one small business owner a few weeks ago – and there’s NOTHING the owner, or police, or anyone else can do to get that money back. It’s gone forever.

Thankfully, for this company, $43,000 was a loss they could absorb, but it was still a huge hit, and frankly, they are lucky they weren’t taken for more.

Here’s what happened and how you can keep this from happening to you.

The E-mail That Started It All

Imagine receiving an e-mail so convincing, so utterly devoid of red flags, that you find yourself compelled to act. This isn’t a failure of judgment; it’s a testament to the sophistication of modern cyber threats.

In this case, an employee in the accounting department received an e-mail from the company’s “CEO” saying they were starting to work with a new company and needed to get them set up in the system and make a payment to them right away.

This was NOT an abnormal type of e-mail, nor was the amount anything that aroused suspicion – they made and received large amounts of money often.

The only telltale clue might have been that it came in on a Friday afternoon and it was made clear that it was an urgent matter that had to be handled right away.

The employee, thinking they were doing exactly what their boss wanted, set the attacker’s company up in the system, including their bank routing number, and made a payment. And the minute they hit “Send,” the money would never be seen again.

It wasn’t until the CEO called minutes later, after receiving notification of the transfer, that alarm bells started to ring! But by then, it was all too late.

So, What Happened?

While it’s impossible to know what exactly occurred to kick off this chain of events, the most likely culprit is that an employee, possibly even the owner, received an e-mail sent by a cybercriminal weeks or even months earlier that allowed this person to gain access to some of the company’s systems.

In all likelihood, the e-mail looked normal and had a link that, when clicked, downloaded software onto the recipient’s computer, and that’s where things started to go wrong.

Over the following weeks, the cybercriminals accessed company communications, figured out who the players were, and devised a plan to make it look like the CEO needed a vendor to be paid urgently.

And when the criminals determined the time was right, they “attacked” and walked away with $43,000 for their efforts.

Home Alone

While this scenario may sound far-fetched, it’s not new.

If you remember the classic movie Home Alone, the would-be thieves watched houses in the days immediately preceding Christmas to determine which families would be away for the holidays so they could break into those homes.

Cybercriminals do the same thing, but from a distance, and you’d never know they were ever there.

The scary fact is that your system could be compromised right now, and you would have no way of knowing it until an attack happens.

In the cybercrime world, the kind of attack this company suffered is referred to as spear phishing. Criminals identify a single point or person in an organization who they believe could fall victim to a scam like the one that happened here. They then engineer a scheme to target them specifically.

What You and Your Employees Need To Know To Help Thwart Attacks

The sad fact is that there is no 100% safeguard against cybercriminals. But, just like our robbers in Home Alone, cybercriminals go after the low-hanging fruit. If your house has a gated entry, security system, outside cameras and lights, and has three vicious-looking dogs roaming around, would-be thieves are much more likely just to move on to a house without all these layers of security.

Cybercriminals operate in the exact same fashion, looking for companies that aren’t protected and then targeting them specifically. So, the best thing you can do is have layers of protection for your company, along with education for your employees.

3 Things To Do Right Now To Protect Your Company

  1. Multi-factor authentication (MFA), or two-factor authentication (2FA), is like a superhero's shield against bad guys on the internet. Imagine when you're trying to get into an app, and it asks for a special code that it sends to your phone. You need to type in this code to get in. While often deemed a nuisance, MFA isn’t an inconvenience – it’s the digital equivalent of locking your doors at night. It's a simple step, but it can really save your business from trouble.
  2. Employees are your first line of defense. Think of your staff as the first people who can stop trouble from happening. It's like teaching your kids not to open the door to strangers. You MUST teach your workers about the bad stuff online, like scams, how to stay away from them, and what they should do if they accidentally click on something phishy. Engage your IT folks, like 10D Tech, to train your team, and they usually have special programs that your employees can do a few times a year to learn all this stuff. They even get quizzed to make sure they understand it well. Sure, no one really gets excited about these training sessions, but spending just 10 to 15 minutes on it a few times a year could save you from being in the news for the wrong reasons and keep your money safe!
  3. Get cyber security services in place. MFA is just the start of a comprehensive security plan. You need to talk to a qualified IT Services company (not your uncle Larry who helps you on the side) about getting more than a firewall and virus scan software. What worked a decade or two ago – and may still be helpful on a home network – would be like protecting a bank vault with a ring camera. It’s just not going to cut it. NOTE: 10D Tech offers various security services for Oregon companies and can certainly talk to you about options that make sense for your situation.

Whatever You Do, Don’t Do This!!!

Perhaps the worst thing the owner of the company that lost $43,000 did was to then post a video and the story on social media.

While their intentions were good because they wanted to warn other business owners not to fall victim to the same scam, they might as well have had T-shirts made with a big target on the back.

It’d be like having cash from your house taken, then going online and telling people exactly how it happened – you’re just inviting more people to come try to take your cash.

Not Sure If You’re As Protected And Prepared As You Should Be?

Get a Cyber Security Risk Assessment to ensure you're adequately protected. During this assessment, we’ll review your system so you know exactly if and where you’re vulnerable to an attack.

Schedule your assessment with one of our senior advisors by calling us at 541-243-4103 or going to www.10dtech.com/risk.