A Real-Life Email Scam

Jan 7, 2024 | Business, Cybersecurity

Small Business Cyber Security: A Practical Example of an Email Scam 

It can be hard to picture the risk that cyber threats pose to a business until you hear how a real attack unfolded. The following story, which I heard recently, is a reminder that criminals will go to considerable lengths to breach even a small company.

In this story, a small business went looking for a new IT service provider after a breach of its email system. The owners believed the intrusion had been contained, but they accepted a quick review of the affected mailbox to confirm it. That review uncovered a far more deliberate attack than the usual password theft or spam run.

In this case, the attacker:

  • Gained access to the mailbox of the employee responsible for handling payments and located email threads with invoices attached.
  • Registered a lookalike domain closely resembling the company's real domain.
  • Set up a mailbox on the lookalike domain that mimicked the employee's email address.
  • Copied the existing conversation with a client, invoices included, into a new message sent from the lookalike mailbox.
  • Rewrote the quoted conversation so that every legitimate address was replaced with its lookalike counterpart, so the thread looked authentic and any reply would reach the attacker rather than the real employee.
  • Sent the client a convincing message claiming that the company had changed its payment method and supplying new bank details for wire transfers.
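The lookalike-domain step above is the one a receiving mail system can actually test for. The script below is an added example, not code from the original post or from the business involved: it parses two constructed messages, flags a sender or Reply-To domain that closely resembles the defended company's domain (by character confusables such as "rn" for "m", a swapped top-level domain, or a small edit distance), and flags body text that asks for new bank or payment details. The company domain acme-widgets.example, the client domain globex.example and both messages are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the defended company's real domain (hypothetical name).
OUR_DOMAIN = "acme-widgets.example"

# Phrases typical of a payment-diversion request. Word boundaries keep
# "unchanged" from matching "changed".
PAYMENT_CHANGE_RE = re.compile(
    r"\b(new|updated|changed|different)\s+(bank|banking|account|payment|wire|remittance)\b"
    r"|\b(bank|banking|account|payment|wire|remittance)\b.{0,40}?\b(changed|updated)\b",
    re.IGNORECASE | re.DOTALL,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold common visual confusables so 'acrne-widgets' compares equal to 'acme-widgets'."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str, target: str = OUR_DOMAIN, max_distance: int = 2) -> bool:
    """True if domain is not target but could be mistaken for it at a glance."""
    domain = domain.lower()
    if not domain or domain == target:
        return False
    if normalize(domain) == normalize(target):
        return True  # confusable characters or a dropped hyphen
    d_label, _, d_tld = domain.rpartition(".")
    t_label, _, t_tld = target.rpartition(".")
    if d_label == t_label and d_tld != t_tld:
        return True  # same name registered under another TLD
    return levenshtein(domain, target) <= max_distance


def check_message(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]

    if is_lookalike(from_domain):
        findings.append(f"From domain {from_domain!r} resembles {OUR_DOMAIN!r}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
        if is_lookalike(reply_domain):
            findings.append(f"Reply-To domain {reply_domain!r} resembles {OUR_DOMAIN!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if PAYMENT_CHANGE_RE.search(text):
        findings.append("Body asks for a change of bank or payment details")
    return findings


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = (
    "From: Dana Reyes <dana.reyes@acme-widgets.example>\n"
    "To: accounts@globex.example\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Hi, invoice 4471 for March is attached. Payment terms unchanged.\n"
)

SCAM_MESSAGE = (
    "From: Dana Reyes <dana.reyes@acrne-widgets.example>\n"
    "To: accounts@globex.example\n"
    "Subject: RE: Invoice 4471\n"
    "\n"
    "Please note that our banking arrangements have changed with immediate effect.\n"
    "Use the new account below for all wire transfers.\n"
    "(account details followed)\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("scam", SCAM_MESSAGE)):
        print(label, check_message(raw) or ["no findings"])
```

The edit-distance threshold of 2 over the whole domain is deliberately loose; for a very short company domain it will also match unrelated neighbours, so in practice the check is used to route mail for human review rather than to block it outright.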

The plan was foiled when an attentive client noticed something was off and contacted the company directly. Financial loss was probably avoided, but the reputational damage remains: the business learned of the fraud from its own client, which is embarrassing at the very least.

This story underlines the value of proper monitoring and a thorough investigation: the business believed the breach was over while the attacker was still at work. To help protect your business from similar incidents, consider the following basic measures:

  • Employee training: Teach your team to recognize and avoid threats such as phishing emails and social engineering, including requests to change payment details.
  • Secure email systems: Use email security tools that filter spam and malicious mail and that flag messages sent from domains closely resembling your own. Filtering alone does not stop an attacker who already holds an account, so pair it with monitoring for unusual sign-ins and unexpected changes to mailbox settings.
  • Multi-factor authentication: Require unique, complex passwords and enable multi-factor authentication (MFA), which asks for a second proof of identity beyond the password, so a stolen password alone is not enough to sign in to a mailbox.
  • Out-of-band verification: Agree with clients and suppliers that any change to bank details is confirmed by a call to a number already on file, never by replying to the email. That is, in effect, what the attentive client in this story did.

Being small is not a deterrent, despite what many business leaders believe. Criminals cast a wide net, targeting thousands of small companies at once; once they find a weakness in one of them, they zero in and exploit it.

By sharing cautionary tales like this one, together with the steps above, I hope to encourage businesses to prioritize cyber security awareness and invest in the measures needed to protect their digital assets. Stay vigilant: attackers constantly evolve their methods, and the precautions you take now are what stand between your business and a breach, and the reputational damage that follows it.