How $43,000 Got Stolen From A Small Business In The Blink Of An Eye

You are about to read a real story. It shows you how cybercriminals can devastate a business in the blink of an eye. Most importantly, I’ll share several ways this could have been avoided. Make sure to forward this to anyone who might be making online payments and, better yet, your entire staff. The name of the company and principals have been withheld so they don’t become a further target.

$43,000 Gone In The Blink Of An Eye

Imagine glancing down at your phone on a normal Friday night. You’ve had a long week of work. Suddenly, you see an alert from your bank.

You open it to find that you’ve just paid a company you’ve never heard of $43,000!

This was an all-too-real situation for one small business owner a few weeks ago. Unfortunately, there’s NOTHING the owner can do to get that money back. The police can’t do anything either. No one else has a way to retrieve it. It’s gone forever.

Thankfully, for this company, $43,000 was a loss they could absorb. However, it was still a huge hit. Frankly, they are lucky they weren’t taken for more.

Here’s what happened and how you can keep this from happening to you.

The E-mail That Started It All

Imagine receiving an e-mail so convincing, so utterly devoid of red flags, that you find yourself compelled to act. This isn’t a failure of judgment; it’s a testament to the sophistication of modern cyberthreats.

In this case, an employee in the accounting department received an e-mail from the company’s “CEO.” It said they were starting to work with a new company. They needed to get them set up in the system. They also needed to make a payment to them right away.

This was NOT an abnormal type of e-mail. The amount did not arouse suspicion. They made and received large amounts of money often.

The only telltale clue might have been that it came in on a Friday afternoon. It was made clear that it was urgent and had to be handled right away.

The employee thought they were doing exactly what their boss wanted. They set the attacker’s company up in the system, entered its bank routing number, and made a payment. And the minute they hit “Send,” the money was never to be seen again.

It wasn’t until the CEO called minutes later, after receiving notification of the transfer, that alarm bells started to ring! But by then it was all too late.

So What Happened?

It’s impossible to know exactly what started this chain of events. However, the most likely culprit is an e-mail sent by a cybercriminal and received by an employee, possibly even the owner, weeks or even months earlier. That message allowed the cybercriminal to gain access to some of the company’s systems.

In all likelihood, the e-mail looked normal. It had a link that, when clicked, downloaded software onto the recipient’s computer. That’s where things started to go wrong.

Over the following weeks, the cybercriminals accessed company communications. They figured out who the players were. They devised a plan to make it look like the CEO needed a vendor to be paid urgently.

And when the criminals determined the time was right, they “attacked” and walked away with $43,000 for their efforts.

Home Alone

While this scenario may sound far-fetched, it’s not new.

If you remember seeing the classic movie Home Alone, you might recall how would-be thieves watched houses immediately preceding Christmas. They wanted to determine which families would be away for the holidays. Then they could break into those homes.

Cybercriminals do the same thing, but from a distance, and you’d never know they were ever there.

The scary fact is, your system could be compromised right now. You would have no way of knowing it until an attack happens.

In the cybercrime world, the kind of attack this company suffered is referred to as spear phishing. Criminals identify a single point or person in an organization who they believe could fall victim to a scam like the one that happened here. Then, they engineer a scheme to specifically target that person.

What You And Your Employees Need To Know To Help Thwart Attacks

The sad fact is that there is no 100% safeguard against cybercriminals. But, just like our robbers in Home Alone, cybercriminals go after the low-hanging fruit. If your house has a gated entry, security system, and outside cameras, it becomes less attractive to thieves. Adding lights and three vicious-looking dogs makes it even more secure. Would-be thieves are more likely to move on to a house without all these layers of security.

Cybercriminals operate in the exact same fashion, looking for companies that aren’t protected and then targeting them specifically. The best strategy is to have layers of protection for your company. Educating your employees is also crucial.

3 Things To Do Right Now To Protect Your Company

  1. Multi-factor authentication (MFA), also called two-factor authentication (2FA), is not just a tool; it is a shield against the relentless barrage of cyberthreats. For example, when you try to log into a program, the program sends a code to your cell phone via text, and you must enter that code before the program grants access. While often deemed a nuisance, MFA isn’t an inconvenience – it’s the digital equivalent of locking your doors at night. It’s a simple yet profoundly effective measure that can be the difference between a secure business and a cautionary tale.

  2. Employees are your first line of defense. Just as you teach your kids not to open the door to strangers, educate your employees about malicious threats, common scams, and how to avoid them. Also, explain what to do if they think they’ve inadvertently clicked a link they shouldn’t have. Ask your IT company to provide this training. Often, they have programs that you can require your employees to go through a couple of times a year. The program then quizzes them to ensure they know the material. While this process isn’t something you or they will look forward to, it only takes 10 to 15 minutes. This small effort a couple of times a year can keep you out of the news. It can also keep your money out of someone else’s account!

  3. Get cyber security services in place. MFA is just the start of a comprehensive security plan. You need to talk to a qualified company, not your uncle Larry who helps you on the side. Talk to them about getting more than a firewall and virus scan software. What worked a decade or two ago might still be helpful on a home network, but for a business it would be like protecting a bank vault with a Ring camera. It’s just not going to cut it. NOTE: We offer a variety of security services for companies of all sizes, and we can certainly talk to you about options that make sense for your situation.

Whatever You Do, Don’t Do This!!!

The owner of the company lost $43,000. Then, they might have made their worst decision. They posted a video and story on social media.

Their intentions were good. They wanted to warn other business owners not to fall victim to the same scam. However, they might as well have had T-shirts made with a big target on the back.

It’d be like having cash taken from your house. Then you go online and tell people exactly how it happened. You’re just inviting more people to come try to take your cash.

Not Sure If You’re As Protected And Prepared As You Should Be?

To make sure you’re properly protected, get a FREE, no-obligation Cyber Security Risk Assessment. During this assessment, we’ll review your entire system so you know exactly if and where you’re vulnerable to an attack.

Schedule your assessment with one of our senior advisors by calling us at 252-329-1382 or going to dtinetworks.com/discovery-call.
