To start, I feel it’s important to note that this story is written based on an amalgamation of experiences we’ve had as an IT support company. It is unfortunately not infrequent that we meet a business calling regarding a breach of their systems and data or monetary loss.

Every business believes cybercrime is something that occurs but doesn’t happen to them. Especially as our clients are small to medium size businesses, a common misconception is that they are “too small to be targeted”. It depends on a multitude of factors;
what cybercrime and forum they get attacked by, and how much time, effort and money the hackers will have put in. The common Nigerian prince asking to deposit money into your account is a low-cost attack but means that it easily separates the vulnerable internet users. The case that has lost clients over £10,000 (not including the downtime they experienced) was slightly more comprehensive…

So, it’s a Monday morning and my inbox needs clearing as it’s been collecting emails throughout the weekend. I am skimming through, deleting the ones which I have just mindlessly been cc’ed into and I come across a password reset on my Microsoft account. It tells me that I need to reset my password in the next 72 hours (and that was sent on Saturday evening) otherwise I will be locked out of my account. Firstly, the idea of prolonging clearing my inbox for any longer fills me with dread and the last thing I want to do is be locked out of my account and have to contact my IT team.

So, I logically click the email and go to reset my password. This makes sense for the following reasons:

1. The email address it came from was the noreply@email.microsoftonIine.com. That seems incredibly legit, right? Even if I copy the address and put it into Google, it wouldn’t pick up that the “l” in online was actually a capitalised i.

2. It looked exactly like Microsoft emails I’d received before, it was the same branding, display, and process

3. My emails are on Microsoft, they had to be a part of Microsoft to know that and it’s been a while since I have reset I password

I click, it asks me to type in my account details which I do willingly because I obviously need to access my account to change my password. I even get to a webpage that asks me to put in my brand-new password so the whole process is complete. It informs me that my password has been changed and the process has been completed – perfect!

I carry on my normal day to day tasks, nothing suspicious happens and I even get to the stage where I forget that a password reset occurred. Weeks, even months pass and everything is fine, no breaches and no reason to be concerned.

But then I go on holiday, I’ve put it in my calendar in Outlook, so staff can see when I am returning. I come back, and really odd things seem to be happening. My accounts team come up to me with strange queries, money from clients that should have been paid into the company account but hasn’t, money that adds up to around £10,000. I speak to a couple of clients it concerns, they promise they have paid but they mention that they got an email saying that the payment details have changed and even weirder than that, it had come from my account.

I now decide it’s time to contact my IT support company and get them to run a full investigation into what has happened. I assume it’s a hacker, someone who has got into my computer and taken control of my email from there. Maybe it’s connected to a breach that happened on an account with the same password as my email, I don’t know but I’m pretty sure it’s nothing I’ve done.

They launched a full investigation and discovered a lot of strange things. Firstly, that someone was accessing my account from a country I’d never even visited before and this had been going on for months. Secondly, they had created a rule in my email to automatically forward on emails concerning the words “payment” or “invoice” to a specific email address and to simultaneously delete them from my inbox. Once this was discovered, we backtracked all my emails to see if anything suspicious happened on the date they first accessed my account and that’s when I saw that highly convincing password reset email. They identified that as an illegitimate email and the highly suspected reason for the hack. The hacker had been on my account for months waiting for the perfect opportunity to attack. They chose the time they knew I’d be less able to detect it, when I was on holiday. All the payments clients had sent to that account were completely gone and it took days to ensure that no other clients had been sent this change of payment or anything else that was suspect.

That attack cost me over £10,000 and was something I could have prevented.

There are so many things you can do as a business to reduce your chances of experiencing this attack, whether it’s internal training or cybersecurity software. Let us know if this is a concern of yours and we can help you to put policies and protection in place to get it sorted.