As a technologist and cybersecurity professional, I’m generally happy to take on new clients, but sometimes it’s not under the best circumstances.
Earlier this year, for example, a panicked business owner was referred to me; not a financial advisor, but a financial services professional nonetheless.
An attacker had stolen $325,000 from this new client via a simple digital compromise. But what really happened, and how?
This business owner, whom we will call Cindy, was embarrassed and terrified. This wasn’t just about losing money; the reputation of her business and the trust of her clients were at stake.
She had not done anything intentionally wrong; rather, she was unprepared for the rapidly evolving threats we all face when it comes to cybersecurity.
Cindy, a small, independent business owner serving the financial services sector, had used a monolithic domain registrar, one that regularly advertises nationally and has a large sales team, to host her website and email. They assured her that if she paid extra money every month, her email and web domain would be safe.
The extra security package included email filtering that hadn’t been configured, archiving that was not very helpful, and a serious lack of security controls. The sales team had done a good job convincing her that it would all be fine.
And how was Cindy to know? She’s not a cybersecurity expert and was busy focusing on the many other things required to run and grow a small business.
How It Happened
This all transpired when a malicious cyber threat actor slipped into Cindy’s email unnoticed. It appears Cindy experienced what we refer to as a business email compromise, or BEC, in which a threat actor gains access to a victim’s email account. She was reusing passwords, as far too many business owners and clients do, and her email provider was not enforcing multi-factor authentication (MFA) while claiming to provide a secure service.
According to the FBI, between 2013 and 2023 there were over $55 billion in reported losses due to business email compromise. The real value lost is likely higher.
To be clear, claiming to provide great security while not enforcing MFA is incongruent if you purport to provide cybersecurity oversight, as this domain registrar does.
Cindy had reused her email password on another service, and that password was leaked in a data breach. The threat actor took advantage of a classic low-tech attack called “credential stuffing,” in which attackers replay previously stolen username and password pairs against accounts on other websites, including email.
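One defensive check against exactly this scenario is to refuse any password that already appears in a public breach corpus before it can be reused. The block below is an added example, not code from the article; it implements the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the SHA-1 hash are sent, the reply is a list of "SUFFIX:COUNT" lines, and matching happens locally). The password and the reply body are constructed here so the example runs offline.

```python
"""Check a password against a breach corpus without sending the password itself.
Added example, not the article's code. Mimics the k-anonymity range lookup of
Have I Been Pwned's Pwned Passwords API (GET /range/<first 5 hex of SHA-1>,
reply lines "SUFFIX:COUNT"); the reply body is constructed so it runs offline."""
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in a /range reply, 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        cand, count = line.rsplit(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0


LEAKED = "Cindy2019!"  # constructed: stands in for a password exposed in a breach
_, _leaked_suffix = sha1_prefix_suffix(LEAKED)
SAMPLE_RANGE_BODY = "\n".join([  # constructed to mimic a /range/{prefix} reply
    "0018A45C4D1DEF81644B54AB7F969B88D65:12",
    f"{_leaked_suffix}:3417",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


def should_reject(password: str, range_body: str) -> bool:
    """Policy: refuse any password that has appeared in a breach, however rarely."""
    return breach_count(password, range_body) > 0
```

In production the range body would come from an HTTPS request for the five-character prefix; the matching logic stays the same.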
The Key Security Gaps
Because there was no MFA on the account, the threat actor was able to sail right into Cindy’s email. Once there, the threat actor started performing reconnaissance, reading emails going both in and out of the account. They saw everything Cindy would see … including details about a pending payment for $325,000. Before Cindy could send her invoice for the full amount owed, with her bank account information on it, the threat actor sent a fake invoice carrying the attacker’s bank information instead.
The threat actor not only closely monitored her email for any correspondence from Cindy’s client, but also created email rules that moved any incoming emails from the client into a folder where they would never appear in Cindy’s inbox. Cindy would never see the fraudulent $325,000 invoice with the attacker’s wire details leave her account, or the client’s responses to it arrive.
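Mailbox rules like the ones described above are one of the most reliable indicators of a BEC in progress, and they are easy to audit. The block below is an added example, not code from the article: its InboxRule fields are modelled on what Exchange Online’s Get-InboxRule cmdlet returns (Name, Enabled, From, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo), and the sample rules, addresses and the domain cindyfirm.example are constructed.

```python
"""Flag mailbox rules that hide or divert a correspondent's mail (added example,
not the article's code). Fields mimic Exchange Online's Get-InboxRule output;
all sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Folders a user rarely opens; BEC actors commonly park hidden mail here.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "deleted items", "conversation history", "notes"}

@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    from_addresses: list[str] = field(default_factory=list)  # rule condition
    move_to_folder: str | None = None
    delete_message: bool = False
    mark_as_read: bool = False
    forward_to: list[str] = field(default_factory=list)

def rule_findings(rule: InboxRule, own_domain: str) -> list[str]:
    """Return the reasons a rule looks like BEC tradecraft (empty if none)."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    folder = (rule.move_to_folder or "").lower()
    if rule.delete_message:
        findings.append("deletes matching mail")
    if folder in HIDE_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    if rule.mark_as_read and (folder or rule.delete_message):
        findings.append("marks as read so hidden mail never shows as unread")
    for addr in rule.forward_to:
        if not addr.lower().endswith("@" + own_domain.lower()):
            findings.append(f"forwards to external address {addr}")
    if len(rule.name.strip()) <= 1:
        findings.append("near-empty rule name")
    return findings

def suspicious_rules(rules: list[InboxRule], own_domain: str) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule with at least one finding."""
    return {r.name: f for r in rules if (f := rule_findings(r, own_domain))}

SAMPLE_RULES = [  # constructed: one benign rule, two matching the article's pattern
    InboxRule("Newsletters", from_addresses=["news@vendor.example"], move_to_folder="Newsletters"),
    InboxRule(".", from_addresses=["ap@bigclient.example"], move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("backup", forward_to=["cindy.backup@webmail.example"]),
]
```

Running suspicious_rules(SAMPLE_RULES, "cindyfirm.example") flags the "." and "backup" rules and leaves the newsletter rule alone; the same checks apply to rules exported from any mail platform.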
Weak passwords and lack of MFA create an open door for attackers. Microsoft notes that implementing MFA can prevent up to 99.9% of account compromises. Phishing-resistant MFA (such as FIDO2 hardware keys) can further decrease your chance of being compromised.
Failed Client-Side Controls
The client made the mistake of not calling Cindy to confirm that her bank account information had changed. Failing to confirm banking information changes is more common than one would think. I’ve seen this happen numerous times.
When bank information changes for any large payment you are processing, it should be standard procedure to call and confirm that the recipient made the change on purpose. This is a strong control that can help prevent fraud. It does provide real protection, but that protection has begun to erode as advanced voice-cloning technology has become widely available.
The Aftermath and Changes Made
This incident has proven to be an ongoing ordeal for Cindy. A week after the incident, she was referred to me, and we began migrating her away from her existing email provider, replaced her weak, reused passwords with longer, randomly generated ones stored in a password manager, and added MFA to every important account possible.
We also added properly configured advanced email filtering, Microsoft 365 account compromise detection, DNS threat filtering, computer monitoring, antivirus, endpoint detection and response (EDR), and strong MFA on Cindy’s critical accounts, and implemented a range of security policies designed to protect her data and Microsoft 365 environment from threats.
A Prevention Recap
Don’t reuse passwords – Password reuse makes breaking into your online accounts trivial, especially when you don’t have multi-factor authentication turned on. A password manager helps with this and saves you time and energy in the long run.
Always enable MFA – Turn it on for every important account.
Verify large money transfers – Confirm by phone or another independent channel. For first-time payments or any change in banking information, use a “second factor” (such as a phone call) to confirm payment details.
Hire a professional – Not everyone has time to tinker with cybersecurity tools. An expert can help you set up and maintain proper security controls.
While some midsize and most larger firms invest in endpoint security and employ email encryption or rely on secure managed networks—whether those networks are theirs or a provider’s—many smaller firms and solo practitioners simply do not.
For many professionals, investing in cybersecurity adds a layer of protection that is often worth every penny—though for some this is recognized only in hindsight. These proactive steps require effort, but they cost far less than discovering too late that your defenses were not enough.