A new client came to me after they had lost $325,000 in a hack. How did it happen?

While I’m always happy to take on a new client, it’s not always under fortunate circumstances. Earlier this year, I was referred to someone who was a bit panicked. An attacker had stolen $325k from this new client via a simple digital compromise. But what really happened, and how?

Cindy was embarrassed, and more than that, she was terrified. This wasn’t just about losing money; it was the reputation of her business and the trust of her clients at stake. She hadn’t done anything wrong, though.

Cindy used a monolithic domain registrar company with a large sales team to host her website and email. They assured her if she paid extra money every month, her email and web domain would be safe. The extra security package included email filtering that hadn’t been configured, archiving that wasn’t very helpful, and a serious lack of security controls. The sales team had done a good job explaining to her that it would all be fine. And how was Cindy to know? She’s not a cybersecurity expert. Nor should she be. She was busy focusing on running a business.

How it happened:

This all transpired when a malicious cyber threat actor slipped into Cindy’s email unnoticed. It appears that Cindy experienced a Business Email Compromise (BEC), which is where a threat actor gained access to Cindy’s email. Cindy was reusing passwords, and her email provider was not enforcing MFA (Multi-factor Authentication) while claiming to provide a secure service. For clarification, claiming to have great security, and not enforcing MFA, are completely incongruent concepts.

According to the FBI, between 2013 and 2023 there were over $55 billion in reported losses due to Business Email Compromise. The real value lost is likely higher.

When Cindy reused her email password on another service, and that password was leaked in a data breach, threat actors took advantage of a classic low-tech attack called “credential stuffing.” In this attack, hackers use previously stolen passwords to gain access to accounts on different websites, including email.

The Key Security Gaps

Because there was no MFA on the account, the threat actor was able to sail right on into Cindy’s email. Once there, the threat actor started performing reconnaissance. At this stage, the threat actor reads emails going both in and out of the account. They see everything Cindy sees… including details about a pending payment for $325k. Before Cindy could send the invoice for the full amount owed to her, with Cindy’s bank account info on it, the threat actor sent a fake invoice with the threat actor’s bank info on it.

The threat actor not only closely monitored her email for any correspondence from Cindy’s client, but they also created sneaky email rules that would move any emails coming in from the client into an email folder that would prevent the email from being seen in Cindy’s inbox. Cindy would never see the threat actor’s email leave or enter her account.
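The inbox rules described above leave a trail: in Microsoft 365, every rule creation is written to the audit log as a New-InboxRule or Set-InboxRule operation, and rules that move mail from a particular sender into an out-of-the-way folder, delete it, or mark it read are the classic BEC hiding pattern. The following is an added example, not code from the original post or from Be Co, showing how a defender could scan such audit records for that pattern. The record shape mirrors the Unified Audit Log's Operation/Parameters layout, but all names, addresses, IPs and timestamps below are constructed for the example, and the folder list and keyword list are assumptions a practitioner would tune to their own tenant.

```python
import json
import re

# Folders attackers commonly pick because nobody looks there (assumed list, tune per tenant).
HIDING_FOLDERS = {
    "RSS Subscriptions", "RSS Feeds", "Archive", "Conversation History",
    "Junk Email", "Deleted Items",
}
# Words that suggest a rule is targeting payment correspondence (assumed list).
PAYMENT_WORDS = {"invoice", "wire", "bank", "payment", "ach", "routing", "remittance"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample audit records (JSON lines). Values are invented for this example.
SAMPLE_AUDIT_LOG = [
    json.dumps({
        "CreationTime": "2024-03-04T09:12:41", "UserId": "cindy@example.com",
        "Operation": "New-InboxRule", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "From", "Value": "accounts@client-example.com"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2024-03-04T09:13:02", "UserId": "cindy@example.com",
        "Operation": "New-InboxRule", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "cleanup"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;bank"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({  # a benign rule: moves a newsletter into a normal, visible folder
        "CreationTime": "2024-03-01T15:30:00", "UserId": "cindy@example.com",
        "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor-example.com"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    "not valid json",  # malformed line, must be skipped rather than crash the scan
]


def _params(record):
    """Flatten the Parameters list into a simple name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_rule(params):
    """Return the list of reasons a rule looks like BEC-style mail hiding (empty if benign)."""
    reasons = []
    name = params.get("Name", "")
    if not name.strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    folder = params.get("MoveToFolder", "")
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail into rarely viewed folder '{folder}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    # Look at every *ContainsWords-style condition and split it into whole words.
    text = " ".join(v for k, v in params.items() if "Contains" in k).lower()
    words = set(re.split(r"[^a-z]+", text))
    hits = sorted(PAYMENT_WORDS & words)
    if hits:
        reasons.append("matches payment keywords: " + ", ".join(hits))
    return reasons


def analyze_inbox_rules(lines):
    """Scan JSON audit lines and return findings for suspicious inbox-rule changes."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed input instead of aborting the whole scan
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(record)
        reasons = score_rule(params)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "rule_name": params.get("Name", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_inbox_rules(SAMPLE_AUDIT_LOG):
        print(f["time"], f["user"], f["client_ip"], repr(f["rule_name"]), "; ".join(f["reasons"]))
```

Two of the three constructed rules are flagged: the one that silently files the client's mail into "RSS Subscriptions" and the one that deletes anything mentioning invoices, wires or banks; the newsletter rule produces no findings. In practice the ClientIP on a flagged rule, compared with the user's usual sign-in locations, is often the first concrete evidence of which session the attacker was using.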

Failed Client Side Controls

The client made the mistake of not calling Cindy to confirm that her bank account info had actually changed. Failing to confirm banking information changes is sadly more common than one would think. I’ve seen this happen numerous times. When bank info changes for any large payment you are processing, it is a good idea to call and confirm that change was made by the recipient on purpose. This is a strong control that can help prevent fraud from taking place. While it does provide some protection, these protections begin to erode with advanced voice cloning technology that has become widely available.

Weak passwords and no MFA create an open door for attackers. Microsoft notes that MFA prevents 99.9% of account compromises.

The Aftermath and Changes Made

After the money had been paid to the threat actor, it was a serious wake-up call for Cindy. A week or so passed after the incident before Cindy was referred to me. We then started the process of moving her away from her existing email provider, changed her weak, reused passwords to long, randomly generated ones stored in a password manager, and added MFA to every important account possible.

We also added (properly configured) advanced email filtering, Microsoft 365 account compromise detection, DNS threat filtering, computer monitoring, antivirus/EDR (endpoint detection and response), and strong MFA to Cindy’s accounts, enrolled her with a managed password manager, and enacted policies to secure her Microsoft 365 tenant.

Cindy is still fighting to get her money back, but at least we can rest easier that this likely won’t happen again in the future. It all started with a single missing payment… $325,000, gone in an instant. But with the right precautions, you can prevent this nightmare scenario from unfolding in your own inbox.

How to Prevent This

  • Don’t reuse passwords – Password reuse makes breaking into your online accounts trivial, especially when you don’t have two-factor authentication turned on. A password manager helps with this process and saves your time and energy in the long run.

  • Always enable MFA – A simple way to prevent 99.9% of attacks on your accounts, according to Microsoft research.

  • Verify large money transfers by phone – For first-time payments or any changes in banking information, use a “second factor” (such as a phone call) to confirm payment details.

  • Hire a professional – Not everyone has time to tinker with cybersecurity tools. An expert can help you set up and maintain proper security protocols.

Be Co Wants to Help

Be Co is actively seeking clients who want to prevent situations like Cindy’s from happening in their own businesses. Don’t wait until a cyber criminal steals your next big payment; let’s put safeguards in place now. At Be Co, we believe “an ounce of prevention is worth a pound of cure.” There’s no need to experience this kind of breach personally. Schedule a consultation today to see how we can protect your organization.

Randall Bellows III

Founder of Be Co - Technology Consultant, vCIO, Creative

https://beco.technology