For all the media coverage that cyber security has attracted over the past couple of months, many businesses I speak to still struggle to understand how cyber crime can target small business.
The reality is that cyber attacks and scams are increasingly common, with the ACCC’s Targeting Scams report showing businesses lost $132 million to scams in 2019.
Don’t think you or your business will ever be the target of a cyber attack? We recently had a client approach us after she experienced a cyber attack. Her story might surprise you.
— — — — —
Rachel* is a smart, tech-savvy lawyer and sole trader in her own practice.
She receives and sends emails and documents constantly throughout the day — these can contain evidence for a case, invoices, meeting notes or any number of other things. A lot of these exchanges contain sensitive information.
One day, Rachel receives an email requesting her to click on a link to access a legal brief via a document sharing service. The email, sent by Peter*, an administrative employee at an established law firm, looks legitimate and consistent with other briefs Peter’s firm commonly sends Rachel.
The link in the email takes Rachel to a fake Microsoft login page that also looks entirely legitimate and prompts her for her user ID and password.
She frequently has to enter passwords to access different document management services, but she has not heard of this particular one, so she acts carefully. Googling the document management service shows it as a ‘document exchange service’.
She scans the results and briefly checks whether there are any other Google entries; nothing indicates it is a scam or anything suspicious. Figuring there is nothing out of the ordinary, Rachel enters her username and password and moves on to other work. A search confirming that a service exists says nothing about whether this particular page belongs to it or to Microsoft; the address in the browser bar, not the look of the page, is what tells you where the credentials are going.
Returning to her desk 20 minutes later she discovers about 30 text messages, phone calls, emails, and even a LinkedIn message from people (including complete strangers) saying “I think you have been hacked”. Her heart sinks when she realises what has happened.
Within minutes of Rachel entering her credentials on the fake page, the attacker had logged in to her Outlook mailbox and sent an email to every address in it, including anyone who had been a recipient or CC on any email. All of her clients, and even complete strangers who had received group emails or newsletters, had received a message from her.
The outgoing message itself was inconsistent with Rachel’s writing style, causing some recipients to treat it as suspicious and call her to confirm.
Others called her to check why Rachel had shared a document via a link, something she hadn’t done before.
Thankfully, the email filters of many of her friends and clients detected the malicious email and blocked it before it could cause harm.
The attacker was thorough: they had set up an automated rule in Rachel's mailbox so that if anyone emailed her to ask whether her document-sharing link was genuine, a reply went straight back saying it was legitimate and to give it another go.
Rachel didn’t know this was happening until someone told her and she found a batch of these replies in her Outlook Sent folder.
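The auto-reply rule is a standard account-takeover move: attackers add inbox rules that answer, forward, hide or delete the very messages that would tip off the owner. The Python script below, an added example and not code from the original article, triages a mailbox's inbox rules for those patterns. It assumes the rules were exported from Exchange Online with Get-InboxRule -Mailbox (user) | ConvertTo-Json and that the property names it reads (Name, Enabled, Description, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords) match that export; the address format inside ForwardTo/RedirectTo entries and the assumption that a server-side reply action only appears in the Description text are also assumptions. The three sample rules are constructed for the example and rachel-law.example is a placeholder domain.

```python
# Added example: triage exported inbox rules for account-takeover patterns.
# Assumed input: JSON from `Get-InboxRule -Mailbox <user> | ConvertTo-Json`.
import json
import re

# Words an attacker's rule typically keys on: they want to intercept the
# "is this link genuine?" / "you've been hacked" replies before the owner sees them.
SUSPICIOUS_WORDS = re.compile(
    r"hack|phish|scam|suspicious|fraud|genuine|legit|password|link|invoice|payment", re.I)
# Folders where intercepted mail is parked so it never shows in the inbox.
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "junk",
                  "archive", "conversation history")
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: one benign rule and two attacker-style rules, in the
# shape (assumed) that ConvertTo-Json gives a Get-InboxRule result.
SAMPLE_RULES_JSON = json.dumps([
    {"Name": "Newsletters", "Enabled": True,
     "Description": "If the message was received from 'news@lawsociety.example' "
                    "move the message to folder 'Newsletters'",
     "MoveToFolder": "Newsletters", "ForwardTo": None, "RedirectTo": None,
     "DeleteMessage": False, "SubjectContainsWords": None, "BodyContainsWords": None},
    {"Name": ".", "Enabled": True,
     "Description": "If the message includes 'hacked' or 'genuine' or 'link' have "
                    "server reply using 'It is legitimate, please try again' and "
                    "move the message to folder 'RSS Feeds'",
     "SubjectContainsWords": ["hacked", "genuine", "link"],
     "BodyContainsWords": ["hacked", "genuine", "link"],
     "MoveToFolder": "RSS Feeds", "ForwardTo": None, "RedirectTo": None,
     "DeleteMessage": False},
    {"Name": "Invoices", "Enabled": True,
     "Description": "If the message includes 'invoice' in the body forward it to "
                    "\"billing\" [SMTP:billing.rachel@gmail.example] and delete it",
     "BodyContainsWords": ["invoice"], "SubjectContainsWords": None,
     "ForwardTo": ["\"billing\" [SMTP:billing.rachel@gmail.example]"],
     "RedirectTo": None, "DeleteMessage": True, "MoveToFolder": None},
])


def _addresses(value) -> list[str]:
    """Extract SMTP addresses from ForwardTo/RedirectTo entries, which the export
    is assumed to render as strings such as '"Name" [SMTP:user@domain]'."""
    if not value:
        return []
    if isinstance(value, str):
        value = [value]
    return [m.group(0).lower() for v in value for m in ADDRESS.finditer(v)]


def triage_rule(rule: dict, internal_domain: str) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule cannot act

    words = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    keyed_on = sorted({w for w in words if SUSPICIOUS_WORDS.search(w)})
    if keyed_on:
        findings.append(f"keyed on suspicious words {keyed_on}")

    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:  # attackers favour nondescript names like "." or ",,"
        findings.append(f"nondescript rule name {name!r}")

    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in _addresses(rule.get(field)):
            if not addr.endswith("@" + internal_domain.lower()):
                findings.append(f"{field} external address {addr}")

    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if any(h in folder for h in HIDING_FOLDERS):
        findings.append(f"hides matching mail in '{rule['MoveToFolder']}'")
    # Assumption: a server-side reply action is visible only in the Description text.
    if re.search(r"\breply\b", rule.get("Description") or "", re.I):
        findings.append("auto-replies to matching mail")
    return findings


def triage_mailbox(rules_json: str, internal_domain: str) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule in the JSON export."""
    rules = json.loads(rules_json)
    if isinstance(rules, dict):  # ConvertTo-Json emits a bare object for a single rule
        rules = [rules]
    return {r.get("Name", "?"): triage_rule(r, internal_domain) for r in rules}


if __name__ == "__main__":
    for rule_name, found in triage_mailbox(SAMPLE_RULES_JSON, "rachel-law.example").items():
        print(f"{'SUSPICIOUS' if found else 'ok':10} {rule_name!r}: {'; '.join(found) or '-'}")
```

To use it on a real mailbox, replace SAMPLE_RULES_JSON with the contents of the exported file and pass your own domain. Anything it flags should be read in full rather than deleted on sight, and a flagged rule is only one part of the clean-up: the rule is removed, the password is reset and any active sessions are revoked, otherwise the attacker simply recreates it.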
Rachel later learnt that one person who received the malicious email from her hacked account had become a victim as well. They had to pay an expert to get back into their own system (and replace their hard drives).
Peter’s firm also had to pay a significant ransom to get back into their computer system.
Unfortunately, cases like Rachel’s aren’t rare. Last year, Australians lost $231 million to ransomware, and these are just the reported cases.
Cyber criminals research the businesses they target and often have tools that make their emails look real and legitimate. Victims are often embarrassed when something like this happens, and would rather pay money to make the issue go away.
Even though Rachel was embarrassed about what happened, she wanted to do something about it. She had her PC rebuilt, enabled two-factor authentication on her accounts (so that a stolen password alone is no longer enough to log in) and learnt more about how she can better manage her cyber risk in the future.
If her story has made you wonder what sensitive information your business might have, and the vulnerabilities that could be exploited by cyber criminals, then consider taking similar steps to safeguard your business for the future.
*Names have been changed to protect the identity of those involved.