Real-world small business hacking case studies illustrating attack vectors, situations, remediations, and lessons. Share to raise awareness.
Invoice hack
Attack: Through social engineering, a malevolent actor gained access to a fabrication business supplying the mining industry. They replicated a large invoice with altered bank details and sent it to the accounts department, who paid it.
Outcome: The money could not be recovered. The company nearly collapsed but is still trading, and retained the accounts person who paid the invoice. The fraud was not reported.
Lesson: On large invoices, check that the bank details are the same as those previously used.
Ransomware
Attack: The owner's laptop, which was not covered by backups, was compromised with ransomware that spread to the corporate server. Backups restored the server, but the owner paid a ransom for his laptop data.
Outcome: The payment resulted in 85% of the files being restored. We removed hidden ‘heartbeat’ malware to prevent future extortion attempts.
Lesson: Security should be layered. An audit is worth the investment to identify weaknesses before they are exploited.
Fake invoice
Attack: Scammers cloned a client’s website and email address, requested a statement, and used it to generate a fake invoice for a six-figure payment with changed bank details.
Outcome: The accounts department verified the change, preventing the fraud. We traced the attempted hack back to a salesman who had deleted the related emails, thinking he was at fault.
Lessons:
1. Always corroborate changes to bank details.
2. If a mistake is made, do not cover it up.
Email interception
Attack: A purchaser paid over $150K to what they believed was their settlement agent. The funds were intercepted by scammers and lost.
Outcome: No recovery was possible.
Lesson: Email addresses can be spoofed. Verify suspicious requests by checking the 'Original Message' in Gmail or by calling the sender.
Invoice fraud
Attack: Inoteq paid a fraudulent invoice of $192,000 as a result of a supplier’s breached systems. They attempted to withhold payment from the supplier but lost in court.
Outcome: Inoteq incurred legal costs and was held liable for the payment.
Lesson: Courts place the responsibility for verifying payment details on the paying business.
Impersonation
Attack: A cybercriminal impersonated the business founder via a similar email address, convincing the manager to transfer over $50,000.
Outcome: Only a portion of the funds was recovered.
Lesson: Any unusual funds transfer request should be verified in person or by phone with another team member.
Phone scam
Attack: A scammer posing as a Telstra technician convinced the business to reset its modem, gaining access and redirecting a $50,000 payment.
Outcome: The bank did not cover the loss.
Lesson: Never provide access or passwords to unsolicited callers. Confirm a technician's identity by calling Telstra directly or by using the My Telstra app.
Fake invoice
Attack: Scammers compromised a supplier’s email and sent a fake invoice, nearly costing the business $900,000.
Outcome: Bendigo Bank recovered the funds thanks to quick action.
Lesson: Always verify bank detail changes by phone.
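Four of the cases above (the invoice hack, the cloned-client fake invoice, the Inoteq payment and this one) share one control: hold any invoice whose bank details differ from the details the supplier was last paid with, and release it only after a phone confirmation. The following is an added example, not code from the original page, of that check as it might sit in an accounts-payable workflow. The supplier names, BSB and account numbers, the large-invoice threshold and the invoices themselves are constructed for illustration.

```python
"""Hold supplier invoices whose bank details differ from those previously
used, and record new details only once they have been confirmed by phone.
Added example; supplier records, thresholds and invoices are constructed."""
from dataclasses import dataclass

# Constructed ledger: the BSB and account each supplier was last paid with.
KNOWN_BANK_DETAILS = {
    "acme fabrication": ("062-000", "12345678"),
    "mining supplies co": ("033-111", "87654321"),
}

# Assumption: above this amount a second approver must also sight the match.
LARGE_INVOICE_THRESHOLD = 10_000.00


@dataclass
class Invoice:
    supplier: str
    amount: float
    bsb: str
    account: str


@dataclass
class Verdict:
    release: bool   # True only if payment may proceed without a phone check
    reason: str


def _key(supplier: str) -> str:
    return " ".join(supplier.lower().split())


def check_invoice(inv: Invoice, known=KNOWN_BANK_DETAILS,
                  threshold: float = LARGE_INVOICE_THRESHOLD) -> Verdict:
    """Compare the invoice's bank details with the supplier's record on file."""
    on_file = known.get(_key(inv.supplier))
    if on_file is None:
        return Verdict(False, "new supplier: confirm bank details by phone on a "
                              "number obtained independently of the invoice")
    if (inv.bsb, inv.account) != on_file:
        return Verdict(False, f"bank details changed from {on_file[0]} {on_file[1]}: "
                              "hold payment and confirm the change by phone")
    if inv.amount >= threshold:
        return Verdict(True, "details match; large amount, second approver to sight the match")
    return Verdict(True, "details match the previously used account")


def record_confirmed_change(inv: Invoice, confirmed_by_phone: bool,
                            known=KNOWN_BANK_DETAILS) -> bool:
    """Update the ledger only after a phone confirmation; returns True if updated."""
    if not confirmed_by_phone:
        return False
    known[_key(inv.supplier)] = (inv.bsb, inv.account)
    return True


if __name__ == "__main__":
    # Constructed: a large invoice from a known supplier with a different account.
    suspect = Invoice("Acme Fabrication", 95_000.00, "062-000", "99999999")
    print(check_invoice(suspect))
```

The point of keeping the ledger update behind `record_confirmed_change` is that an emailed "our bank details have changed" notice never updates the record by itself; only the phone confirmation does, which is exactly the step that saved the business in the cloned-client case.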
Ransomware
Attack: A ransomware attack encrypted the business's systems, halting operations completely.
Outcome: The business survived and rebuilt its cybersecurity systems. Costs and ransom payment details were not disclosed.
Lesson: Proactive security measures are less costly than post-attack remediation.