An hour ago, I found Cheryl’s profile on LinkedIn. I know who she is, because she’s in a picture with the CEO on their company’s Instagram feed. And I know what the CEO looks like, because I saw his picture in a publication recently. They aren’t a very big business, and this will help.
It’s Monday, about 9:30am her time. Cheryl is usually dealing with client billing; there’s always an invoice with a mistake. Today there are more than usual.
My bot has been busy for the last few weeks helping me find a door into their network. It didn’t take long to get someone to enter their username and password into one of my fake vendor emails. That gave me access to a computer; a couple of hours of hacking around and another weak admin password later, I have full access to everything.
That weak admin password – that’s how I know there are more invoicing mistakes than usual – and that Cheryl has a company credit card.
Small businesses think they are safe because they aren’t a big enough target, but I’m more than happy to go after the millions of small businesses that never make the news; flying below the radar is where I love to be. This company thinks its antivirus software will protect it, but that doesn’t stop me from running remote scripts. Their Achilles heel? Trust. They know each other well, and a side errand won’t seem weird.
They could have easily prevented this with some phishing awareness training for their staff and better email security. I’ve also been stopped in my tracks by strong passwords and important accounts locked behind multifactor authentication. I can get a password, but I can’t easily get to the security code; it’s just not worth the time when there are so many other people without these protections.
Sorry, I’ve got to go… I’m ready to send my final message: a spoofed email to Cheryl from her boss, the CEO. She’s distracted and probably freaking out about the invoices, so she won’t pay much attention to my request. I should have a few untraceable gift card codes in my inbox shortly.
We meet these people every day; doing our job right means our clients never know. Ignite Solutions Group is a cloud technology and consulting services firm empowering Hawaii businesses, non-profits, and education institutions to achieve more. View and download a copy of our “7 Ways to Spot a Phishing Email” infographic.
Ignite Solutions Group
1110 Nuuanu Ave B12, Honolulu, HI 96817
(808) 450-2693 | ignitetheday.com