Human cost of a phishing attack (Part 1)

Egress | 22nd Jul 2021

After years of long hours in junior roles, Emma finally landed her dream job in the finance team of a prestigious law firm. She proudly updated her LinkedIn profile, sharing the news with her ex-colleagues. Two weeks later though, her new organisation would be a national news story, desperately trying to keep hold of existing clients after a devastating case of business email compromise.

And Emma would be looking for a new job.

This scenario is fictional – but it’s not fantasy. Incidents like this happen every day. Egress research shows that 94% of organisations have suffered a data breach in the last 12 months, with 73% experiencing a serious breach directly from a phishing attack. The business costs of remediating a breach, paying regulatory fines, and losing customers through damaged reputation are well-reported.

However, there’s an often-overlooked human cost to factor in too. In this post, we’ll explore how a highly targeted phishing attack plays out and how it can affect a business from top to bottom. Here’s how easily a normal workday can turn into a disaster for a whole cast of human characters.

The phishing victim

It’s Friday afternoon and Emma is working remotely. She’s rushing to get her inbox down so she can finish and get on with her plans for the evening. As she’s working, an email from the company CEO pops into her inbox with the subject line, “Urgent – please complete asap.” Emma is frustrated to be given a new task so late in the day, but she hasn’t spoken with the CEO since joining and doesn’t want to disappoint the most senior member of the team.

The CEO is requesting that she processes an urgent invoice to a partner organisation. It’s a large sum of money. Emma hesitates, wondering if she should ask her line manager for help, but decides she wants to prove herself capable of handling c-suite requests on her own. She knows her manager is in meetings and doesn’t want to disturb her with a video call. Emma makes the transfer and carries on with the rest of her tasks.

As the afternoon wears on, Emma starts to feel uncomfortable about the payment. It hadn’t followed the normal process she had been using during her time at the firm. Remembering her cybersecurity training, she re-opens the email and checks the CEO’s email address – it was genuine. And she knows for a fact that the partner organisation is real.

Still feeling unsure, she calls her line manager. As her line manager makes a few checks on his computer, his face drops, and he says he needs to call the CISO immediately. Emma’s heart sinks. Her situation is deeply stressful but sadly not unique – our research shows that 48% of employees within the legal industry have been targeted with executive impersonation over the last 12 months.

The CISO

It has turned into a late Friday night for the law firm’s CISO. She has difficult questions to field from the CEO and other members of the c-suite about how a mistake this big has been allowed to happen: Why have their security systems failed? Why weren’t proper process followed by the finance department? When was cybersecurity training last carried out?

Worse still, she receives some further bad news from the security team. They’ve investigated the incident and discovered that the source of the business email compromise was not email spoofing, but account takeover. The cybercriminals have gained access to the CEO’s login credentials, and accessed other applications beside email. They have exfiltrated confidential data alongside the scam payment.

The CISO puts her head in her hands, as she now faces the task of contacting the firm’s clients to let them know their data has been put at risk. She feels like the damage has already been done and she is fast losing control of the scale of situation. Unfortunately, her firm is not alone. Only 27% of IT leaders across all industries say they would be alerted to a breach in real time by their security technology.

The CEO

At first, the CEO is furious. He cannot believe that an employee made such a disastrous mistake. He is one of the founders of the firm, and has spent years building its reputation. The CISO had tried to deflect blame onto outdated security. If she had been given budget to upgrade to a more intelligent anti-phishing solution, the incident would have been caught. But he doesn’t want to hear excuses.

The CISO messages him, asking if he knew how his account details could have been compromised? Had he seen any signs of his computer being hacked? Does he share passwords with anyone? How many applications does he use the same password for?

As the CEO calms down and stops to think, he begins to worry. He remembers the previous week, he received an email asking him to log in to the company payslip viewing service – or he’d lose his access. After he entered his email address and password into the portal, the screen had refreshed and he’d had to do it again. He had already been stressed out and busy, so chalked the refresh up to a minor bug and dismissed it.

With a sinking feeling, he retrieves the reminder email. This time he reads it carefully, noticing the “You’re” instead of “your” in the subject line. The .ru domain name as he hovers over the link. The ever-so-slightly incorrect application name in the spoofed email address. He reluctantly picks up the phone to the CISO, knowing that someone of his profile may have to resign. In 23% of organisations, employees hacked via phishing emails are fired or leave voluntarily.

Ready for part 2?