The cyber attack
On the first day of the attack, Paige noticed that her business emails had been opened. Although it would have been easy to dismiss this, it is important to note that business emails are often the first target of a cyber criminal as they often contain customer and business information.
On the second day, she received an email that appeared to be sent by PayPal, informing her that someone in India had breached her business account and had successfully taken money out of it. The email requested she supply her business details in order to cancel the transaction.
This type of attack is often referred to as a phishing attack. It happens when a cyber criminal creates a website and email that mimic a legitimate organisation's website and email, with the aim of tricking the victim into disclosing their details.
On the third day, a second phishing email was sent to Paige, taking her to a well-designed but fictitious OneCard site which attempted to trick her into submitting her email and password. Behind the scenes, this gave Jason access to her business postal address, work Visa and Supermarket OneCard, which are all registered under her business address.
By reading her emails, Jason could see that she had made a customer services request to Vodafone. Using this to his advantage, he had one of his colleagues call her to gain her Vodafone login details. Jason later informed Paige that he could in fact have transferred her savings to a different account, or purchased anything under her name once he did this.
Saving your credit card details to sites, even if it makes things quicker and more convenient for you, compromises your security. Once someone has your login, Jason informed Paige, it’s only a matter of going through the retail sites you frequent to see which site has saved your entire credit card number.
On day four of the cyber attack, Paige woke to find she had been locked out of her business’s website server and WordPress accounts, where all of her customer data was stored. She was unable to cancel or book appointments and could not access her clients’ data. She realized her customer data had been compromised, along with employee details which were also held on the server.
Although it is not yet mandatory to notify customers in New Zealand if customer data has been lost, it is in Australia and it is likely New Zealand will one day follow suit. Losing customer data can severely compromise your business reputation and brand.
Paige received a call on the fifth day from her bank alerting her to a possible breach attempt which had been repelled by the bank, but on the sixth day, she was the target of a successful breach.
A man called and identified himself as a representative of Vodafone, requesting she confirm her address and Vodafone login details in connection with an inquiry she had made to have fibre broadband connected. After the phone call ended and she had given out her address, it occurred to her that the number wasn’t Vodafone’s and her account may have been breached.
In reality, Jason now had access to her Visa card number that had been saved in her Vodafone account.
Paige was forced to cancel her Visa card, which caused her even more inconvenience. She had to contact her stock supplier, who received automatic payments from her card, to let them know what had happened, and she also had to order a new card.
By day seven, Jason had also managed to gain access to Paige’s laptop through a hidden PDF file that was encrypted to open on her device. As soon as she opened the blank email, a malware programme installed itself onto her device.
This malware was powerful enough to shut down all of her system operations, including her business’s social media platforms and website. Jason was now able to deface her website or post any information on it that he wanted to, and Paige was powerless to stop it.