Up until then, I had considered myself careful and cautious. I don’t open emails with attachments that come from people I don’t know. I don’t even usually open attachments from people I do know if I’m not expecting them. However, that is exactly how I exposed my business to risk. I tried to log into my Microsoft Office account through a link that had supposedly come from my accountant.
I thought I was being very careful. When I saw the email, I emailed back to ask whether the document was intended for my eyes. In hindsight, I can see this was a reckless error. Since the email was a spoof, of course the hacker wrote back to say the attachment was intended for me. I could not open my Office account, because the attachment was fake, and I had the presence of mind to change my password almost immediately. But I did not discover until the following day that my accountant’s email had been hacked.
That was enough time for the hacker to get into my emails and send off some fake emails to three of my clients, asking them to pay their invoices on an expedited basis, because I was supposedly “cash-strapped”. Two of the clients contacted me, and we were able to establish that the emails did not come from me. However, the third client had a lengthy email exchange with the hacker, which resulted in them sending money to a bank account in Quebec. No doubt the funds have long since left that bank account.
The hack resulted in my having to report to the Law Society, the Lawyers Insurance Fund, all my clients, my bank, my insurance company, and the police. Even though the monetary amount lost is relatively small, the amount of time I’ve spent agonizing over what happened, trying to ensure my system is now safe, and dealing with the fallout is the biggest loss.
The lesson I have learned, and I pass this on to you for what it’s worth, is that you can never be careful enough. If an email seems in the least bit strange, pick up the phone and call the person who supposedly sent you the email. And DON’T USE THE PHONE NUMBER IN THE EMAIL! Call the number you know or look it up.
In retrospect, my clients could see the language in the email was not language I would use. And I would certainly never say I was short of money. But in the heat of the moment, it’s easy to gloss over our initial surprise and try to help someone we know.
Here are some tips to help keep your business safe: