The cyber and digital landscape poses unique and never-before-seen dangers for all businesses, but especially for family business owners. Such companies rarely have the kind of robust corporate IT department that the big MNCs have. Fraudsters know this and specifically target such owners, whom they perceive as easy targets. The fictional case below is based upon my years of investigating frauds and crimes in this space.
Rhea Chandan had a guilty pleasure. At 44, as the CEO of a mid-sized financial family business firm, she had to maintain a certain image. Reading trendy fashion magazines and subscribing to select fashion-aggregator newsletters to keep up to date on the latest developments in the fashion world may strike some as an unusual interest for a high-powered corporate executive and mother of two daughters. Yet Rhea did not let societal and corporate expectations distract her from her weekly Wednesday reading of the Zenith newsletter, which she had stumbled upon many months ago while reading about fashionable skirts on a website.
It was a Tuesday in May 2016 when she received the newsletter in the middle of a tense meeting with her CFO. While the CFO droned on, she absentmindedly opened the newsletter on her Android phone. At the back of her mind she noticed that it seemed near identical to last Wednesday’s newsletter, save for a prominently displayed link at the top. She clicked the link and was directed to a website that contained some text in Russian. Confused, she went back to her email and clicked it once again. The same thing happened. She closed her phone’s browser and deleted the email, rationalizing that the author of the newsletter had probably sent it out by mistake. She refocused on her discussion with the CFO. Half an hour later, while explaining a potential acquisition, her phone beeped, and as she picked it up she realized it felt very hot. The battery had also drained. “Phones seem to barely last a few months these days,” she muttered as she plugged her phone into her laptop to charge and continued with the rest of the discussion.
Several months later, at the annual board meeting, Rhea was facing the heat of her past decisions. The business had suffered massive losses in recent months and she wasn’t able to explain what had happened. All the firm’s recent bids for work had been undercut on price by their main competitor. To make matters worse, the competitor was seemingly always one step ahead of them in developing new product offerings, many of which Rhea had thought were her firm’s original ideas. Rhea had thought bringing in a professional management board was a good idea, but now they were giving her an ultimatum: either improve in the next 6 months, or they would push her out of her own family business.
She spent the rest of the year trying to understand what may have gone wrong. Her father hadn’t been able to help her, besides telling her this was common in business. Six key staff members had left the firm for better opportunities. The innovation team’s request for funding had been turned down and it appeared that in 3 months, all team members would leave. The CFO had suggested cutting down on the marketing budget and a war of words had ensued between him and the marketing leader. Plus, the media had published an article on the state of affairs in the firm, in effect questioning her leadership. Dealing with all this was made worse by her laptop and old phone slowing down significantly, losing battery within 30 minutes and frequently hanging. She hoped the next year would give her some respite.
Fortunately, it did. She got her laptop upgraded and recently received an iPhone as a gift for her wedding anniversary. Soon after, her spate of bad luck with bids for work changed and suddenly the firm was looking to be in the black. Unknown to her, replacing those two devices had just saved her job and restored her company’s fortunes.
What went wrong?
In February 2016, Rhea signed up for the Zenith newsletter by clicking on an ad she saw while browsing the web for fashionable skirts. Unknown to her, the website recorded all ad clicks and matched that data against user profiles to identify who had clicked on the ad. The website in question suffered a massive data breach shortly after, which it did not disclose to the public. The breached data swirled around the dark web for some time before it found its way into the hands of a corporate espionage hacker group. They searched the data for high-profile targets and found Rhea’s details. They hatched their plan shortly after.
It was a simple plan: send a spear-phishing email to Rhea, imitating the Zenith newsletter. They sent it on a Tuesday, a day before the genuine newsletter was released, so that Rhea would be enticed to open it thinking it might be an exclusive invitation to check out a new brand. They copied the previous week’s newsletter in its entirety except for the link, which directed the user to a domain that would silently download and install malware onto the user’s device.
The plan worked. Once Rhea had connected her phone to her laptop, the malware was able to transfer onto the laptop as well. On both her phone and her laptop, the malware silently executed a number of scripts which uploaded all Word, Excel, PowerPoint and Outlook files to a remote server controlled by the hackers. Crucially, it only did so when it detected that the devices were connected to her home Wi-Fi network, so that her corporate IT team would not notice the anomalous data transfer. Pinpointing her location was easy, since they had her home address, which she had entered on Facebook while creating a profile five years ago.
The hackers sold all the information uploaded by the malware to Rhea’s firm’s main competitor, which used it to price its bids differently and launch new products ahead of Rhea’s firm. However, once she changed her laptop and phone, the hackers’ access to her data was cut off. Subsequently, the new software installed by the IT team on her laptop was capable enough to detect another spear-phishing attempt (using the same modus operandi as before) and automatically deleted the email, marking it as spam.
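The detection the IT team’s software performed at the end of the story is not described in any detail, so the following is an added example (not the article’s code, nor any particular vendor’s) of how a mail gateway can catch this exact pattern: an issue that is a near-copy of the last genuine newsletter, arrives off-schedule, or carries a link to a domain that newsletter has never linked before. The newsletter text, dates and domains (zenith-fashion.example, zenith-preview.example, brand-a.example, brand-b.example) are constructed for illustration.

```python
"""Added example: profile-based look-alike newsletter detection.

The gateway keeps a small profile of the last known-good issue of each
subscription (sending domain, usual weekday, word sequence, link domains)
and scores each new issue against it.  All sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import difflib
import re
from urllib.parse import urlparse

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def link_domains(body: str) -> set[str]:
    """Lower-cased host names of every http(s) link in the body."""
    hosts = (urlparse(u).hostname for u in LINK_RE.findall(body))
    return {h.lower() for h in hosts if h}


@dataclass
class NewsletterProfile:
    """What the last known-good issue of a subscription looked like."""
    sender_domain: str
    weekday: int                 # 0 = Monday ... 6 = Sunday
    words: list[str]
    link_domains: set[str]

    @classmethod
    def from_issue(cls, sender_domain: str, received: date, body: str) -> "NewsletterProfile":
        return cls(sender_domain.lower(), received.weekday(), body.split(), link_domains(body))


@dataclass
class Verdict:
    suspicious: bool
    similarity: float            # 0.0 .. 1.0, word-level overlap with the last issue
    reasons: list[str] = field(default_factory=list)


def check_newsletter(profile: NewsletterProfile, sender_domain: str, received: date,
                     body: str, near_identical: float = 0.8) -> Verdict:
    """Compare an incoming issue with the profile and explain the verdict."""
    reasons: list[str] = []
    # Word-level comparison; autojunk=False so common words are not discarded.
    similarity = difflib.SequenceMatcher(None, profile.words, body.split(), autojunk=False).ratio()
    new_domains = link_domains(body) - profile.link_domains
    sender_ok = sender_domain.lower() == profile.sender_domain
    off_schedule = received.weekday() != profile.weekday

    if not sender_ok:
        reasons.append(f"sender domain {sender_domain} differs from {profile.sender_domain}")
    if off_schedule:
        reasons.append(f"arrived on weekday {received.weekday()}, usual weekday is {profile.weekday}")
    if new_domains:
        reasons.append("links to never-seen domain(s): " + ", ".join(sorted(new_domains)))
    if similarity >= near_identical:
        reasons.append(f"body is {similarity:.0%} identical to the previous issue")

    # Decision: a look-alike sender is enough on its own.  Otherwise a new link
    # target only matters when the issue is a near-copy of the last one or is
    # off-schedule; a fresh issue that links to a new brand is normal.
    suspicious = (not sender_ok) or (bool(new_domains) and (similarity >= near_identical or off_schedule))
    return Verdict(suspicious, round(similarity, 3), reasons)


# --- constructed sample data -------------------------------------------------
GENUINE_ISSUE = """Zenith Weekly: the Wednesday edit.
This week we look at pleated midi skirts, the return of linen and three
labels to watch before summer. Read the full skirt round-up at
https://zenith-fashion.example/issues/22 and shop the linen picks at
https://brand-a.example/linen
See you next Wednesday."""

# The attacker's copy: last week's text verbatim, plus one new link on top.
CLONED_ISSUE = ("EXCLUSIVE: a new label is launching today, preview it first at\n"
                "https://zenith-preview.example/launch\n" + GENUINE_ISSUE)

# The real next issue: new text, on schedule, linking a brand not seen before.
NEXT_GENUINE_ISSUE = """Zenith Weekly: the Wednesday edit.
Shoes take over: chunky loafers, ballet flats in metallics and the
sandal everyone is pre-ordering. Our loafer guide is at
https://zenith-fashion.example/issues/23 and the flats we love are at
https://brand-b.example/flats
See you next Wednesday."""

PROFILE = NewsletterProfile.from_issue("zenith-fashion.example", date(2016, 5, 4), GENUINE_ISSUE)


def run_samples() -> dict[str, Verdict]:
    """Score the Tuesday clone and the genuine Wednesday issue against the profile."""
    return {
        "cloned": check_newsletter(PROFILE, "zenith-fashion.example", date(2016, 5, 10), CLONED_ISSUE),
        "genuine_next": check_newsletter(PROFILE, "zenith-fashion.example", date(2016, 5, 11), NEXT_GENUINE_ISSUE),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: suspicious={verdict.suspicious} similarity={verdict.similarity}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The clone is flagged on two independent grounds (it arrived on a Tuesday and carries a link to a domain the newsletter never used) even though the sending domain matches, while the genuine next issue, which also links to a brand-new domain, passes because its text is fresh and it arrived on the usual day. In a real deployment the profile would be updated from issues that pass review, and the verdict would feed the gateway’s quarantine rather than a print statement.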