It’s easy to think of hacking as just one individual gaining access to sensitive financial data – however, there are more ways to hack a business than simply going for their computers and networks. While that’s certainly the most commonly-known method, there are other vulnerabilities within a business that organisations tend not to think about.
Here are some real-life hacking stories that don’t focus just on computer hardware – and cause just as much damage.
1. Phone system hack
You might wonder who still has a phone system in 2022, where everyone is available on mobile.
Businesses do. Business’ phone systems are integrated with the internet and publicly available. You can even call the business of your choosing from a web browser, and while businesses are still tied to premium rates for international numbers, the cost is far less than it is for individuals.
As the number is both publically available and accessible online, it needs to be secured. When a phone system is not secured, hackers can easily take advantage of your phone system and place premium calls that add up to billions of dollars – and with telecom companies not caring who placed the phone call, only that it was placed, it makes it difficult for victims to fight back.
In 2013, a small business in the United States – Foreman Seely Fountain Architecture – saw a phone bill of $166,000 worth of premium-rate calls to Gambia, Somalia, and the Maldives over a single weekend – a rate that would have taken them 34 years to make via legitimate calls. Their phone line had been hacked, and revenue generated in their absence.
2. Fax hacking
Although hacking a fax machine might seem a little out of the ordinary, in todays’ modern tech fax machines have become an online service, and from a cybersecurity perspective it makes perfect sense: since “fax machine” is now tied to the internet. As an oversight it’s usually forgotten from a cybersecurity perspective.
Hackers who gain access to an internet fax system also gain access to the email and the phone system. In one scenario, a hacker gained access to a company fax serviceand sent faxes to premium numbers. While the system couldn’t deliver them, the delivery attempt alone resulted in a significant overcharge bill that the victim had to pay to the telco provider.
3. Website hacking
Malware is an insidious virus. Not only can it be packaged into a seemingly innocuous email or file, it can take a significant amount of time to clean up, and do a lot of damage in the process – not just monetarily, but also to your business’ reputation. A website that is suspected to have malware is usually tagged on browsers such as Google Chrome and Microsoft Edge as ‘unsafe’. While a user can circumvent this and still access the website, the ‘unsafe’ labelling is a significant problem for businesses that rely on their website for profit as it can give them a reputation as being a scam. Furthermore, if the user doesn’t circumvent the browser’s recommendation, that is missed traffic.
A similar problem is hosting phishing pages, where the page itself can mimic a legitimate login but be created entirely to steal user credentials.
One of Eurograbber’s forms specifically attached itself to bank web-pages, and when users logged into their account to make a transaction, the virus was deployed through a request to enter mobile information, number, and operating system credentials. From there, it was also downloaded to the mobile device and gave attackers the leeway to transfer money out of a victim’s account.
In both examples, the website is rendered unusable for several months while the malware and phishing is removed, however there might be a greater issue at stake which is that the browser would no longer register the website as safe and would require detailed proof to delist it as a dangerous website. All of this will cost time and money.
4. Website email service hack
If your website automates its emails through services such as SendGrid or MailChimp, it can be vulnerable to an attack that sends emails through that subscription but at a much higher volume than normal. Most email service providers such as SendGrid have a cap on emails per month, and when you go over the limit, the fee increases.
A victim reached out to us after sendgrid blocked their account. , It was found out that the customer’s website was hacked and the amount of emails sent through SendGrid increased rapidly until SendGrid noticed there was a spike in usage and blocked the service. Not only did this render the website unusable for email delivery, the invoice for SendGrid was much higher due to the excessive amount of emails sent.
5. Business owner hack
Although it’s more likely that IT people will have full system access, some companies also allow full system access to the owner or the CEO. This is especially true for small businesses where the network is set up in the early days before they have an IT team on staff. Some of these accounts are not as well-secured as they could be, especially if they were set early on in a business’ life cycle, and hackers can easily gain access to the entire network through such an account.
From there, it’s easy to legitimise the hacked account by sending emails to users.
A victim reached out to us after they started sending emails without them actually sending them. It was found out that the exchange server was compromised, and though the server was put offline and cleaned thoroughly, the entirety of the mailbox had already been copied over. For a full year later, customers of the victim’s company were still getting fraudulent emails from the hacked account, which badly affected the company’s reputation.
6. IoT hacking
There’s been several cases in the news about hackers controlling baby monitors or wireless-enabled devices such as Alexa. This is because IoT devices are very often unsecured as they’re usually set up quickly and often forgotten about so long as they’re fulfilling their function without any issues. For example, when you set up a wifi-enabled home security system, very few people go to the trouble of using a complicated password.
IoT hacks can cost a lot of money to resolve for businesses, but the implications for personal safety are just as worthy of consideration. Additionally, there’s also attacks such as the Mirai botnet to consider: an October 2016 DDoS attack that used IoT devices to bring down big sections of the internet, such as Reddit, Twitter, and Netflix.
7. Mailbox spying
Some of the most devastating attacks aren’t immediately noticeable. Sometimes, a hacker gains access to a network and sits on that access until there’s a better opportunity to strike. In the case, a hacker gained access to a notary’s mailbox and waited until they saw an email they could exploit: a refund on a deposit for a deed of sale on a property.
They managed to change the IBAN’s number to their own without the notary noticing, and were sent the funds, after which they abandoned the account and moved the money to another bank, rendering it untraceable.
8. Email phishing
We’ve written extensively about email phishing in some of our previous blogs, however it still bears repeating: email can be a very vulnerable asset for businesses, and practising excellent email security should become second nature. In this case, hackers created a fictitious thread between a business owner and a third-party contractor so they could send an invoice attached to the company under the business owner’s address, threatening legal action.
The finance member sent the money ahead without checking that the email was the same as had been previously used, and only realised there’d been a mistake when the bank called to verify the transfer – after which, the financial advisor called the business owner and was told that none of the communications she’d seen were his.
Conclusion
Cybersecurity only grows more and more important as businesses onboard different technologies and platforms in order to increase their productivity and efficiency. As a result, some things can get overlooked, and when things are overlooked, hackers are there to exploit the vulnerabilities.
If you’re worried about your business’ vulnerability to cybersecurity threats, we have training services that can help you see what you might miss – and keep you, and your business, on the safe side of the internet and technology.
Human error is the leading cause of cybersecurity threats to corporations. See how well-prepared your employees are and run a simulated phishing attack to make sure your employees know exactly how to spot a scam.
Here’s how it works:
- available for up to 100 users.
- customisable language selection, landing page, and test templates.
- identifiable red flags and explanations.
- PDF emailed within 24 hours with phish-prone %
- rank your organisation against others in your industry
