An Entrepreneur’s Cyber Security Nightmare Story

Barry the Enterpreneur

Barry the founder and CEO of Curbtech is often in the midst of the battle. He brings new ideas to life, finds great talent and ensures he can pay the 120 employees of his rapidly growing company. Barry is a big picture person who doesn’t like to deal with the details that come with everyday life. After a long day of meetings and presentations, Barry capped it with dinner at Daisies with the new client. As usual, it was after a long day, when Barry finally hit his head on the pillow and dozed off into a dreamless night.

The Nightmare

First thing in the morning, Barry logged in to his banking app. Payday was rapidly approaching and he wanted to make sure all funds were in place. But there was no money. The cyber criminals wiped out his entire operating account. He had the majority of his funds with one bank. Now, all that money is gone. No, he didn’t spend it all and it was still there yesterday. It just disappeared without a trace.

The attack on Barry’s cash didn’t happen overnight though. A local organized cybercrime gang deployed a systematic attack. They selected him because of his potential high net value and the ability to interact with him in real life (i.e. at his favorite coffee shop). The cyber criminals employed a multiprong approach. Through phishing basic information about Barry from people around him (in particular from his personal assistant Carol and his bookkeeper Anna), smishing, shoulder surfing and SIM swapping, the cyber criminals were able to clean Barry out completely.

Cyber Criminals at Work

The cyber criminals didn’t just rely on old-fashioned e-mail spear-phishing (sending fraudulent e-mail from a fake trusted person). They used smishing (SMS phishing) by sending Barry fake alerts from common banks to identify which bank he uses. With each additional piece of information gained, it made it possible to appear more credible to the people around Barry. His employees believed it was he who asked them for additional information. Systematically, the cyber criminals discovered the contact name of his banking branch manager and other employees. Trusted people who usually added an extra layer of security to protect Barry from identity theft.

AI enhanced voice simulators can be used to make cyber criminals sound like people you know and trust. At this stage, the cyber criminals were able to establish who Barry’s bank and banker was. Through dumpster diving and spamming Anna into issuing a check to a spoofed vendor, they also now had Barry’s business account number. The login credentials to his bank were obtained through shoulder surfing at Soloway Coffee when the cute student Barry thought was flirting with him had eyes for his laptop instead. At that point, the cyber criminals had a clear understanding of the credentials needed to log into Barry’s account.  

The Final Nail in the Coffin

However, they still had not overcome the two-factor authentication hurdle to get access to Barry’s account. For that, the cyber criminals used the SIM swap tactic. By using Barry’s AI generated voice, they convinced his mobile provider that he lost his phone and needed a new sim card. No new phone was needed, and Carol picked up the SIM card at the local branch.

The Sigh of Relief

Just when Barry thought he was going to have a heart attack, his phone woke him up. He grabbed it with his sweaty hands. Falling back on his pillow with a big sigh of relief, Barry realized he was having a nightmare. His money was safe! Because it was protected behind multiple security layers, such as a password manager, identity theft protection, and cybersecurity awareness training. All crucial elements of his cyber defense, set up by his trusted IT service provider.