
Hackers and Small Business: What Could Go Wrong?

Running a small business means juggling a lot – clients, cashflow, staff, sales… and, somewhere on the list, online security. But here’s the thing: when cybercrime hits a small business, it’s not just a nuisance. It can be devastating.

We’ve seen it happen. So here’s a fictional story based on a very real scenario.

Meet ‘Widgets Are Us’

‘Widgets Are Us’ are a small and successful business with five employees. One of them, Sarah, handles invoicing. Everyone’s sensible and aware of online scams. But they still got caught out.

It all started with an innocent-looking email. It said, “Here’s that document you asked for – click to view.” Sarah clicked. The page looked like Microsoft 365, so she logged in.

Nothing happened. Weird. She shrugged it off and got on with her day.

What she didn’t know was that she’d just handed her login to a hacker.

Then… nothing. For weeks.

Behind the scenes, the hacker was quietly reading her emails. They didn’t cause chaos – not yet. They just watched. Learned who dealt with money. Who paid invoices. How the conversations flowed.

And one day, they struck.

The £12,000 mistake

A client emailed to say they’d paid an outstanding £12,000 invoice. Except, Sarah hadn’t received anything.

The client showed proof, but the bank details didn’t match. The money had gone to a different account.

Panic. Phone calls. But the bank said, “Sorry – we can’t get it back.”

The hacker had emailed the client from Sarah’s real email account, sent a real invoice, and just swapped the bank details. The client trusted it because it looked legit.

Could this happen to you? Yes. But there are simple steps to protect yourself.

  1. Lock down your email accounts.
    Use strong multi-factor authentication (MFA). Apps like 1Password, or hardware keys, are far more secure than SMS codes.
  2. Train your team.
    Make sure everyone knows what phishing looks like. Teach them to stop and think before clicking. And if someone makes a mistake, act fast – change the password and call for help.
  3. Double-check payment changes.
    Never trust an email alone when it comes to bank details. Always confirm by phone or another secure method.

Final thought

This kind of scam is alarmingly common. Hackers aren’t just after big corporations – small businesses are often easier targets.

But with a few smart habits, you can stay one step ahead.

If you’re not sure where to start, or just want a second pair of eyes on your setup, we’re here to help.