Pinch me! I'm not dreaming I’ve been hacked

Here’s how your SME should navigate scams.

Pinch me! I'm not dreaming I’ve been hacked

Occasionally I like to schedule a time to share the stories that come across our support desk so that, as a community, we understand what is out there. 

Only by sharing and trying to be straightforward can we stay ahead of the tsunami of hacking that most of our networks face.

A Real–Life Hacking Scenario

A few weeks ago, we had a client call us regarding a suspected hack – a member of staff was hit by a convincing phishing scam and had managed to get through the pop–ups and warnings to get to the hacker's desired page.

This staff member came and said that they thought they had dropped the ball and put their password into a website and were worried.

Slight spoiler alert – the client had Multi-Factor Authentication (MFA) enabled, so no actual data was lost, but that wasn't the exciting feature of this hack or the evolution we saw. 

As we tried to investigate, we realised that once someone entered their details into the site, it was checking to see if the user was correct through the office API. If the user had a valid account, it let them proceed. Still, if they tried to test it with a dummy account, it checked and could come back and tell them that the version they were using had not been found – something that may facilitate the less IT literate into thinking that the site was genuine. 

Hackers Are Getting Smarter

Something else was happening too. If you typed your details in once, it would, from that point on, direct you to the proper to try to hide the fact that it was a phishing site.  

Ultimately, the most essential thing for sites like this is that they stay up long enough to get a decent amount of hacked accounts, and tactics like this can confuse people and allow the place to be left up for a significantly extended period.

Also, I find it interesting to see the gradual increase in evasive measures these hacks are taking. However, while you can easily see where things are heading, we need to realise the additional ingenuity these hackers demonstrate to collect user data by hacking your data, files and email. 

Preventing Hacks with Multi-Factor Authentication

It also rams home the message on MFA. For the longest time now, it has been clear that MFA is probably the most critical security measure you can implement in your company. At a recent Microsoft event, Microsoft reiterated that the previous idea of the company front door (or business premises) being the perimeter and needing securing is now more or less dead or at least on life support. Now, the actual boundary needing protection is the user identity. Given that almost 100% of successful hacks were on user identities without MFA, not doing MFA is basically the cyber equivalent of getting the most extensive, juiciest steak you can find, strapping it to your neck and dancing around the Serengeti! 

The numbers don't lie. If you still need to implement MFA, it is more a matter of when you will be hacked than 'if', which is a scary prospect.

Let's work together

Thank you for your enquiry. Someone will be in touch as soon as possible!

Our use of cookies

Some cookies are necessary for us to manage how our website behaves while other optional, or non-necessary, cookies help us to analyse website usage. You can Accept All or Reject All optional cookies or control individual cookie types below.

You can read more in our Cookie Notice


These cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

Analytical cookies help us to improve our website by collecting and reporting information on its usage.

Third-Party Cookies

These cookies are set by a website other than the website you are visiting usually as a result of some embedded content such as a video, a social media share or a like button or a contact map