Article by Olesja Grant
What happens when cyber crime takes you by surprise and makes you rethink everything you know?
As a PA/EA to the head of a global company, it’s natural that the standards are high and so, over the years, I’ve grown to gain certain qualities. At one point, it felt like I could handle hundreds of tasks at the speed of light and my understanding of technology only amplified that – making it easier to support my boss in three time zones, 24/7. Safe to say, I felt confident in my role. That is, until May 2018 when everything came crumbling down in a matter of two minutes. Here’s what happened…
My boss had bought a few high-value art objects and at that time I was in charge of processing payments of all his personal purchases. Unfortunately, it was during this period that I fell into a trap set by an organised group of cyber criminals.
The fraudsters used a ‘time bubble’ technique, which means they used time pressure to move me from a genuine conversation thread with a real invoice to a fake conversation within minutes, copying the text from the original email and re-sending it from a cloned email. It all happened within two minutes of receiving the original invoice, and neither my phone nor I detected this move or the changed email address. Without any knowledge, I paid the fake invoice and processed the payment – feeling proud to check another task off my to-do list at full speed.
The Discovery – Money and Information is what they want
I soon realised that I was a victim of a cyber crime when the actual seller contacted me within a few weeks to chase the payment. Let’s just say, I literally felt sick and was paralysed with shock. The amount of money lost was significant and it was only by re-reading the emails that I realised when and how it happened.
Even though I was innocent, I felt responsible and yet, at the same time, felt like a victim. After 10 years of building trust, I needed to clear my name and almost start again. So, we brought in the help of Rose Partners to investigate and right away, I was asked to stop using my emails in case they had hacked my computer. If that was the case, there was a high risk that they could have full access to confidential information and exploit the company even further. I felt vulnerable, confused, trapped and watched.
Thanks to the investigator from Rose Partners, we discovered what really happened. A team of cyber criminals had been watching my work patterns for weeks – tracking the tools I used, how many emails I got each day, whether I worked on a laptop or a smartphone – all the details they would need to prepare for their planned attack. This way, they were able to turn around fake invoices and emails within minutes, using that ‘time bubble’ technique to put pressure on the person at the receiving end (in this case, me) to give them the details they required to follow through. This entire fraud system is designed to target people like me, PAs and support staff who regularly process this type of information.
Within the company we’ve changed policies and how we all work and communicate. We took advice on new security measures and in the end, we recovered the money.
However, the hardest part of it all was the psychological trauma I felt for months after the incident. I experienced post-traumatic symptoms for about six months, took professional counselling and called the Victim Support Helpline for some additional support. Even with my name cleared, I felt like I just couldn’t forgive myself for prioritising efficiency and “multi-tasking” above everything else. It was time for change.
What I Learned from My Experience
The thing about traumatic experiences – personal or professional – is that they teach us something. For me, it taught me to reassess my work/life balance, my priorities and my boundaries, all the while putting safety before efficiency in all cases. These are the things I put in place in order to make that happen…
- I stopped using my business cards. My number and email give almost direct access to my boss, and this is usually the first point of cyber-attack – the PA.
- I stopped taking any calls in the office. The receptionist does the gate-keeping. We now ask for the name, number and a message and then we call back if we need to. If the person is reluctant to leave a number and a name – we take that as a warning sign.
- We now have a dedicated email address to receive any info from third parties we haven’t worked with before.
- I have made my social media channels safe – ensuring there is no information on my location or the name, locations or activities of my boss.
- I guard the information I give out verbally with even more care than before. No travel dates or facts about my boss are given to anyone we don’t know.
- I work mostly from the office computer and office network instead of public Wi-Fi. Often, you’ll find that this is an insurance policy nowadays.
- I now delegate much more to my colleagues. There is always a back-up. Previously it was just me, as a one-man-show and I wanted to be indispensable. I value teamwork even more, as it works better in crisis situations.
- I changed my need to be a super-achiever, to get the praise from myself and my directors. Less is more. I look out for the quality of projects and not the quantity of boxes I have ticked for the day. For 10 years I tried to do both and that was used against me when I was attacked. This need to be fast and efficient worked in favour of the cyber criminals.
Most importantly, I look for ways to breathe deeper and find inner confidence that my input and work are not judged by the number of emails I process a day. It’s about how well I protect my boss, the company and how in control I am of the situation. Being steady and thorough is one of the greatest skills to have as a PA and one of the most valuable lessons I’ve ever learned.