In March 2023, a small clinic in southeast Asia experienced a damaging Business Email Compromise (BEC) attack, illustrating the far-reaching consequences of such an incident even for modest-sized businesses. The attackers meticulously researched and targeted clinic staff, utilising phishing emails to deceive employees into clicking on malicious links or downloading infected attachments. Through a successful phishing attempt, the attackers gained unauthorised access to an employee's email account. This allowed them to send fraudulent emails to clients, posing as clinic staff and redirecting payments to the attackers' accounts.

Upon discovering the breach, the clinic's response included attempting to delete the compromised account and seeking assistance from their IT contractor and, when it became clear more specialist support was needed, Blackpanda. Unfortunately, at that point the attackers' tactics had already led to several clients transferring them funds, resulting in a substantial loss.

The financial impact extended beyond the monetary loss, as it included incident response and recovery costs. The BEC attack also inflicted significant reputational damage, highlighting email security vulnerabilities and raising concerns about safeguarding patient information. 

Download the full case study below.