The phishing emails were sent from a legitimate, compromised account, embedded within existing email threads, and written in the company’s normal business language. The only change was the bank account details, where the funds were redirected.
No one double-checked the updated payment details. There was no rule requiring confirmation by phone or validation through a second system. The transfers were approved and sent.
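One way to implement the second-system check the article says was missing, as an added example that is not part of the original post: the bank details on an incoming invoice are compared with a vendor master record held outside email, and any difference puts the payment on hold until a callback to the phone number on record (not one taken from the email thread) confirms the change. `VendorRecord`, `evaluate_payment` and the sample data are hypothetical and constructed for illustration.

```python
"""Payment-change gate: block release of funds when bank details change."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank: BankDetails
    callback_phone: str  # taken from the master record, never from the email


@dataclass(frozen=True)
class Decision:
    action: str  # "release", "hold" or "reject"
    reason: str
    callback_phone: Optional[str] = None  # number to call when action == "hold"


def evaluate_payment(vendor_id: str, invoice_bank: BankDetails,
                     master: Dict[str, VendorRecord],
                     callback_confirmed: bool = False) -> Decision:
    """Decide whether a payment may be released.

    A mailbox compromise lets an attacker edit the invoice, but not the
    vendor master, so the master is the source of truth for bank details.
    """
    record = master.get(vendor_id)
    if record is None:
        return Decision("reject", "vendor id not found in master record")
    if invoice_bank == record.bank:
        return Decision("release", "bank details match vendor master")
    if callback_confirmed:
        return Decision("release", "changed bank details confirmed by callback")
    return Decision("hold", "bank details differ from vendor master; "
                    "confirm by phone before approval", record.callback_phone)


# Constructed sample master record (fictitious values).
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", BankDetails("011000000", "000123456"),
                           "+1-555-0100"),
}

if __name__ == "__main__":
    # An invoice arriving with new account details is held, not paid.
    print(evaluate_payment("V-1001", BankDetails("099000000", "000999999"),
                           VENDOR_MASTER))
```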
By the time the issue was noticed, close to $5 million had already been wired out of the company. The money was quickly moved through multiple accounts, and investigators later said there was little chance of recovering it.
The review that followed revealed something more concerning. There was no malware involved. No servers were broken into. No advanced tools were used. Security systems had little to respond to because everything appeared normal. The original phishing email had been flagged as suspicious but not blocked, partly because the sender infrastructure had previously been associated with legitimate vendors and was considered low risk.
The email itself did not stand out. It contained no threats, strange wording, or obvious errors. It looked like routine business communication and landed in the inbox of an employee responsible for payment-related tasks tied to federal contracts.
The sender appeared to be a known government contact. The subject line referenced an active project. Inside was a short request to review a document related to payment processing. The employee clicked the link and was taken to what looked like a standard login page.
The login page was fake.
As soon as credentials were entered, the attackers gained access to the employee’s email account. That account did not require multi-factor authentication, just a password.
From that point, the attackers stayed quiet. They read emails, learned invoice approval workflows, and watched how financial requests were normally processed. Because they were inside a real mailbox, everything they saw was legitimate. The organization relied heavily on email-based approvals for financial changes, which created an opportunity.
When they decided to act, the emails they sent did not raise concern. The real weaknesses were internal. The company did not enforce multi-factor authentication for sensitive accounts. Security training focused mainly on obvious scams, not highly contextual phishing. Logging was limited, which slowed investigation timelines.
The damage went beyond financial loss. Internal systems were restricted, federal project work was delayed, and government agencies paused data sharing while assessing exposure. Some contracts were flagged for review, and future work remains uncertain.
Federal officials are still examining whether cybersecurity requirements were fully met. While no penalties have been announced, the incident has already raised concern across the federal contracting sector.
In the end, this was not a complex cyberattack. The attackers didn’t break in — they logged in. One email was trusted, one account was unprotected, and no one expected something so ordinary to cause that much damage.