
Bouncing back after a $35,000 email hack


When Lisa and Brett Millwood took over the family plasterboard business in 2018, they set up and planned their dream lifestyle.

An office by the beach, with a surf and café breakfast before work. Away from the city traffic, their kids could ride their bikes to school. It seemed idyllic and a very long way from any thoughts of cyber crime.

Brett’s father had recently retired after a long time at the helm and, as the next generation, Lisa and Brett wanted to modernise the business.

“My dad kept all his records by hand, whereas we are much more computerised and prefer a Gantt chart to a notebook,” Brett says.

Exposed to an invoice scam

However, it took a close encounter with a cyber criminal for Brett and Lisa to fully come to terms with the risk of cyber crime.

Brett was still using the previous family business email system when he sent an invoice to a client for $35,000 and, after a while, noticed it hadn’t been paid.

Some confusion followed. The client said he had paid the invoice, but Brett never received the payment.

How the scam happened

The money turned out to be in the hands of a cyber criminal who had intercepted the invoice and changed the account details, so the payment went directly to the criminal's account.

The family business email account Brett shared with his father had been hacked. Every email containing the words “invoice” or “payment” was diverted to the criminal's account. The criminal then changed the bank account details and sent the invoice on to the client, looking exactly like the original but with different bank account details.

In this case, the banks were not able to help recover the money. Fortunately, the client was able to claim with his cyber insurance.

This type of scam is called a “business email compromise”, where the attacker pretends to be a supplier, boss or another known contact to trick victims into sending money or disclosing sensitive information.

It gave Brett and Lisa a big enough shock to review and update cyber safety across the business.

Protecting themselves for the future

“When a business has been running for a while, it can have legacy systems that people are used to, so it can be hard to change.

“That can mean old-fashioned ways of doing things that might have been ok in the past, but now put your business at risk,” Brett says.

To protect themselves from having their accounts compromised again, Lisa says they have updated to complex passwords or passphrases, use multi-factor authentication and antivirus software, and never miss an automatic software update.

“There are simple things you can do to keep your business safe. You always think it won’t happen to you until it does,” says Lisa.

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.


Learn easy and simple cyber security tips for your small business


More helpful resources for you and your business

It happened to me!

Have you got a cyber attack story to share? Your story can help other small businesses protect themselves.
