Like many a small business owner, Barbara Clifford relishes the chance to unplug from work and celebrate the festive season each year. But the Alice Springs–based business coach knows better than most that cyber criminals don’t take holidays.
A few years ago, she quickly jumped online to check her emails on Boxing Day, a decision she’s eternally grateful for.
To her shock, Barbara discovered that her business Zoom account had been hacked on Christmas Day, while she was celebrating with family.
The co-founder of The Hinwood Institute says cyber criminals were able to break into her account as she didn’t have multi-factor authentication turned on.
They proceeded to upgrade her basic plan to a more expensive one, costing about $250 a month, and set up a series of different phone accounts linked to her business Zoom.
Each new user profile was linked to ten different Gmail addresses she didn’t recognise.
“I saw email notifications and bank transactions that had occurred on Christmas Day, and I knew that I didn't do any business that day,” she says.
“Maybe the hackers thought it would go unnoticed because they were doing it on that day?
“It absolutely freaked me out. I didn’t know if I was going to be able to rectify it or get a refund for the charge. So I immediately cancelled the upgrade, and contacted Zoom, who were really good.”
Zoom quickly refunded the payment and provided advice, including enabling two-factor authentication.
While it caused a holiday headache, she says it was a valuable learning experience.
“I know if I had multi-factor authentication at the start, it would never have happened,” she says.
“I’m very savvy normally and can spot a scam email, for example, but this was one important step that I hadn’t taken until then.”
But it wasn’t the last time she would be targeted, and a second cyber incident in 2022 proved far more stressful.
This time, The Hinwood Institute’s Microsoft account was hacked, which she discovered late one night after closing her laptop for the day.
“I suddenly got all these bounced email notifications going ‘ding, ding, ding’ on my phone at about 9pm, from emails I hadn’t sent,” she says.
“I immediately logged on and looked up where the last login was for my account, and it was in Brazil. I don’t know how many emails actually made it to people’s inboxes.”
Barbara, a recognised leader in time and stress management, known as the Time Tamer, spent several hours on the phone with Microsoft as the team investigated.
“They were very helpful and told me the hackers had done some very sophisticated work at the back end, and got into every nook and cranny,” she says.
“They had changed settings such as turning on email forwards to their own addresses. We were able to secure and save my account but it didn’t end there.”
The cyber criminals had downloaded a month’s worth of her emails and begun impersonating her by replying from a similar, but fake, address.
She lost about two days of work as she cleaned up the fallout, alerting everyone in her database and adding a warning to her email signature.
While it was “really, really scary”, she says she is grateful the business didn’t suffer any financial loss.
And the experiences have fundamentally changed the way Barbara thinks about cyber security and the extra risks that come with running a business that is not tied to a single office.
From Australia’s red centre to the high seas, Barbara regularly travels to clients to deliver in-person training, conduct workshops and speak at events.
One day she might be speaking on a cruise ship about giving diplomatic feedback to staff; the next she may be training public servants in Darwin in leadership skills.
She says The Hinwood Institute equips busy professionals to “do some of the tough stuff in work,” adding: “We do workplace mediations, we coach people in leadership, time management and conflict, and we also provide professional development training.”
She recently completed the Cyber Wardens training and says it provided practical guidance in many areas, including identifying scam red flags, the importance of strong, long passwords and recognised password storage managers.
Another important takeaway was to always make a follow-up phone call to verify any client email that requests a change of bank account details or involves an unexpected payment.
“I’ve implemented all of the recommended security measures to keep my accounts safe, so touch wood that nothing happens again now,” she says.
Don’t leave the doors of your business open to cyber criminals these holidays. It only takes ten minutes to start your free cyber security journey by enrolling in the Cyber Wardens program.