How SME Ransomware Attacks Work (And How to Protect Against Them)
When someone hears a business owner say “My business got ransomed a few months ago”, they probably picture the CEO of some big corporation, a huge headline, a household brand. But that’s not actually what you see. The owner in question runs a small business with just 14 employees.
The hackers knew the money was coming in, so they knew a payout was on the table. No dedicated security team keeping watch. And online, there was just enough to work with: staff on LinkedIn, email formats on the website, and the odd supplier mention. It likely took them only a few hours to sketch out and launch an attack. What this small business owner had spent years building was destroyed in less than a day.
But how did this happen? What are the key points to this attack, and how do you actually defend against them when you don’t have the budget for Mission Impossible-style security systems?
While this company is fictional, the methods aren’t; they line up with what attackers are using today, in 2026.
As you read, you’ll feel where it all starts to unravel, where one small barrier could have stopped everything. At the end, we’ll come back to five of those moments, where tools most small businesses already pay for could have shut the whole thing down early.
Monday: how I picked you
I don’t cast a wide net because I don’t need to. I work regular hours, keep the volume low, and pick my targets carefully. About 40 prospects a month, businesses with 10 to 50 staff. There’s a reason for that. Go too big and you run into security teams, legal walls, incident response firms. Expensive, slow, not worth the effort. Go too small and there’s nothing in it. But a 14-person company? That’s perfect: little effort, great payout.
You’ve got payroll, customer data, live projects, supplier links. Enough moving parts that downtime hurts, and an owner who’ll pay to get things back on track as soon as possible. From my side, the return per hour is better here than anywhere else.
I didn’t find you through a leak or a tip-off. Nothing that dramatic. It’s easy to find the right type of businesses via public sources. Business registries, contract listings, local licensing databases, they hand over more than most people realise. One search gave me your company name, your registered agent, the value of a recent job, and the person tied to it. From there, it’s just connecting dots. A quick look at LinkedIn, your website, a few mentions elsewhere, and I’ve got names, roles, email patterns, even a feel for how you operate. Simple.
The real signal, though, isn’t what I find. It’s what I don’t. Nothing’s gone wrong for you yet. No visible incidents, no forced resets, no signs of tightened controls. That tells me a lot: credentials are likely still valid, staff haven’t been put on alert, and passwords haven’t been changed in a rush.
A clean record sounds like a good thing. To me, it’s an invitation.
Tuesday: building your org chart for free
I spend about 40 minutes on you today. Just a browser. Nothing special. LinkedIn hands me eight of your staff with job titles. That’s more than enough. Your office manager stands out straight away. Six years in the role, and she’s openly listed “accounts payable, payroll, supplier invoicing”. In other words, she deals directly with money. Your second admin is newer, about 11 months in, still finding their feet. The director keeps a low profile. Few connections, not much activity. That tells me you’re unlikely to notice if someone unfamiliar starts looking around or reaching out.
Public filings fill in the gaps. Your registered business name, your full legal name, all there without a fight. Then I land on a Facebook post from a couple of years back. “Meet the team.” First names, photos, a bit of friendly context. Someone in the comments casually drops your surname.
That’s enough to start stitching things together.
Now I know who handles your money, what they’re called, how long they’ve been there, and what systems they probably use. I’ll double check job ads later, see if “QuickBooks” or “Sage” pops up as a requirement, just to tighten the picture.
More importantly, I can make a good guess at who can approve a payment without needing a second signature. That’s the person who will become my target.
It won’t be you. You’re harder to reach, and you’ll likely pause before doing anything unusual. Your office manager is different. She’s got access, she’s trusted, and she’s busy. Busy enough that one more email doesn’t get the attention it probably should.
So that’s where I go next. And at this point, I haven’t spent a penny.
Wednesday: I bought your credentials for £17
Stealer logs are where this starts to get interesting. They’re bundles of usernames and passwords hoovered up by info-stealer malware, usually from someone’s personal device, often months or even years ago. Every login typed, every password saved, quietly collected and packaged up for sale, and they’re easy to shop for.
Telegram channels, low-key forums, nothing hidden if you know where to look. You can search by company email domain and pull back whatever turns up. So I try yours and get two hits. One is your office manager’s work email with a password sitting next to it; it looks like it came straight out of a saved browser login. The other is a personal Gmail account, likely a family member’s, picked up from a shared home device. I buy the pack for £17. It takes about four minutes.
Your office manager’s password follows a familiar pattern. A name, a year, an exclamation mark. The sort of thing people think is strong because it ticks the complexity box: letters, numbers and punctuation. I run it against HaveIBeenPwned, the same public breach database security teams use, and it comes back flagged. It showed up in a retail loyalty breach three years ago, with no sign it’s been changed since. The window is wide open.
The second set of credentials looks unremarkable at first, but it’s the better find. Same core password, tweaked slightly across different services: a streaming account, a gaming login, and then something more useful. Your company’s Microsoft 365. So I give it a try, and it works. At this point, I’m not guessing anymore. I’ve got a valid login tied to your business. The only thing slowing me down is the multi-factor authentication (MFA).
Total spend so far, £17.
Thursday: getting past your Multi Factor Authentication
MFA blocks a lot, but only when it’s set up properly. In your case, the easy route doesn’t work. Microsoft turned on number matching for Authenticator pushes back in May 2023, so your office manager can’t just tap “approve” out of habit. She has to type the number shown on the sign-in screen into the app, and that shuts down the usual spam-the-phone trick. So I take a different route.
I send her a routine-looking Microsoft 365 email: a password reset notice. Nothing alarming, just enough to feel legitimate. I even reference the same breach where her password appeared earlier in the week, which makes it feel believable. The link leads to what looks exactly like the Microsoft login page: same branding, same flow. The difference is that it’s sitting behind a proxy I control.
She enters her password, then approves the MFA prompt. From her point of view, everything behaves as expected, but behind the scenes her login is being passed straight through to the real Microsoft servers, and the session token that comes back lands with me. That’s the moment it all clicks into place. She sees a confirmation message and carries on with her day. I’m the one holding the authenticated session, and as far as Microsoft are aware, it’s valid.
I did try a backup plan earlier, just in case. A quick call to your office, posing as IT support. I used a real name pulled from a Google review you left over a year ago, then told reception we’d spotted unusual login activity and might need a quick approval. She said the office manager wasn’t at her desk, and I said no problem, I’d ring back.
By Thursday evening, I’m in her Microsoft 365 account with complete access, no noise, no alarms. First thing I do is set up a quiet inbox rule. Every email she gets is copied to me, nothing flagged, nothing obvious. Then I stop and I wait.
Friday 2:47pm: why I waited 36 hours before encrypting
There’s no reason to rush it; I’m already in. I sit in your inbox for a day and a half, just watching. 36 hours tells me more than any tool ever could. It shows me how money moves, what matters, and how much pressure you’re under when things go wrong. That’s what I’m really pricing: the payout at the end.
In that time, a few useful things turn up. Your cyber insurance policy comes through from your broker, attached to a routine email. There’s a sub-limit sitting there, $250,000, so now I know where the ceiling is. A bank reconciliation follows not long after; your office manager sent it over a couple of weeks back. Month-end balance, around $180,000. That tells me what’s actually there, not just what’s insured. Then there’s everything else. A customer list tucked into a quote template she’s emailed to herself. A thread about a municipal job starting in three weeks, fixed deadline, no room for delays. That one matters: deadlines create pressure, and pressure speeds up decisions.
I set the ransom at $65,000. Low enough that fighting it feels like more trouble than it’s worth, but high enough to make it worth my time. It sits comfortably below ten percent of what I can see you have access to, which is where people tend to push back. This isn’t a random figure; it’s tuned to get the best return.
Then I pick my moment: 2:47pm on a Friday. There’s a reason for that. Your bookkeeper logs off at 3pm; I saw the out-of-office earlier in the week. I know you’re out on site; the calendar says so. The person who spots issues first is about to disappear, and the person who can make decisions isn’t at a desk. By the time anyone realises, it’s Friday evening, the shared drive is locked up and the files go quiet. Ransom note sitting on every screen, waiting.
Total cost to me? £17 for the credentials, and a handful of hours spread across the week.
Five places this attack would have died
1. The £17 credential buy on Wednesday
This should have been a dead end. HaveIBeenPwned is public and free; anyone can check it. Microsoft Entra password protection can block passwords that have already shown up in breaches. Add a password manager and enforce unique passwords, and what I bought becomes worthless. I can’t reuse it, so no entry.
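As an added example (mine, not from the original article), this PowerShell function runs the HaveIBeenPwned check the paragraph describes against the public Pwned Passwords range API, the way a password manager, onboarding script or help-desk tool would. It uses the API's k-anonymity design: only the first five characters of the password's SHA-1 hash are sent, so the password itself never leaves the machine. The function name is my own choice, the `Add-Padding` header is a documented HIBP option, and the sample password `Sarah2019!` is constructed to match the “name, year, exclamation mark” pattern from earlier in the story.

```powershell
# Added example, not from the article: check a password against the HIBP
# "Pwned Passwords" corpus using the k-anonymity range API.
# Requires PowerShell 5.1 or 7+ and outbound HTTPS to api.pwnedpasswords.com.

function Test-PwnedPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Password
    )

    # SHA-1 of the UTF-8 password as upper-case hex, which is what the range API keys on
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $hash  = -join ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') })
    $sha1.Dispose()

    # Only the 5-character prefix is sent; the 35-character suffix is matched locally
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)

    # 'Add-Padding' makes every response a similar size, so an observer on the
    # network cannot infer how many real hits a prefix has
    $response = Invoke-RestMethod -Method Get `
        -Uri "https://api.pwnedpasswords.com/range/$prefix" `
        -Headers @{ 'Add-Padding' = 'true' }

    # Each line is "<suffix>:<count>"; padding entries carry a count of 0
    foreach ($line in ($response -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]
        }
    }
    return 0
}

# Constructed sample in the "name, year, exclamation mark" pattern.
# Any non-zero count means the password is in a known breach corpus: reject it
# at creation time and rotate it wherever it is already in use.
$count = Test-PwnedPassword -Password 'Sarah2019!'
if ($count -gt 0) {
    Write-Output "Password seen $count times in known breaches. Do not allow it."
} else {
    Write-Output "Password not found in Pwned Passwords. Still require unique, manager-generated passwords."
}
```

A count of zero is not a clean bill of health; it only means the exact string is not in the corpus yet. The article's point stands: pair the check with a password manager that generates a unique password per site, so a leak on a loyalty scheme can never become a Microsoft 365 login.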
2. The MFA bypass on Thursday night
The obvious trick doesn’t work anymore; Microsoft fixed that with number matching. But that’s not where attacks sit now; adversary-in-the-middle phishing is. There are ways to stop it: FIDO2 keys, passkeys, Windows Hello for Business, Conditional Access that only allows trusted devices, proper anti-phishing in Defender for Office 365. Any one of those changes the outcome: either I don’t get the token, or I can’t use it.
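As an added example (my own script, not from the article and not a Microsoft-supplied one), here is one way to apply the phishing-resistant MFA control with the Microsoft Graph PowerShell SDK: a Conditional Access policy that requires the built-in “Phishing-resistant MFA” authentication strength (FIDO2 keys, passkeys, Windows Hello for Business) for a group holding the finance, admin and director accounts. The group name `SG-Finance-And-Admin` and the emergency-access account `breakglass@contoso.example` are assumed placeholders. It also gives a concrete answer to question 1 in the “Three questions to send your IT provider” section below.

```powershell
# Added example, not from the article: require phishing-resistant MFA for the
# accounts that approve money, via the Microsoft Graph PowerShell SDK.
# Assumed placeholders: group 'SG-Finance-And-Admin', account 'breakglass@contoso.example'.
# Requires the Microsoft.Graph modules and a Conditional Access Administrator role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'User.Read.All'

# Resolve the group that holds finance, admin and director accounts
$group = Get-MgGroup -Filter "displayName eq 'SG-Finance-And-Admin'"
if (-not $group) { throw "Group not found. Create it and add the high-value accounts first." }

# Always exclude the emergency-access account, so a lost key cannot lock everyone out
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw "Break-glass account not found. Do not deploy Conditional Access without one." }

# Built-in 'Phishing-resistant MFA' strength, looked up by name instead of a hard-coded ID
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw "Built-in phishing-resistant authentication strength not found." }

$policy = @{
    displayName = 'CA - Require phishing-resistant MFA for finance and admin'
    # Report-only first: review the sign-in log for impact, then change to 'enabled'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created '$($created.DisplayName)' in state '$($created.State)'."

# Verify: every policy that enforces an authentication strength, and which groups it covers
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.AuthenticationStrength.Id } |
    Select-Object DisplayName, State,
        @{ n = 'StrengthId'; e = { $_.GrantControls.AuthenticationStrength.Id } },
        @{ n = 'Groups';     e = { $_.Conditions.Users.IncludeGroups -join ',' } }
```

The policy starts in report-only mode on purpose: a proxied login like the one in the story still shows up in the sign-in log as “would have been blocked”, which lets you confirm the rule bites before anyone is locked out. Once every account in the group has registered a passkey or FIDO2 key, flip `state` to `enabled`.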
3. The inbox forwarding rule
I only needed one quiet setting to watch everything. Microsoft 365 lets you block external forwarding at tenant level, and if that’s switched on, I don’t get 36 hours of visibility. I’m either forced to move faster or to work blind.
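As an added example (mine, not from the article), these Exchange Online PowerShell commands apply the tenant-level forwarding block the paragraph refers to, confirm it took effect, and then list any forwarding that is already in place, because the tenant setting stops future external delivery but does not delete a rule that already exists. It is also the check behind question 2 in “Three questions to send your IT provider”. It assumes the ExchangeOnlineManagement module and an account with the Exchange Administrator role.

```powershell
# Added example, not from the article: block external auto-forwarding tenant-wide
# in Exchange Online, verify it, then find forwarding that is already configured.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline

# 1. Outbound spam filter policy: 'Off' blocks automatically forwarded mail to
#    external recipients. New tenants default to this; confirm rather than assume.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Default remote domain: also stop client-side auto-forward to external domains
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Confirm both settings took effect
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 3. Mailbox-level forwarding set through admin tooling (or by someone holding an admin session)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Inbox rules that forward or redirect, including rules hidden from the Outlook UI.
#    The tenant setting above does not remove these; they need to be reviewed and deleted.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mailbox = $_.UserPrincipalName
    Get-InboxRule -Mailbox $mailbox -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mailbox
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                           Where-Object { $_ }) -join '; '
            }
        }
}
```

Step 4 is the part most often skipped. A rule that copies every message to an outside address keeps working for internal copies and for delivery to a second mailbox inside the tenant even after auto-forwarding is off, so the listing needs a human eye on it, not just the setting change.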
4. The 36-hour window
I stayed because no one was looking. Defender for Business, which is already bundled into Microsoft 365 Business Premium, flags new inbox rules like the one I created. It would have raised an alert the same night I got in. The real gap isn’t usually tooling, it’s attention. Alerts exist; they just aren’t being seen or acted on.
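As an added example (not from the article), this PowerShell script pulls the audit events behind those inbox-rule alerts straight from the Microsoft 365 unified audit log for the last seven days and flags rules that forward, redirect, delete or quietly file mail. It is the manual version of question 3 below, “is anyone actually looking at them”: if the honest answer is no, this is the query to run on a schedule until someone is. It assumes the ExchangeOnlineManagement module and the View-Only Audit Logs role; the seven-day window and the list of folders treated as hiding spots are my own choices.

```powershell
# Added example, not from the article: hunt the unified audit log for inbox rules
# created or changed through Outlook on the web or PowerShell in the last 7 days.
# (Rules edited from the Outlook desktop client are logged as 'UpdateInboxRules'
# with a different payload layout and are not parsed here.)
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)   # assumed look-back window
$end   = Get-Date

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'New-InboxRule', 'Set-InboxRule' -ResultSize 5000

# Folders attackers commonly file mail into so the mailbox owner never sees it (assumed list)
$hidingFolders = @('RSS Feeds', 'RSS Subscriptions', 'Archive', 'Junk Email', 'Deleted Items')

$suspicious = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json

    # Rule parameters arrive as an array of { Name, Value } pairs; flatten to a hashtable
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $forwards = @($params['ForwardTo'], $params['ForwardAsAttachmentTo'], $params['RedirectTo']) |
        Where-Object { $_ }
    $hides = ($params['DeleteMessage'] -eq 'True') -or ($params['MoveToFolder'] -in $hidingFolders)

    if ($forwards -or $hides) {
        [pscustomobject]@{
            When      = $e.CreationDate
            Operation = $e.Operations
            Mailbox   = $data.UserId
            ClientIP  = $data.ClientIP
            RuleName  = $params['Name']
            Forwards  = ($forwards -join '; ')
            Hides     = $hides
        }
    }
}

if ($suspicious) {
    $suspicious | Sort-Object When | Format-Table -AutoSize
} else {
    Write-Output "No forwarding, redirecting or hiding inbox rules created in the last 7 days."
}
```

Two things to check on every hit: the `ClientIP` (a rule created from an address the business has never signed in from is the story in this article) and the timing (a rule created minutes after a password reset email went out is the Thursday evening described above). Neither needs a SIEM; it needs the output landing in front of a person.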
5. The public breadcrumbs
You can’t take your company out of public records; that data’s staying put. What you can control is how much colour your team adds around it. A LinkedIn profile that spells out who handles payments, payroll and approvals is incredibly helpful from my side. Not malicious, just detailed enough to point me in the right direction. That’s a people conversation, not a policy document.
Three questions to send your IT provider
If you strip this whole scenario back, it really comes down to three questions. Not complicated ones, but the kind people assume are already covered.
1. Are we actually using phishing‑resistant MFA for the people who matter most?
Not just “MFA is turned on”, but the kind that can’t be quietly sidestepped. Finance, admin, directors. If those logins aren’t locked behind passkeys, FIDO2 keys, or Windows Hello, then there’s still a way through.
2. Is external email forwarding blocked?
It’s a tiny setting. Easy to miss. But it’s the difference between someone getting a quick look at your inbox and someone sitting there reading everything, learning how your business ticks.
3. Are security alerts going somewhere real, and is anyone actually looking at them?
Because the alerts were there in this case. They fired. They just disappeared into the background while someone got on with their day.