Let’s Think Like a Cyber Criminal: Because They’re Not Hacking Like the Movies

Let’s Think Like a Cyber Criminal: Because They’re Not Hacking Like the Movies

Cybersecurity advice usually sounds something like this:

“Use strong passwords.”
“Enable multi-factor authentication.”
“Update your systems.”
“Train your employees.”

All good advice.

Also, all advice most business owners have heard so many times that their brains quietly file it under:

“Important… someday… after payroll, the broken printer, the client emergency, and whatever Karen did to the spreadsheet.”

So today, we’re going to try something different.

Instead of thinking like the business owner, the office manager, the nonprofit director, the township secretary, or the person who somehow became “the IT person” because they once fixed the Wi-Fi…

Let’s think like a cyber criminal.

Don’t worry. No ski mask required.

Just a mildly unsettling imagination and a willingness to ask:

If I wanted to scam your organization, where would I start?

Spoiler: probably not by “hacking the firewall” while dramatic music plays in the background.

Most cyber criminals targeting small and mid-sized organizations are not cinematic masterminds in a dark room with twelve monitors and a glowing hoodie.

They are opportunists.

They look for convenience.
They look for confusion.
They look for busy people.
They look for weak processes.
They look for one employee having one very normal, very human, very “I’ll just click this quickly” kind of day.

And that is where the trouble starts.


First, I Wouldn’t Hack You. I’d Research You.

If I were a cyber criminal targeting your business, nonprofit, or municipality, my first stop probably wouldn’t be some secret hacker cave.

It would be Google.

Then your website.

Then LinkedIn.

Then Facebook.

Then maybe a staff directory, board minutes, public meeting agenda, vendor page, online job posting, or that one employee bio that accidentally tells me way more than I need to know.

Within a few minutes, I might be able to learn:

  • Who owns the company
  • Who handles billing
  • Who approves payments
  • Who recently got promoted
  • Who is on vacation
  • What software you use
  • What vendors you work with
  • What your email format looks like
  • When your next big event, project, audit, meeting, or deadline is happening

That is not “hacking.”

That is reading.

Annoyingly effective reading.

And once I know enough, I don’t need to break down the digital front door.

I can just knock politely and pretend I belong there.


My Favorite Target? The Busy Person.

If I were a cyber criminal, I would not necessarily go after your most technical person.

I’d go after your busiest person.

The person with 600 unread emails.

The person who eats lunch at their desk.

The person who approves things between meetings.

The person who says, “I’ll handle it” before anyone else even knows there is an “it.”

In every organization, there is usually someone who keeps everything glued together with caffeine, calendar reminders, and sheer force of will.

That person is valuable.

That person is also tired.

And tired people make fast decisions.

That is exactly what a cyber criminal wants.

Because scam emails are rarely designed to make you think deeply.

They are designed to make you react quickly.

“Can you take care of this today?”
“Please review before 3 PM.”
“Payment is overdue.”
“Your account will be disabled.”
“Updated banking information attached.”
“I’m in a meeting. Please handle this.”

Notice the pattern?

Urgency.
Authority.
Fear.
Convenience.

Cyber criminals are not just attacking computers.

They are attacking the normal rhythm of a busy workday.

And unfortunately, the normal rhythm of a busy workday is often held together by “fine, I’ll just do it real quick.”

Famous last words.


Next, I’d Pretend to Be Someone You Already Trust.

If I wanted to steal from your organization, I probably would not introduce myself as:

“Hello, I am the suspicious stranger from the internet.”

Rude. Ineffective. Lacks branding.

Instead, I would pretend to be someone familiar.

A vendor.
A client.
A bank.
A board member.
A department head.
Microsoft.
UPS.
Your payroll company.
Your copier company.
Your insurance provider.
That one software platform everyone hates but still uses every day.

Why?

Because trust is faster than hacking.

If an employee sees an email from a vendor they recognize, they are much more likely to act.

Especially if the email looks normal.

Especially if the request sounds boring.

And that is the part people miss.

Real scams often don’t look dramatic.

They look painfully ordinary.

Something like:

“Hi, attached is the updated invoice for this month.”

Or:

“Please note that our banking information has changed.”

Or:

“Can you confirm the outstanding balance?”

Or:

“We need the W-2s resent for processing.”

Nothing about that screams “international cybercrime operation.”

It screams “Tuesday.”

And Tuesday is exactly where criminals like to hide.


The Vendor Email Scam: A Criminal’s Love Language

Let’s walk through one example.

Say your organization works with a regular vendor.

Maybe they provide office supplies, equipment, maintenance, software, consulting, uniforms, fuel, landscaping, or some other boring-but-necessary thing.

As the cyber criminal, I research that vendor.

Maybe I find their name on your website.
Maybe I see them tagged on Facebook.
Maybe I find an old invoice format from a compromised inbox.
Maybe I just guess — because many organizations use the same kinds of vendors.

Then I send an email that looks close enough to real.

Not perfect.

Just close enough.

Because I am not trying to win a graphic design award.

I am trying to catch someone on a busy day.

The email might say:

“Good morning,
We recently updated our payment information. Please use the attached ACH instructions for all future invoices. Let me know once this has been updated in your system.
Thanks!”

That’s it.

No malware.
No weird attachment.
No flashing red warning light.
No villain monologue.

Just a request.

And if your business does not have a process to verify banking changes, that email may be all it takes.

One person updates the payment info.

The next invoice gets paid.

The money goes to the criminal.

And then everyone gets to enjoy the horrible little adventure called:

“Wait… where did the money go?”

Zero stars. Do not recommend.


Or Maybe I’d Go After Password Habits.

If I were a cyber criminal, I would absolutely be interested in your passwords.

Not because I want to admire them.

Because people are wonderfully predictable.

A lot of organizations still have some version of:

  • Shared passwords
  • Passwords saved in browsers
  • Passwords written near desks
  • Reused passwords across systems
  • Old accounts nobody disabled
  • Generic logins like “frontdesk” or “admin”
  • Passwords based on pets, seasons, sports teams, or children’s names

And yes, before anyone gets offended:

Your dog is adorable.

Your dog’s name still should not be part of your password.

Cyber criminals know that people reuse passwords.

They know that if one password leaks from one site, it may unlock something else.

They know former employees sometimes still have access.

They know “temporary” passwords have a way of becoming permanent, like that one folding table in the office that was supposed to be there for two days in 2019.

Passwords are not just a technical issue.

They are a business process issue.

If you do not know:

  • Who has access
  • What they have access to
  • How passwords are stored
  • Whether MFA is enabled
  • How access is removed when someone leaves

Then neither do your employees.

But a criminal would be happy to help you find out the hard way.


Former Employees: The Ghosts in the System

Here’s another place I’d look if I were thinking like a cyber criminal:

Old accounts.

Former employees.
Seasonal workers.
Interns.
Board members.
Volunteers.
Vendors.
That person who left three years ago but whose email account still exists “just in case.”

Just in case of what?

Haunting?

Offboarding is one of those things that sounds boring until it becomes expensive.

When someone leaves, their access should leave with them.

That means:

  • Email
  • Microsoft 365
  • VPN
  • Line-of-business software
  • Shared drives
  • Cloud apps
  • Password managers
  • Remote access tools
  • Accounting systems
  • Social media accounts
  • Website admin accounts

Because if I can find an old account that still works, I might not need to break in.

You left me a key under the digital doormat.

Very neighborly of you.

Terrible security strategy.


I’d Also Check the “Nobody Owns This” Technology

Every organization has technology that falls into the mysterious category of:

“I don’t know. It was here when I started.”

Printers.
Copiers.
Old desktops.
Conference room computers.
Security cameras.
Door access systems.
Phone systems.
Network equipment.
Forgotten software.
Shared mailboxes.
That one ancient machine in the back office running something “important.”

Cyber criminals love forgotten technology.

Why?

Because forgotten technology often means:

  • No updates
  • Weak passwords
  • Default settings
  • No assigned owner
  • No monitoring
  • No documentation
  • No one wants to touch it because “what if it breaks?”

That last one is a classic.

And understandable.

But from a security perspective, “we don’t touch it because we’re afraid of it” is not a plan.

It is a horror movie setup.

If something is connected to your network, someone needs to know what it is, what it does, who manages it, and whether it is still safe to use.

Otherwise, it may become the digital equivalent of a basement door nobody remembers locking.


The Best Scams Are Boring

This is the part that surprises people.

Cyber attacks against small businesses, nonprofits, and municipalities are often not flashy.

They are not always some elite technical exploit.

They are often basic, patient, and boring.

A fake invoice.
A fake login page.
A fake password reset.
A fake vendor request.
A fake Microsoft alert.
A fake voicemail notification.
A fake shared document.
A fake “quick favor” from the boss.

Boring works because boring blends in.

An email that says:

“Please see attached invoice”

does not feel dangerous.

It feels like work.

And most people are not trying to be careless.

They are trying to keep the day moving.

That is why cybersecurity cannot depend on everyone being perfectly alert every minute of every day.

That is not a strategy.

That is wishful thinking wearing a name badge.

Good cybersecurity assumes people are human.

They get busy.
They get distracted.
They try to be helpful.
They trust familiar names.
They click things sometimes.

The goal is not to shame people for being human.

The goal is to build systems that do not fall apart the moment someone has a normal Tuesday.


So How Do You Defend Against This Without Becoming Paranoid?

Good news: you do not have to turn your office into a bunker.

You do not have to suspiciously interrogate every email like you’re in a spy movie.

You just need better habits, clearer processes, and a few “pause before panic” rules.

Here are a few practical places to start.


1. Verify Financial Changes Outside of Email

If a vendor asks to change banking information, payment instructions, mailing addresses, or contact details, verify it through a known phone number.

Not the number in the email.

Not the number in the attachment.

Not the number in the signature.

Use a phone number you already had on file or one verified from a trusted source.

This one step can stop a lot of expensive mistakes.

A simple internal rule could be:

“No banking or payment changes are made based only on email.”

That sentence may be boring.

It may also save you thousands of dollars.

Boring is underrated.


2. Create a “Pause Button” for Urgent Requests

Cyber criminals love urgency because urgency makes people skip steps.

So build a rule around it.

If a request involves money, credentials, sensitive information, gift cards, payroll, tax forms, or account access — and it is marked urgent — slow down.

Especially if it pressures someone to act quietly or quickly.

Healthy organizations make it safe for employees to verify before acting.

Nobody should feel embarrassed for asking:

“Can someone confirm this is legitimate?”

That should be praised, not treated like a bother.

Because the employee who pauses may be the employee who saves the business from a very expensive mess.


3. Use Multi-Factor Authentication

Yes, MFA is one of those cybersecurity topics that gets repeated constantly.

That is because it matters.

If a password gets stolen, MFA can help stop that stolen password from becoming a full account takeover.

Is MFA perfect?

No.

Is it better than relying on passwords alone?

Absolutely.

Think of it like locking your front door and having a deadbolt.

Could someone still try to get in?

Sure.

But why make it easy?

Cyber criminals are often looking for the easiest target.

Do not be the easiest target.

That is it. That is the strategy.


4. Stop Sharing Passwords Like Office Snacks

Shared passwords may feel convenient.

Until nobody knows who logged in, who changed what, who still has access, or whether the password was ever shared with someone who left.

Each person should have their own login wherever possible.

Access should be based on job responsibilities.

And when someone leaves, their access should be removed promptly.

If your current password process is:

“Ask Bob, he knows it”

then congratulations, Bob is now both a person and a cybersecurity risk management system.

Bob deserves better.

So does your organization.


5. Clean Up Old Accounts

Review user accounts regularly.

Look for:

  • Former employees
  • Duplicate accounts
  • Generic logins
  • Unused admin accounts
  • Old vendor access
  • Accounts without MFA
  • People with more access than they need

This does not have to be fancy.

Start with a list.

Who has access to what?

Should they?

If not, remove it.

Cybersecurity does not always start with advanced tools.

Sometimes it starts with a spreadsheet and an uncomfortable amount of honesty.


6. Train Employees With Real-Life Examples

Please do not make security training feel like punishment.

Nobody wants to sit through another robotic slideshow where a stock photo man in a headset explains phishing like it’s 2007.

Use real examples.

Show what scam emails look like.

Talk through why they work.

Explain the red flags.

Create a culture where employees can ask questions without feeling foolish.

The best training is not:

“Don’t click bad things.”

The best training is:

“Here’s how criminals try to trick normal, smart, busy people — and here’s what to do when something feels off.”

That distinction matters.

Because people are not usually tricked because they are dumb.

They are tricked because the scam was designed to hit them at the wrong moment.

If your organization hasn’t tested how employees respond to phishing emails lately, you might be surprised by the results.

Regular awareness training and phishing simulations can provide valuable insight into where additional education may be needed—before a real attacker identifies the same gaps.


7. Document the Stuff Only One Person Knows

Every organization has at least one person who knows how everything works.

The passwords.
The vendor contacts.
The billing process.
The weird printer fix.
The payroll steps.
The software renewal dates.
The “don’t touch that button” button.

That person is valuable.

That person is also a single point of failure.

If only one person knows a process, your organization is vulnerable — not just to cyber criminals, but to vacations, resignations, sick days, emergencies, and plain old burnout.

Document critical processes.

Especially anything involving:

  • Money
  • Access
  • Client data
  • Employee data
  • Compliance
  • Vendors
  • Core operations

You do not need a 90-page manual.

Start with simple steps.

Record a screen.
Write a checklist.
Save vendor contacts.
Explain how approvals work.
Document who can authorize what.

Cybersecurity and business continuity are closer cousins than people realize.

Both ask the same question:

“What breaks if the wrong thing happens at the wrong time?”


The Real Lesson: Criminals Love Gaps

Cyber criminals do not need your organization to be completely unprotected.

They just need a gap.

A gap in communication.
A gap in verification.
A gap in offboarding.
A gap in documentation.
A gap in password practices.
A gap between “we thought someone handled that” and “apparently no one did.”

That is where they operate.

Not always in your technology.

Often in your assumptions.

The uncomfortable truth is that many cyber incidents begin with:

“I thought we had a process for that.”

Or:

“I assumed someone checked.”

Or:

“We’ve always done it this way.”

Or the classic:

“It seemed legitimate at the time.”

And honestly?

That is understandable.

Most organizations are busy running the actual organization.

You are serving customers, residents, clients, patients, members, donors, students, or the community.

You are not sitting around thinking:

“How would a criminal exploit our invoice approval workflow today?”

But maybe once in a while, you should.

Just for a few minutes.

Not because you want to become paranoid.

Because you want to become prepared.


A Simple Exercise: Think Like a Cyber Criminal for 10 Minutes

Here is something you can do this week.

Gather a few people from your organization and ask:

If someone wanted to trick us, where would they start?

Then walk through these questions:

  1. Who can approve payments?
  2. How do we verify vendor changes?
  3. What happens if the owner/director/manager is unavailable?
  4. Do former employees still have access to anything?
  5. Do we use shared passwords anywhere?
  6. Who has admin access?
  7. What information is publicly available about our staff and vendors?
  8. What process depends entirely on one person?
  9. What would happen if someone’s email account was compromised?
  10. Would employees feel comfortable questioning a suspicious request?

You may not like every answer.

That is fine.

Finding the gap before a criminal does is the whole point.


Final Thought: The Criminal Is Looking for Easy

Cybersecurity can feel overwhelming because people imagine they have to defend against every possible threat at once.

But most criminals are not looking for hard.

They are looking for easy.

Easy passwords.
Easy money.
Easy targets.
Easy confusion.
Easy trust.
Easy urgency.
Easy access.

Your job is not to be perfect.

Your job is to be harder to fool than the criminal expected.

Add a verification step.
Turn on MFA.
Remove old accounts.
Stop sharing passwords.
Train your team.
Document your processes.
Question urgent requests.

Small improvements can close big gaps.

And if you are not sure where your biggest gaps are?

That is a good place to start.

Because the best time to think like a cyber criminal is before one thinks about you.


At Herstek & Associates, we help small and mid-sized businesses, nonprofits, and municipalities look at their technology and processes with a practical eye — not just “is it working?” but “is it protected?”

If you are wondering where your organization may be more vulnerable than you realize, start with the question:

“If someone wanted to trick us, where would they begin?”

The answer may tell you exactly what needs attention next.