When “Encrypted” Isn’t Safe: How One Click Unraveled an Engineering Firm’s Inbox
Carmine Corridore
A Routine Morning Turns Risky
The weekend was over, and Casey Ward was working through an endless scroll of emails when a subject line froze everything in place:
Encrypted docs from your CPA – W-9 and 1099 packet plus quarterly estimate
It was that time of year. Tax forms, financial documents, filings. Casey clicked the prompt. It was an action that would soon be impossible to take back.
As the owner of North Ridge Consulting, a nine-person engineering firm, Casey was already buried under proposals, deadlines, scheduling issues, invoicing questions, and a whiteboard full of half-finished tasks. An encrypted note from the accountant seemed routine.
The Page That Looked Legit
A clean login screen appeared, complete with a lock icon and a simple prompt:
“Sign in to view encrypted documents.”
It asked for an email address and a password. This was an odd request. Casey didn’t remember the CPA using a login page before. Maybe they upgraded their system. Casey signed in.
Another page loaded, but the documents looked scrambled – possibly corrupt. Casey shrugged it off and planned to call the CPA after lunch.
Small Signs, Quick Snowball
Twenty minutes later, the weirdness began.
Outgoing emails were suddenly carrying a new signature line. Replies were landing out of order. A vendor called, confused, because Casey had just emailed requesting an updated W-9 and new ACH details again.
Back at the desk, Casey opened the Sent folder and felt the room tilt. There were messages Casey didn’t remember writing. The messages were polite, professional, and threaded seamlessly into recent conversations. Each included a link to a “secure portal” for invoices or tax documents. The unknown signature was stamped onto all of them.
The truth hit hard: the “encrypted” page wasn’t secure at all. It was a trap, and Casey had handed over the keys.
A Lone Fight Against a Silent Intruder
With no managed cybersecurity partner, Casey did what most business owners do first: tried to fix it alone.
Password changes. Forced logouts. A desperate call to the email provider. A mass “Please ignore any strange emails from me” message to clients.
But the attackers were already living inside the mailbox.
Two clients forwarded screenshots of suspicious follow-ups. Another shared a phishing link styled with North Ridge branding, indicating the attackers were now imitating the firm itself. A long-time client nearly sent a wire transfer to a fraudulent account before deciding something felt slightly off and calling to double-check.
Luck – not security – prevented a financial disaster.
Full Compromise
By noon, Casey’s inbox felt like a crime scene.
The attackers had:
- Created hidden mailbox rules forwarding select messages to an external address
- Filtered replies so Casey couldn’t see them
- Injected messages into legitimate threads
- Sent outbound phishing attempts to clients and vendors
- Used North Ridge’s email domain to generate convincing fraudulent portals
Critical messages never reached the inbox. Some client conversations had been hijacked in real time. Revenue for the day evaporated into damage control.
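A defender's check for the first two items in the list above, as an added example that is not part of the original article: it audits an exported list of mailbox rules for external forwarding and for rules that hide mail from the inbox. The rule field names, the folder list, the sample rules and the domain `northridge.example` are assumptions constructed for illustration.

```python
# Added example: audit exported mailbox rules for the two patterns listed above.
# Field names (name, forward_to, move_to_folder, delete, mark_read) are
# hypothetical; map them to whatever your mail platform's rule export provides.

OWN_DOMAINS = {"northridge.example"}   # assumption: the firm's own mail domain(s)
# Assumption: folders a user rarely opens, so mail moved there goes unseen.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return a list of findings for one rule (empty list = nothing flagged)."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in OWN_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if rule.get("delete") or folder in HIDING_FOLDERS:
        findings.append("removes matching mail from the inbox")
    if rule.get("mark_read") and (folder or rule.get("delete")):
        findings.append("marks mail as read while moving or deleting it")
    if not rule.get("name", "").strip(" ."):
        findings.append("blank or punctuation-only rule name")
    return findings

def audit_mailbox(rules):
    """Map rule name -> findings, only for rules with at least one finding."""
    report = {}
    for i, rule in enumerate(rules):
        findings = audit_rule(rule)
        if findings:
            report[rule.get("name") or f"<unnamed #{i}>"] = findings
    return report

# Constructed sample export: two suspicious rules and one ordinary one.
SAMPLE_RULES = [
    {"name": ".", "forward_to": ["collector@mail.example.net"],
     "subject_contains": ["invoice", "ACH", "W-9"]},
    {"name": "sync", "move_to_folder": "RSS Feeds", "mark_read": True,
     "from_contains": ["cpa"]},
    {"name": "Newsletters", "move_to_folder": "Reading"},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```

Run this against every mailbox, not only the one known to be compromised, and review each flagged rule by hand before deleting it so the evidence is preserved.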
When the CPA Called Back
Late in the afternoon, Casey’s real CPA called because they had just received an urgent, slightly odd-sounding request to update ACH details.
Embarrassment quickly shifted into dread.
Even after the password change, the fake messages were still going out.
Casey had lost control of the mailbox.
Calling in Reinforcements
Finally recognizing the depth of the breach, Casey reached out to Underdog Cyber Defense.
Cleanup took a week.
Our team:
- Audited every account
- Removed malicious rules and unauthorized connections
- Enforced multi-factor authentication across all critical systems
- Deployed Advanced Email Protection to block lookalike outbound messages
- Rolled out Security Awareness Training for staff
- Implemented a “first 10 minutes” response playbook for mailbox compromises
The attack was contained, but not before real damage was done.
The Aftermath
The fallout came fast:
- Clients were notified.
- One prospect paused a project until security improvements were proven.
- The cyber insurance broker flagged the incident and demanded evidence of new controls.
- Renewal premiums went up.
No one enjoyed those conversations. But everyone learned from them.
The Lesson That Stuck
The subject line said “encrypted,” but that meant nothing.
Real verification is a phone call to a known number – not trust in a lock icon.
And in a mailbox compromise, the first ten minutes matter more than the next ten hours.
Protect Your Firm Before a Crisis Hits
If Casey’s story feels uncomfortably familiar, you’re not alone. Small and mid-sized businesses are now prime targets for email compromise, and most don’t realize it until damage is already spreading. Don’t wait for a near-miss or a costly incident to take action.
Underdog Cyber Defense offers a free, no-pressure consultation to assess your current risks and outline practical protections you can implement immediately.
If you’re ready to strengthen your defenses and protect your business, book your free consultation today.



