- Use phishing or techniques that bypass multifactor authentication (MFA) to gain access to email or cloud systems.
- Steal session tokens or credentials.
- Move laterally through systems using legitimate tools from well-known vendors.
- Exfiltrate data first, then encrypt systems.
- Launch double or triple extortion campaigns.
Ransomware attacks increasingly rely on double extortion tactics. Attackers steal sensitive data before encrypting systems and frequently threaten to publicly release the information if the organization does not pay a ransom, even after payment is made. Exposed data often appears on dark web sites, compounding legal, regulatory and reputational consequences.
What is phishing and how does it lead to account takeover?
Phishing is a form of social engineering that relies on impersonation to trick individuals into sharing sensitive information. When successful, it can lead to account takeover, enabling a criminal to act as a trusted user within the organization. This can look like:
- An employee receives an email, text message or phone call that appears to come from a colleague, vendor or financial institution.
- The message references a fake invoice, purchase confirmation or account alert and is designed to create urgency, fear or curiosity.
- The employee is prompted to click a link, open an attachment or provide information directly.
- Once credentials, account numbers or card information are compromised, attackers can access email, financial systems or internal applications. This access enables fraud, data theft and additional attacks that leverage the victim’s trusted identity.
Financial and operational risks of cyberattacks on businesses
Cyberattacks expose businesses to financial loss, operational disruption and regulatory scrutiny that can affect day-to-day operations and long-term trust.
Payment fraud exposure
- Wire fraud
- ACH fraud
- Vendor payment redirection
Business disruption
- Inability to process payments or payroll
Regulatory impact
- Breach notification requirements
- Potential fines or audit findings
A real-world ransomware attack: what went wrong
In early 2024, a ransomware attack on a U.S.-based healthcare technology intermediary caused widespread disruption across the national healthcare system.
- Attackers accessed the company’s network using stolen credentials for a remote access system that did not require multi-factor authentication.
- Core transaction systems were encrypted and sensitive data was exfiltrated as part of a double extortion attack.
- Processing, operations and payments were disrupted nationwide.
- The company paid a multimillion-dollar ransom. Soon after, attackers demanded additional payment and released a portion of stolen patient records to demonstrate their leverage.
Security controls including multi-factor authentication, stronger credential management and tighter oversight of third-party access could have significantly limited the attackers’ ability to gain entry. The event reinforced the importance of proactive cyber hygiene, continuous monitoring and disciplined vendor risk management.
What to do if an attack happens
Speed and coordination are critical when responding to a cyber incident, as early detection can significantly reduce losses.
For ransomware:
- Notify IT security and leadership immediately.
- Isolate affected systems to prevent spread.
- Preserve evidence and assess backups.
- Engage legal, forensic and cybersecurity experts.
- Make payment decisions only with executive and legal guidance.
For phishing-related account takeover:
- Report the incident immediately.
- Contact your bank or credit provider to lock affected accounts, cancel compromised cards and reset credentials.
- Notify internal fraud and security teams at once.
Rapid response is especially critical for wire transfers and automated clearinghouse payments, where recovery windows are narrow.
Practical steps to protect your business
Any employee can fall victim to these tactics. Strong prevention reduces both the likelihood of an attack and its potential impact. The most effective cybersecurity programs focus on people, processes and technology, including:
- Ongoing employee education and cybersecurity awareness training to help staff recognize and report suspicious activity
- Multi-factor authentication for email, banking platforms, remote access and other critical systems
- Regular, offline/immutable data backups with routine testing to ensure restoration works as intended
- Active vendor and third-party risk management, including access controls and security expectations; require out-of-band verification for payment changes
- A clear incident response plan that is documented, tested and understood across the organization
Remember: Your bank will never ask for your PIN, passwords or full account details. When in doubt — hang up and call your banker directly.
Frequently asked questions about ransomware and phishing
Should businesses pay a ransomware demand?
In general, paying a ransom is not recommended. Payment does not guarantee that data will be restored or that stolen information will not be released. It may also encourage future attacks. Decisions about ransom demands should be made carefully, with input from executive leadership, legal counsel, law enforcement and cybersecurity experts, based on the specific circumstances of the incident.
How can employees spot phishing emails?
Phishing emails often create a sense of urgency and appear to come from a trusted source. Common red flags include unexpected attachments or links, requests for passwords or financial information, spelling or grammatical errors and sender addresses that do not match the organization they claim to represent. Employees should be trained to pause, verify requests through a known contact and report suspicious messages immediately.
What is the first step after a suspected account takeover?
The first step is to report the incident immediately to internal IT security or fraud teams. Affected accounts should be secured, passwords reset and access reviewed to limit additional impact. If financial accounts are involved, banks or payment providers should be contacted right away, since recovery windows for fraudulent transactions may be very limited.