
That 'Weird Email' Your Employee Clicked? It Just Cost You $12,000.

How one quick click can drain your bank account—and what to do about it.

January 10, 2026 · 5 min read

Let me tell you about Michael's Tuesday morning.

Michael runs a construction company. Twenty employees. They do commercial renovations, mostly. Good business. Good reputation. Until Tuesday.

His bookkeeper, Janet, had been with the company for eight years. Reliable. Detail-oriented. Not someone who makes careless mistakes.

So when she got an email that looked like it came from their bank, asking her to verify some account information for a wire transfer, she didn't think twice. The email had the bank's logo. It mentioned their actual account number. It referenced a payment they'd recently sent.

She clicked the link. Entered the credentials. And gave hackers complete access to their business banking.

By Wednesday morning, $12,000 was gone. Transferred to accounts that would bounce the money across three countries before disappearing entirely.

This Wasn't Janet's Fault

Here's what kills me about this story: Janet did everything she would normally do. The email looked legitimate. The request seemed routine. She was busy—it was the end of the month, and she had payroll to process.

She wasn't careless. She wasn't stupid. She just hadn't been taught what to look for.

And that's the problem. We expect employees to recognize threats they've never been trained to identify. That's like expecting someone to spot a counterfeit $100 bill when they've never been shown what makes a real one different.

How the Scam Worked

The criminals who targeted Michael's company did their homework:

  1. They researched the business. They knew the bank Michael used, probably from a check image posted on a subcontractor's Instagram (it happens more than you'd think).
  2. They made the email look perfect. Same colors, same fonts, same footer as legitimate bank emails.
  3. They created urgency. The email said the transfer would fail if not verified within 24 hours.
  4. They exploited trust. Janet had received similar (legitimate) emails from the bank before. This one fit the pattern.
  5. They timed it well. End of month, when Janet was busy and distracted.

This wasn't a random attack. It was calculated, professional, and effective.

The Real Cost Was More Than $12,000

The money was bad enough. But that wasn't the whole cost.

Michael spent three days dealing with the bank. He couldn't work on projects. He couldn't chase new business. He was on the phone with fraud departments, police, and lawyers.

Janet was devastated. She offered to pay back the money herself. She almost quit. Michael spent weeks rebuilding her confidence and assuring her she wasn't being blamed.

Their insurance didn't cover it. Social engineering fraud—where criminals trick employees into voluntarily transferring money—often isn't covered under standard business insurance. Michael found this out the hard way.

They lost a client. Word got around. One client decided they didn't want to work with a company that had been "hacked." Unfair? Yes. But reputation damage is real.

What Would Your Team Do?

Here's a simple test. Could your employees answer these questions?

  • "How do you verify that an email actually came from who it says it came from?"
  • "What should you do if you receive an urgent financial request via email?"
  • "How do you check if a link is safe before clicking it?"

If you're not confident they could answer correctly, that's not their fault. It's a training gap.

Most employees want to do the right thing. They want to protect the company. They just don't know what "the right thing" looks like when it comes to security.

Five Minutes Could Have Saved $12,000

Janet told me later that if she'd known just one thing—to call the bank directly using a number she looked up herself, not the one in the email—she would have caught the scam.

Five minutes of verification. $12,000 in losses avoided.

That's the thing about security training. It's not about turning your employees into cybersecurity experts. It's about giving them simple habits that prevent disasters.

Things like:

  • When in doubt, verify through a different channel. Got an email from your bank? Call them using the number on your card.
  • Watch for urgency. Legitimate requests rarely require immediate action without verification.
  • Check the email address, not just the name. "Bank of America" as a display name doesn't mean the email is from Bank of America.
  • When it involves money, always double-check. Period.
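The same habits can be run as a mechanical first pass before a person ever sees the message. The script below is an added example, not part of the original post: it parses a constructed email modelled on the one Janet received and flags a lookalike sender domain, a Reply-To that goes elsewhere, urgency language, and a link whose visible text hides where it really points. The bank domain and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the story: bank display name, lookalike domain,
# a 24-hour deadline, and a link whose text does not match where it points.
SAMPLE = """From: "First Regional Bank" <alerts@firstregional-verify.example>
Reply-To: secure-desk@mailbox-verify.example
To: janet@constructionco.example
Subject: Action required: verify wire transfer within 24 hours
Content-Type: text/html

<p>Your wire transfer will fail if not verified within 24 hours.</p>
<p><a href="http://firstregional-verify.example/login">https://www.firstregional.example/login</a></p>
"""
KNOWN_BANK_DOMAINS = {"firstregional.example"}  # assumed: domains the business actually banks with
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent|will fail|action required)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def is_known(host, known):
    return bool(host) and any(host == d or host.endswith("." + d) for d in known)

def check_email(raw, known=KNOWN_BANK_DOMAINS):
    """Return 'tag: detail' warnings for the habits listed above; an empty list means no red flag."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1].lower()
    # Check the address, not the display name: "First Regional Bank" proves nothing.
    if not is_known(from_host, known):
        flags.append(f"sender-domain: {display!r} sent from unknown domain {from_host!r}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_host:
        flags.append(f"reply-to: replies go to {reply!r}, not the sender's domain")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    # Watch for urgency: deadlines and "will fail" are pressure, not verification.
    hit = URGENCY.search(msg.get("Subject", "") + " " + body)
    if hit:
        flags.append(f"urgency: {hit.group(0)!r}")
    # Check where a link really goes before anyone clicks it.
    for href, text in LINK.findall(body):
        target, shown = urlparse(href).hostname, urlparse(text.strip()).hostname
        if not is_known(target, known) or (shown and shown != target):
            flags.append(f"link: text shows {shown!r} but points at {target!r}")
    return flags

if __name__ == "__main__":
    for flag in check_email(SAMPLE):
        print(flag)
```

Any flag at all is the cue for the five-minute habit from the story: stop, and call the bank on a number you looked up yourself.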

It's Not About Blame. It's About Preparation.

I share Michael and Janet's story not to scare you, but because it could happen to anyone. It probably will happen to someone you know.

The question isn't whether your business will be targeted. It's whether your team will be ready when it happens.

Give your team the knowledge they need

PrymoSec trains your employees to catch the scams that slip past spam filters. Our simple, practical modules cover exactly what your team needs to know—without the technical jargon.

After training, your employees will:

  • Spot suspicious emails before they click
  • Know how to verify unusual requests
  • Understand what to do if something seems wrong

Don't wait for your $12,000 wake-up call.
