"We assumed everyone knew how to spot a phishing email."
COMPANY
Sector: Non-Profit
Size: 150 employees
Location: Brussels
FACTS & FIGURES
No formal training program for staff
Employee clicked phishing link, entered credentials
Business Impact: Email account compromise and data theft
STORY
A Brussels-based NGO operated under the assumption that common sense was enough to protect against phishing. Without training, one employee clicked on a crafted phishing link, unknowingly handing over their credentials. Attackers used the compromised account to send fraudulent donation requests to partners, damaging trust and diverting funds.
INCIDENT OVERVIEW
Security awareness is often underestimated, yet employees are the first line of defense. Attackers exploit a lack of training, using increasingly sophisticated phishing tactics that bypass spam filters. Without awareness, staff are left guessing, and one mistake can have cascading effects. In this case, the absence of structured training directly enabled a successful attack that harmed both finances and reputation.
BUSINESS IMPACT
Financial loss due to fraudulent transfers
Reputational damage with donors and partners
Potential regulatory implications under GDPR
SECURITY MEASURES
Implement regular phishing and cybersecurity awareness training
Conduct simulated phishing campaigns to reinforce learning
Establish a clear process for reporting suspicious emails