Background
Alice had been at WonderLandFashionFastAtDoorstep.com for just three weeks. She was still settling in — learning internal workflows, figuring out which Slack channels to use, and checking the org chart before reaching out to senior leaders. Like most new joiners, she wanted to do everything correctly and avoid making mistakes.
At 7:43 AM on a Monday, four weeks before peak season, an email landed in her inbox.
Alice — urgent. I need the full inventory analysis uploaded to the ops portal before the 9 AM board call. Use the link below. Do not delay.
The display name on the message was the CEO's; the address behind it was not the company's, but the name was all that showed in the inbox. The message looked credible: it used her name, the 9 AM board call was real (she had seen it on the shared calendar), the tone matched what she imagined a busy executive would sound like, and the timing created immediate pressure.
The Click
Alice did not pause to verify it. In a fast-moving company, new employees are rarely comfortable questioning a CEO request — especially one that sounds operationally important and time-sensitive.
She clicked the link. A login page opened that looked like the company's normal single sign-on portal. She entered her credentials and uploaded the requested file. Then she sent a quick confirmation reply.
The reply bounced back immediately. She assumed it was a technical issue, made a mental note to revisit it later, and moved on with the rest of her morning.
What Actually Happened
The email had come from wonderlandfasshionatdoorstep.com, a look-alike of the company's domain (a doubled letter in "fashion", and one word dropped) that had been registered only eleven days earlier.
The attacker had done their homework. They had monitored the company's public-facing activity, reviewed LinkedIn posts, identified new hires, and studied the CEO's writing style from public communications. Alice was not randomly targeted. She was selected because she was new, likely under pressure, and more vulnerable to authority-based deception.
Attack Timeline
Leadership Realisation
The CEO only learned about the attack when the operations team started calling him to report systems going offline. He had never sent Alice that email.
The attack succeeded because trust was not backed by process. A new employee faced executive pressure without awareness training, suspicious communication was not expected to be challenged, and weak identity controls allowed one phished session to escalate into a business-wide ransomware event.
- Why was a new employee allowed system access without basic security awareness training during onboarding?
- Why were employees not trained to recognize social engineering attacks such as CEO impersonation emails?
- Why was there no clear policy on how senior leadership sends urgent operational requests?
- Why was there no expectation set for employees to verify suspicious or high-pressure communications?
- Why were shared service accounts and critical systems accessible without strong identity controls such as MFA and password rotation?