This is a guest post by Marko Gulan, a seasoned cybersecurity and risk management expert with over 15 years of experience in ICT consulting. He provides high-level advisory services to help organizations navigate the complexities of today’s evolving threat landscape. His expertise includes designing and implementing robust cybersecurity frameworks, managing enterprise risks, and aligning technology with regulatory requirements to support business goals.

In today’s business world, admitting you’ve been scammed isn’t just a personal embarrassment – it’s a reputational blow. For those of us who lead teams, make decisions, and carry responsibility, the expectation is that we always have everything under control.
But what happens when a cyberattack doesn’t look like an attack at all? What if it doesn’t exploit a technical flaw, but instead targets your emotional trust and your mental distraction? What if your digital world – your brand, your channels, your clients – becomes a weapon in the hands of someone you’ve never even met?
This is a true story. My client. Real damage. And a lesson every business leader needs to hear.
It looked like the business opportunity of a lifetime
My client was running a business with a modern digital approach. He communicated with clients via social media, ran campaigns, generated leads. One of those campaigns targeted the luxury market – and that was the trigger.
An American luxury brand responded, expressing interest in expanding into Europe. Visually impressive. Professionally worded. Courteous yet authoritative. Everything a decision-maker would recognize as a dream partner.
Months of video calls and online meetings followed. Brand representatives were responsive, presentations were on point, the tone was spot-on. After four months, the partnership was agreed. All that remained was the paperwork.
The attack took place on Good Friday. But my client became a victim much earlier.
On the eve of Easter, on Good Friday, my client received two documents – a PDF contract and a PPTX brand presentation. They were sent by “the brand.” Or so he thought.
It was the end of a long workday. He opened the files, saw nothing suspicious, and decided to review them properly after the holiday.
But by then – it was already too late.
The files were infected. Malware activated immediately upon opening. It silently harvested saved passwords, hijacked social media accounts, accessed cards, and stole his company’s entire digital identity.
By evening, the damage was done: all business social media profiles were stolen, thousands of euros were withdrawn from cards (up to their limits), and the attacker used his communication channels to target and deceive his clients.
The warning signs were there – but focus was elsewhere
With hindsight, everything becomes clear. But at the moment? It was just another email. Another document. Another task at the end of the day.
Today’s decision-makers aren’t uninformed – but they are overloaded. Dependent on digital tools. Multitasking. Skimming. We build trust based on visuals and tone, not verification.
Later, my client admitted ignoring several major red flags: sudden urgency to sign documents after months of relaxed negotiation; all communication took place via business social media, with no traditional corporate email exchanges; documents were sent from an address not associated with the brand, a newly registered email domain; and video calls always showed blurry, pixelated faces, so the people on the other end were never truly visible.
This attack didn’t happen due to a technical vulnerability. It happened because of a psychological lapse. Because of digital dependency, the kind that clouds our critical thinking in a world of five apps, three meetings, and two deadlines at once.
Ignoring cybersecurity advice isn’t saving money. It’s gambling.
For years, I had advised my client to implement basic cybersecurity practices. He postponed them. Here’s what was missing: 2FA (two-factor authentication) was never activated; passwords were stored in the browser; he reused the same password across services; and he never checked when domains were registered or who owned them.
The email domain used to send the malicious documents had been registered only days before. A simple WHOIS check would have revealed that. But when you’re always “online,” always “on a call,” always “in the loop” – who takes the time?
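The two checks described above, whether the sending domain actually belongs to the brand and how recently it was registered, are cheap to automate. The following script is an added example written for this post, not something the author or his client used. It parses the creation date out of a raw WHOIS record, computes the domain's age, and flags a sender whose domain is either unknown or only days old. The WHOIS text, the domain names, the known-domain list and the reference date are all constructed for the example; in practice the WHOIS record would come from a lookup against the registry.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for a hypothetical look-alike domain.
# Sample data written for this example, not a real registry record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LUXURY-BRAND-EU.COM
Registrar: Example Registrar, LLC
Creation Date: 2025-04-14T09:12:33Z
Updated Date: 2025-04-14T09:12:33Z
Registry Expiry Date: 2026-04-14T09:12:33Z
Registrant Organization: REDACTED FOR PRIVACY
"""

# Constructed record for the brand's long-established domain (also hypothetical).
OLD_WHOIS = """\
Domain Name: EXAMPLE-LUXURY-BRAND.COM
Creation Date: 2012-03-01T00:00:00Z
"""

# Constructed reference time for the checks: Good Friday 2025, late afternoon UTC.
GOOD_FRIDAY_2025 = datetime(2025, 4, 18, 18, 0, tzinfo=timezone.utc)

# Registries label the registration date differently; these are the
# common field names seen in raw WHOIS output.
CREATION_FIELDS = (
    r"Creation Date:\s*(\S+)",
    r"Registered on:\s*(\S+)",
    r"created:\s*(\S+)",
)

# Date layouts seen in WHOIS output, tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the domain creation date as an aware UTC datetime, or None."""
    for pattern in CREATION_FIELDS:
        match = re.search(pattern, whois_text, re.IGNORECASE)
        if not match:
            continue
        raw = match.group(1).replace("Z", "+00:00")  # make 'Z' parseable by %z
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text, now):
    """Age of the domain in whole days at time `now`, or None if no date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def sender_domain(address):
    """Lower-cased domain part of an address such as 'Name <user@host.tld>'."""
    match = re.search(r"[^@\s<>]+@([^\s<>]+)", address)
    return match.group(1).lower() if match else ""


def assess_sender(address, whois_text, known_brand_domains, now, min_age_days=90):
    """Flag a sender whose domain is not one the brand uses, or is very new."""
    domain = sender_domain(address)
    age = domain_age_days(whois_text, now)
    findings = []
    if domain not in {d.lower() for d in known_brand_domains}:
        findings.append(f"{domain} is not a known domain of the brand")
    if age is None:
        findings.append("creation date not found in WHOIS record; verify manually")
    elif age < min_age_days:
        findings.append(f"domain registered only {age} days ago")
    return {"domain": domain, "age_days": age,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    known = ["example-luxury-brand.com"]  # hypothetical allowlist of real brand domains
    print(assess_sender("Partnerships <partner@example-luxury-brand-eu.com>",
                        SAMPLE_WHOIS, known, GOOD_FRIDAY_2025))
```

The allowlist of legitimate brand domains is the part that needs a human: it should be confirmed out of band (a phone call to a published number, the brand's own website) before the first document is ever opened, because a look-alike domain registered days earlier is exactly what this script is meant to catch.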
The pace of digital business gives us a dangerous illusion: if everything works, everything must be safe.
That’s a lie.
The takeaway: If you don’t know how you can be attacked – you may not even realize when you are.
Attackers today aren’t hacking firewalls. They’re hacking people. They gain access through emotional manipulation, through the illusion of opportunity, through trust crafted in pixels and words.
Social engineering doesn’t target the naïve. It targets the focused, the fast, the ambitious. The ones who make daily decisions – and occasionally skip the checks.
If you don’t know what a modern attack looks like – you may not realize it’s happening.
And by the time you do, it’s already your responsibility.