The IT department at Middlesbrough-based logistics firm Hartwell Distribution has spent half a year diligently deleting emails about a critical server vulnerability, having collectively decided that the warnings from their own security software vendor were almost certainly an elaborate phishing attempt.
The messages, which began arriving in March and escalated from ‘urgent’ to ‘critical’ to ‘please for the love of God update your systems’, were systematically moved to a folder marked ‘suspicious correspondence’ by the three-person team responsible for maintaining the company’s entire digital infrastructure.
Graham Pettifer, senior IT administrator, explained that the emails had displayed several telltale signs of a scam. These included a sense of urgency, multiple embedded links, and the phrase ‘click here to secure your network’, which he noted was ‘exactly the sort of thing we tell people not to do, isn’t it’.
The vendor’s increasingly desperate attempts to contact the team only deepened their suspicions. Follow-up emails with subject lines such as ‘Second Notice: Critical Patch Available’ and ‘Your Server Infrastructure Remains Vulnerable’ were interpreted as signs of a particularly persistent threat actor, possibly state-sponsored.
“We’ve been running those cybersecurity training sessions every quarter since 2019,” said Pettifer. “Everyone knows that legitimate companies don’t send emails asking you to download things or warning about security problems. That’s scammer behaviour. We’re not idiots.”
The situation came to light only when an actual phishing email, sent by a teenager in Romania, successfully compromised the unpatched servers within minutes. The attack was notably straightforward, requiring none of the sophisticated social engineering that might have been necessary had the systems been updated at any point since February.
Jennifer Caldwell, the company’s compliance officer, admitted that the IT team’s thoroughness in avoiding potential threats had created what she termed ‘a slight gap in our actual security posture’. She confirmed that the department had also been ignoring phone calls from the software vendor, having assumed these were part of an elaborate vishing campaign.
“Looking back, there were perhaps some indicators that the emails were genuine,” Caldwell acknowledged. “The sender address was correct. The links went to the legitimate vendor website. The person calling us knew our account number and could describe our server configuration in detail. But these are exactly the things a really good phishing operation would get right.”
The IT department has now implemented a new protocol whereby all security warnings will be printed out and assessed in a weekly meeting, though Pettifer noted this may be delayed as the team’s printers have been disabled since January following an email about a firmware update that ‘seemed dodgy’.
Hartwell Distribution’s systems remain offline. The company is currently accepting orders by fax, a system which Pettifer described as ‘refreshingly immune to this sort of confusion’.