Let’s be clear: I’m not a cybercriminal. But if I were—if I wanted to target your business—I wouldn’t need elite hacking skills or a dark web subscription.
I wouldn’t need to break through firewalls or write malware from scratch.
What I’d need is time, patience, a browser, and a basic understanding of how people behave online.
Because here’s the truth: most businesses don’t get “hacked.”
🔹 They get tricked.
🔹 They get bypassed.
🔹 They get handed access by well-meaning people who don’t know what to look for.
So let’s flip the script.
This blog will walk you through how I’d go about attacking your business—step by step—if I were on the other side. Not to scare you, but to show you just how easy it is when awareness is missing.
Step 1: I’d Start With What You’ve Already Shared
First stop? Your website and LinkedIn.
You’d be amazed how much useful information your team gives away just by being professional and proud of their work.
On your website, I’d look for:
🔹 Staff pages (especially names, job titles, and email formats)
🔹 Leadership team bios
🔹 Any mentions of clients, partners, or systems you use
Then I’d head to LinkedIn. I’d look at:
🔹 Who handles accounts, operations, and finance
🔹 Who recently started (great for impersonation)
🔹 Who publicly shares project wins, new software rollouts, or upcoming pitches
Why? Because this gives me names, targets, context, and a timeline.
If I know who’s in charge of payments, who’s onboarding clients, and what your current business focus is, I can tailor everything I do to sound more believable.
And while I’m there, I’ll also be scanning for photos of staff wearing ID badges at trade shows, in office selfies, or in team announcements. If I can see your badge layout, colours, logo, or lanyard design, I can replicate one well enough to walk into your office looking like I belong—especially if your front-of-house team changes regularly.
You might call this “doing your homework.” I’d call it the groundwork for an attack.
Step 2: I’d Look for Your Leaked Credentials
Next, I’d check if your domain or staff emails have appeared in any known data breaches using a tool like Have I Been Pwned.
If I find a set of email addresses and passwords leaked from past platform breaches—LinkedIn, Dropbox, or worse—I’ll try those credentials across:
🔹 Microsoft 365
🔹 CRM platforms
🔹 Webmail
🔹 File sharing systems
🔹 Anything exposed online
This is called credential stuffing. It’s simple, automated, and sadly, still incredibly effective—especially if you’ve reused passwords (and most people do).
Why does this work? Because password psychology is predictable. People choose things that are easy to remember. They tweak the same passwords across systems. And when no one’s looking, they cut corners.
If one of those old passwords works—even just once—I’m in.
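One way a defender can spot this pattern in sign-in logs, as an added example that is not part of the original post: the script below is my own, assumes a simple four-column log format with constructed sample data, and flags a source that touches many different accounts roughly once each, which is what a replayed breach list looks like and what a single user retrying a password does not.

```python
from collections import defaultdict

# Constructed sample sign-in log (timestamp, source IP, account, result);
# not real data. 203.0.113.5 walks a breach list; 198.51.100.20 is one user retrying.
SAMPLE_LOG = """\
2024-09-10T08:01:02Z 203.0.113.5 alice@example.co.uk FAIL
2024-09-10T08:01:03Z 203.0.113.5 bob@example.co.uk FAIL
2024-09-10T08:01:03Z 203.0.113.5 carol@example.co.uk FAIL
2024-09-10T08:01:04Z 203.0.113.5 dave@example.co.uk SUCCESS
2024-09-10T08:01:05Z 203.0.113.5 erin@example.co.uk FAIL
2024-09-10T08:01:05Z 203.0.113.5 frank@example.co.uk FAIL
2024-09-10T08:15:00Z 198.51.100.20 alice@example.co.uk FAIL
2024-09-10T08:15:10Z 198.51.100.20 alice@example.co.uk FAIL
2024-09-10T08:15:30Z 198.51.100.20 alice@example.co.uk SUCCESS
"""

def parse_log(text):
    """Parse the four-column format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def find_stuffing_sources(events, min_accounts=5, max_attempts_per_account=2.0):
    """Return source IPs whose pattern looks like credential stuffing.

    A real user, and even a classic brute force, hammers one account. Stuffing
    replays a breach dump, so one source hits many accounts about once each.
    Accounts that succeeded from a flagged source are listed for forced resets.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e["user"] for e in evs}
        per_account = len(evs) / len(accounts)
        if len(accounts) >= min_accounts and per_account <= max_attempts_per_account:
            flagged[ip] = {
                "accounts_tried": len(accounts),
                "successes": sorted(e["user"] for e in evs if e["ok"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately loose; in a real tenant you would tune them against your own baseline and pair the alert with MFA enforcement and a reset for every account in the "successes" list.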
Step 3: I’d Craft a Phishing Email You’d Actually Click
Forget dodgy grammar and generic threats. I’d build something targeted, relevant, and urgent. Based on what I’ve learned from LinkedIn or your blog, I’d send an email like:
Subject: Payment Request for Q3 Marketing Services
Hi [Name],
Just spoke with [Agency Name] about the Q3 marketing invoice—can you process this payment before 2pm today?
Amount: £4,320.00
Account: [Fake Account Details]
Let me know when it’s done—I’m tied up in meetings all afternoon but on email if urgent.
—[Your Director’s Name]
It’s short. Polite. Business-as-usual.
You’ve probably seen a dozen like it. And if it’s sent while your Director’s genuinely in meetings (info I can easily find online), you might just approve it without thinking.
Phishing isn’t about shouting. It’s about sounding just familiar enough not to raise a flag.
Step 4: I’d Target Systems No One’s Watching
Most businesses are good at protecting the systems they use every day. But what about the ones you forgot about?
🔹 The legacy CRM you moved away from but never decommissioned.
🔹 The supplier portal only two people use.
🔹 The old FTP server with login credentials still active from 2020.
If it’s connected to the internet and you haven’t looked at it in months, it’s low-hanging fruit. I’ll scan for exposed ports, default logins, or known vulnerabilities in outdated software versions.
Why? Because attackers don’t waste time on your strongest point—they go straight for the weakest.
Step 5: I’d Use Your Team Against You
If phishing didn’t get me in, I’d move to social engineering—using psychology instead of technology. Because at the end of the day, people are often more vulnerable than systems.
Let’s say I wanted to trick your finance team or operations lead into taking action.
I’d craft an email that looks like it came from your Managing Director—complete with your branding, tone, and a believable sense of urgency.
If I’ve done my research (and I have), I’ll know the names of your suppliers, the kind of language your execs use, and when your team is likely to be busy or distracted.
Here’s what I’d send:
Subject: Quick Approval Needed: Updated Terms from [Vendor Name]
Hi [First Name],
[Vendor Name] just sent over an updated agreement—can you take a quick look and confirm if we’re happy to proceed with the revised payment terms?
Here’s the document: [Link to fake PDF]
I’m in back-to-backs this morning so if you’re happy, go ahead and sign off. Just cc me in.
Cheers,
[Director’s Name]
It’s calm, believable, and totally routine. Which is exactly why it works.
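An added detection example covering both the Step 3 and Step 5 emails; this is my own code, not the post's or Cyber Rebels' material. It assumes a plain-text, single-part message, a hypothetical internal domain and executive directory, and a constructed message modelled on the Step 3 sample; it flags the combination that makes these emails work: an executive's display name arriving from an outside domain, plus time pressure, a payment or approval ask, and an "I'm unreachable" line that discourages a quick phone check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal directory (constructed): senior staff display names and the
# address each legitimately sends from. Hypothetical domain and person.
INTERNAL_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}

# Cues drawn from the two sample emails: time pressure, a payment or approval
# action, and "I'm unreachable" framing that discourages a quick phone check.
URGENCY = re.compile(r"\b(before \d{1,2}\s?(am|pm)|today|quick|asap|urgent)\b", re.I)
PAYMENT = re.compile(r"\b(payment|invoice|account|payment terms|sign off)\b", re.I)
UNREACHABLE = re.compile(r"\b(tied up|in meetings|back-to-backs|on email if)\b", re.I)

# Constructed message modelled on the Step 3 example; no real parties or accounts.
SAMPLE_EMAIL = """\
From: Jane Smith <jane.smith.ceo@mail-example.com>
To: accounts@example.co.uk
Subject: Payment Request for Q3 Marketing Services

Hi Sam,
Just spoke with the agency about the Q3 marketing invoice - can you process
this payment before 2pm today?
Amount: 4,320.00
Account: [placeholder account details]
Let me know when it's done - I'm tied up in meetings all afternoon but on email if urgent.
Jane
"""

def impersonation_signals(raw):
    """Return the list of reasons a plain-text message looks like exec impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    text = (msg["Subject"] or "") + "\n" + msg.get_payload()
    reasons = []
    # Core signal: a known executive's display name on a non-company domain.
    known = EXECUTIVES.get(name.strip().lower())
    if known and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{name}' matches {known} but sender domain is {domain}")
    if URGENCY.search(text):
        reasons.append("time pressure")
    if PAYMENT.search(text):
        reasons.append("payment or approval request")
    if UNREACHABLE.search(text):
        reasons.append("sender claims to be unreachable for verification")
    return reasons
```

The display-name mismatch is the signal worth acting on; the wording cues alone also appear in genuine mail, so they are best used to raise a banner ("verify by phone before paying") rather than to block.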
But email isn’t my only option.
I might ring reception pretending to be from IT: “Hi, I’m onboarding a new team member and just need to confirm which email format you use…”
Or I’d drop a USB stick labelled something tempting like “Payroll Q3 – Confidential” or “Client Contracts 2024” in the car park, near the smoking shelter, or by an outdoor seating area.
Eventually, someone will pick it up. And someone will take it inside and plug it in, “just to see what’s on it.”
But if it’s not just a USB—if it’s a Rubber Ducky—I won’t need them to open anything at all. The moment it’s plugged in, it starts running commands as if it were a keyboard.
Rubber Duckies don’t rely on luck. They rely on curiosity, helpfulness, and a tiny bit of human error.
And they work more often than most people would like to admit.
Step 6: I’d Wait for the Right Moment to Strike
Sometimes, once I’m in, I won’t act straight away.
I might sit quietly for weeks—mapping systems, reading internal emails, monitoring activity. Then I’ll strike when:
🔹 You’re closing month-end
🔹 A key decision-maker is on leave
🔹 Your IT team is buried in another project
🔹 Or your backups haven’t been tested in months
Because real attackers aren’t always looking for speed. They’re looking for maximum disruption with minimal resistance.
So How Do You Stop Me?
This is where most businesses want a tool list. But tools alone won’t save you.
You need a workforce that knows how to spot red flags, pause before clicking, and challenge things that don’t feel right.
You need:
🔹 Awareness training that reflects the real threats your business faces
🔹 Leadership that treats people as your first line of defence
🔹 A culture where security isn’t a bolt-on—it’s baked into how you work
At Cyber Rebels, we train teams to think like attackers so they stop acting like easy targets. It’s not fear-based. It’s behaviour-based. And it works.
Final Thoughts: It’s Not About Hacking. It’s About Human Nature.
Most cyber attacks don’t happen the way people think they do.
They’re not about sophisticated code or brute-force tools. They’re about the attacker knowing how your team thinks—and your team not knowing how attackers think.
Everything I’ve outlined in this blog—every single step—is based on tactics used every day to breach businesses just like yours. No drama. No technical wizardry. Just observation, timing, and a well-placed assumption.
If your people don’t know what these attacks look like, they can’t defend against them. And that’s the real risk.
At Cyber Rebels, we help businesses stop handing over access without realising it. Our training doesn’t throw acronyms at people or rely on outdated slides. We run live, human-first sessions that show teams how attackers operate, where they’re most likely to strike, and how to spot the signs—before it’s too late.
Because it’s not about being paranoid. It’s about being prepared.
💡 If you’re ready to build habits that protect your business—not just systems that tick compliance boxes—let’s talk.
We’ll help your team think like an attacker, so they can act like a defender.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
