DISCLAIMER: This case study depicts a fictional cyber incident based on real-life scenarios described by expert interviewees, media reports, and other publicly available resources. While the details surrounding the characters, company, and ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on actual cases.

Vulnerable Electric (VE) is a private utility company providing retail electricity service to 1.4 million customers in eastern and central Massachusetts. Headquartered in downtown Boston, VE has close to 600 employees across all its locations and generates about $250 million in annual revenue.

Betsy, a longtime employee of VE, is always the first to arrive in the office. In fact, she prides herself on it. She uses her fob to let herself into the building, rides the elevator to the 16th floor, puts on a pot of coffee in the kitchen area, and sinks into her well-worn desk chair— all before 6 a.m. Betsy, who has been with the company 23 years, is executive assistant to the vice president of human resources.

Betsy’s boss has a big job: He oversees all human resource efforts supporting VE’s business. Accordingly, Betsy sees her own role in supporting him as equally vital. She manages his calendar, maintains and organizes administrative records, and prepares general and confidential correspondence, among many other things.

Because Betsy leaves the office each evening with her tasks in order for the following day, she enjoys the reward of a quiet hour to herself between 6 and 7 a.m., after which point her colleagues trickle in. She uses the time to indulge her secret obsession: online shopping for her grandchildren.

Early one morning, Betsy powers on her work laptop to find an email marked “urgent” from her boss’s account, HumenresourcesVP@VE.com. She opens it. The email is uncharacteristically abrupt, but Betsy assumes it’s because of the early hour and the apparent time-sensitivity of the request.

“Hi. Will you please print this spreadsheet [LINK HERE] and leave hard copy on my desk? Ty.”

Dutifully, Betsy clicks the link. But then something peculiar happens. There is no spreadsheet. Instead, Betsy has been redirected to her company’s website.

She scans the site, eyebrows knit. Then, a bad feeling wrenches in the pit of her stomach. Something is wrong. The website looks … phony. Yes, phony. The VE branding is all there, but the website itself looks doctored somehow, and there is a blocky message demanding her login credentials to continue.

She glances back at the email, and with a little gasp, notices a typo in the email address: “Human” is spelled wrong. Heart hammering in her chest, she “X’s” out of the website and debates whether to reboot her laptop. Would that do anything? She vaguely recalls a cybersecurity training from a while back that covered this exact scenario, but she can’t remember whether the instructor said to power off or not. Betsy settles on not. She’s done enough damage as it is, she reasons.

She considers calling her boss or reporting the email to IT. But she’s afraid they’ll dig into her browsing history and see she’s been using her work laptop for online shopping.

She straightens her shoulders and gets on with her day. It’s like it never happened, she assures herself.