Cyber Tales: The Fake Vendor Scam
BOXX Client Profile: Tower Tutors
Location: Calgary, Alberta
Industry: Education
Employees: 75 (including 64 tutors)
Cyber Incident: Business Email Compromise (BEC) – Fake Vendor Scam

“Finance Colin” and the $250,000 Mistake
Places, industries, and names have been changed to preserve client privacy.
Tower Tutors, a reputable Calgary-based tutoring company, prided itself on providing high-quality educational services. With students and tutors working together online, CEO Alison Tower had always taken cybersecurity seriously. She knew that safeguarding students’ information was as crucial as hiring trustworthy tutors.
But cyber threats don’t always come in the form of a dramatic data breach. Sometimes, all it takes is a well-crafted email and an overwhelmed employee.
That employee? Colin G., or as he was known in the office, “Finance Colin” (distinguished from IT Colin, who, ironically, had been advocating for stricter cybersecurity training at their last company all-hands).
Finance Colin received an email that made his stomach drop. It was from a partner at the law firm they worked with—at least, that’s what it looked like. The email was sharp, legal-sounding, and carried the weight of authority. It wasn’t a standard invoice. This was an urgent demand, citing five overdue invoices totaling $250,000. The sender warned that if the invoices weren’t paid immediately, the firm would withdraw legal representation and possibly take action against Tower Tutors.
Colin’s mind raced. “Did I miss these?” he wondered.
He wasn’t just any finance guy—he knew how complex the education industry’s regulations were. If they had overlooked payments, it could mean serious consequences. And with Alison Tower on bereavement leave, he felt an obligation to step up and protect the company.
Colin hovered over his keyboard, hesitating. Maybe he should call Alison? No, she was grieving; after all, he had seen the notice in the paper and posted on her LinkedIn. Besides, he’d made large payments for legal costs before. And new employment contracts had recently been drawn up for over fifty tutors. Now was not the time to lose the lawyers.
So, he did what he thought was the responsible thing. He processed the payments.
CEO Gets a Crash Course in Cyber Security
Over in Edmonton, Alison was grieving the loss of her father. Work wasn’t her priority at the moment, but she hadn’t turned off alerts. Any transactions over $5,000 triggered a notification. When her phone dinged, she barely glanced at it—until she saw the amount. $48,000.
“Odd,” she thought, opening her finance dashboard.
Her breath caught. More payments—four in total—had followed, each one larger than the last. The final amount? $250,000. And worse still, the recipient was a law firm they hadn’t worked with for a month. Had she remembered to tell finance? Obviously not.
Immediately, Alison sent a text to Colin:
“Why we paying lawyer this much? Call me ASAP.”
Enter: The Hackbusters Team
After talking with Finance Colin, Alison knew she needed to talk to someone else next. Thankfully, Tower Tutors had been a BOXX Insurance client for years. Alison considered cyber security as essential as a business license and had made a point of understanding her policy and meeting with the BOXX vCISO to review TT’s position. She called BOXX’s Hackbusters team.
Within minutes, she was speaking with Jack Brooks, BOXX’s virtual Chief Information Security Officer (vCISO) and Head of Hackbusters.
“I was in my dad’s study,” Alison remembers. “Using the phone I used to talk to childhood friends, trying to explain how we’d just wired a quarter of a million dollars to cybercriminals. It was surreal.”
Jack understood immediately.
“No security breach,” Jack said after a quick analysis. “This is a classic business email compromise. No one hacked your system. They tricked your finance department with social engineering.”
Alison exhaled. “So, the tutors…our students…their data is safe?”
“Yes,” Jack reassured her. “And if we act fast, we might be able to recover some of your money.”
“I Contemplated Life on the Run”
Colin stared at his phone, panic rising.
“I’m not going to lie,” Colin says now, “There was a moment—a brief one—where I contemplated life on the run. A new identity. A beach somewhere.”
There is no need to feel cyber shame, though, and it was time for Colin to focus on solutions. He braced himself for Alison’s call.
When the phone rang, the call was surprisingly calm and, even more surprising, not from Alison.
Jack Brooks was on the line, and he wanted to help.
“I had a Chief Information Security Officer on the phone, telling me that we might be able to fix this,” Colin recalled. “But only if we got to work. Five minutes ago.”
He wasn’t just saying this for dramatic effect—time was of the essence. Once money is wired, recovery is a race against the clock. The longer they waited, the lower the chances of getting any of it back.
The Race Against Time
Jack outlined the plan. The funds had been wired out, but banks could sometimes halt fraudulent transactions if they were contacted quickly. There was a problem, though: banks move at their own pace, and Colin was getting stonewalled by well-meaning but slow-moving gatekeepers. He might not be great at spotting scams, but he knew finance. He could speak their language; he just needed to get to the right people, right away.
Jack had a strategy. He wrote up a summary of the event, with details of what happened, making it easier for Colin to explain the situation clearly to the bank.
“Be persistent. Call every hour. Get to a decision-maker and make sure the fraud department understands the timeline and that authorities have been notified.”
Colin, determined to undo his mistake, followed the advice to the letter. He refused to be brushed off, escalating to managers and fraud departments. And it worked.
By the next morning, four of the five payments had been recovered.
But there was bad news. The first payment—$48,000—had been transferred to a bank overseas and was not recoverable.
Lessons Learned
The cyber thieves didn’t hack into Tower’s systems—they hacked into human psychology.
“The criminals used urgency, authority, and fear to cloud Colin’s judgment,” Jack explained. “The email looked official, carried legal pressure, and played on the fact that Alison was unavailable. That’s social engineering at its best. These scams are designed to make even experienced professionals act before they think.”
“It’s disappointing that the criminals profited,” Jack admitted, “but considering the total loss could’ve been $250,000, things could have been much worse.”
Alison agreed. “Losing any money hurts, but thanks to BOXX, it wasn’t catastrophic. I didn’t have to spend my bereavement leave fixing a financial disaster.”
In the aftermath, Tower Tutors takes cybersecurity more seriously than ever.
Every employee—from finance to HR—was enrolled in BOXX Academy’s cyber awareness training. Hackbusters also helped them implement a multi-step payment verification process to prevent this from happening again.
And Finance Colin?
“I knew my job wasn’t at risk,” Colin says, “but I felt like I needed to make up for what happened. Alison was an incredibly supportive boss. She even took responsibility for not communicating about changing law firms. I wanted her to know that I’d learned from my mistakes. So, I took the lead on making sure we locked down our payment processes for good.”
Now, if an email comes in demanding money, Tower Tutors verifies it with a phone call—every time.
“I wish I’d done that in the first place,” Colin admits. “And about a dozen other things differently. But, hey, at least IT Colin and I finally have something to bond over besides the coffee machine.”
Cyber threats don’t always come from hacks—they come from human errors and clever deception. Thanks to BOXX and Hackbusters, Tower Tutors recovered most of their losses and turned a costly mistake into a valuable lesson.
Could your business detect a scam before it’s too late? If not, maybe it’s time to call BOXX.