Hackers are using more than fake leads to steal your data
I’ve talked a lot recently about the cyber-risks associated with ‘fake leads’, and since then have received a lot of feedback from clients and followers about their real-world experiences. One example was a marketing agency that was asked to download supporting files in order to produce a quotation. It all appeared very genuine, and they came very close to opening the attachments… This goes to show how effective this type of cyber threat is, and how easy it is to be caught out by it.
We’re seeing more scams that deliberately pull staff outside the corporate environment onto WhatsApp/SMS, personal devices, QR codes, and external “document links”. That’s where traditional security tools often have limited visibility, but the business risk (financial loss, data exposure, and reputational damage) is very real.
What we’re seeing (real examples)
Most organisations have strong technical controls in place (antivirus, device management, access policies, etc.), but many successful incidents start with human behaviour. A rushed click, a quick reply, a login on the wrong site. The result isn’t just an “IT problem”; it can mean invoice fraud, data leakage, customer impact, downtime, and a very uncomfortable few weeks for the leadership team.
Here are two recent examples we’ve come across (these are very much real):
Someone at a financial services firm in Hong Kong was asked to provide a reference for an ex-employee and redirected to a fake login site from a link shared via WhatsApp. The user signed in using their corporate Microsoft details and their credentials were stolen. The hacker logged into their account 10 minutes later. Thankfully, due to strong cyber controls in place within their Microsoft tenant, the hacker could not extract any data.
An opportunity arrived in a sales inbox at a mortgage broker in London, providing a profile of a potential lead. After a brief conversation, the sender wanted to share more information via an external URL that was designed to steal data. Thankfully, the person noticed something wasn’t quite right just before entering their details and avoided being compromised.
In both cases, the engagement looked normal and the timing felt plausible, but the end goal was the same: steal credentials or sensitive data.
What makes these attacks difficult is where they happen. The conversation is often designed to move outside your corporate environment — onto personal devices, messaging services, and external websites. That’s a visibility gap for many security tools, and it’s exactly what attackers are exploiting.
Controls are essential — but process + training closes the gap
In 2026, the baseline technical controls (multifactor authentication, safe link protections for email, and well‑designed conditional access policies) are no longer “nice to have”. They’re the bare essentials that protect the core of your environment and most of your corporate data.
On top of that, clear processes and practical training give staff the confidence to pause and verify. Here’s a simple set of rules we’ve been sharing with clients (which apply across sales, marketing, HR, finance, and operations):
Keep high‑risk workflows inside approved tools. Recruitment, HR, vendor changes, and anything involving payments should not be completed via WhatsApp/SMS/personal email.
Never use work credentials on unknown sites. If you’re asked to “sign in to view a document”, validate the request via a trusted channel first.
Build a default ‘pause + verify’ step. If the message creates urgency, changes the normal process, or asks you to move platforms (scan a QR code, click an external link, “just text me back”), slow it down and verify before you act.
Conclusion
User‑targeted attacks work because they look normal, feel familiar, and align with routine processes you might do on any given day.
The main takeaway is that fake leads are just one example of a broader pattern. Attackers are getting better at exploiting human behaviour and forcing faster decisions, often outside your protected environment. Clear rules about what must stay inside approved systems, plus a consistent verification habit, reduce risk quickly.
To remain secure in 2026 and beyond, a combination of strict technical controls and a cyber-aware workforce must be put in place to help protect your company and client data.
If you’re not already subscribed and would like to learn more about how B.Tech provides cyber protections for businesses, which includes policies that not only protect your users from harm, but also provide them with the tools to collectively be your first line of defence, please reach out.
I hope you’ve found this interesting. If you have any questions, please let me know. I’m always happy to arrange a coffee chat to discuss.