My First Week as an IT Director: A Crash Course in Phishing and Account Security
Chris Dolan
5/26/2018 · 4 min read
Stepping into a new role always brings a certain level of excitement and anxiety. But nothing could have prepared me for the eventful first week I had as an IT director. In one of the first few days, I received a call from a concerned staff member asking me to come to their desk. What I witnessed was, to put it lightly, unsettling.
Their email inbox was changing before our eyes—messages were being marked as read, emails were disappearing, and yet, the person wasn’t touching their computer. We both stared at the screen, puzzled by what was happening.
I quickly glanced to the bottom of the browser and saw a small notification: another user was logged into the account. The person, visibly concerned, told me they were the only one who should have access. We dug deeper and discovered that the other user was accessing the account from a foreign country—definitely not in NYC. Before panic set in, we immediately reset the user's password, locking the unauthorized user out.
My First Encounter with a Compromised Account
This was my first experience of seeing an account hacked in real time (it was 2013). The event unfolded right in front of me, and it was the result of someone falling for a phishing scheme. Earlier that day, the employee had clicked on a phishing link. The fake website prompted them to enter their email credentials, and with that, the attacker gained access to their account.
As we watched the inbox, we realized the intruder wasn’t just passively snooping around. They were actively sending out emails to people in the user’s contact list as quickly as possible, deleting the sent messages, and archiving responses to cover their tracks. It was a race—the hacker trying to spread their phishing campaign before being caught.
Within minutes, we were able to stop it. But over the course of the following week, things went from bad to worse.
The Domino Effect
Seven more accounts in the organization were compromised within a week. And it all stemmed from that one initial breach.
The person who was first hacked held a position of authority and trust within the organization. As a result, other users—who naturally trusted the legitimacy of emails from this person—were also fooled into clicking phishing links. The ripple effect was immediate, and we were in crisis mode.
Oh, did I mention that this was my first week on the job? Not exactly the smooth start I was hoping for.
The Early Days of Cloud Email Security
This incident happened during the early days of cloud-based email systems. Back then, discussions about best practices for securing accounts weren’t as widespread as they are today. And phishing? It was still a relatively new term to most people. As I discussed it more broadly with the staff, I’m sure many probably thought I was just a fan of the sport!
The situation had me pulling several all-nighters in my first week, researching everything I could about securing cloud email accounts. I wrote up a proposal recommending that we implement two-factor authentication (2FA) across the organization to prevent further incidents.
The Challenge of Change in IT Security
Here’s where things got tricky. Leadership was hesitant to come across as "heavy-handed" by enforcing new policies that would require users to change their behavior. When I presented my proposal to the IT team, many of whom had been with the organization for years, they told me it was unlikely to get approved. Change, after all, is hard, and people don't always welcome new security measures, even if they’re for the greater good.
But we pushed forward. Thirty days later, we had successfully secured over 200 accounts in the organization. Why? Because implementing 2FA isn’t just one of the most effective ways to secure an account—it’s also the least disruptive.
Why 2FA is a Game Changer
At the time, the standard practice for securing email accounts was to create super-complex passwords and force users to change them frequently. However, this practice had its downsides. It led to password fatigue, and users often resorted to shortcuts like writing passwords down or creating only minor variations with each change. Even worse, it did little to prevent compromises that occurred through phishing or other social engineering attacks.
On the other hand, two-factor authentication adds an extra layer of security that doesn’t rely solely on a password. Even if someone falls victim to a phishing attack and unknowingly hands over their credentials, the hacker still needs a second piece of information—usually a one-time code sent to the user’s phone—to gain access.
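As an added illustration (not the author's code or the email provider's), here is how the server side of such a one-time code typically works: the HOTP/TOTP algorithms of RFC 4226 and RFC 6238, keyed with the RFC's own published test secret. The login function shows the point made above: a phished password by itself never reaches "accept", and a code that was already used cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test key ("12345678901234567890" in base32) used as the shared secret for the demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step)


class SecondFactorVerifier:
    """Server-side check of the one-time code, with clock-skew tolerance and a replay guard."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew_steps = skew_steps      # accept codes from +/- one 30-second step
        self.last_accepted_step = -1      # each time step's code is good only once

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue                  # reject replays of an already-used (or older) code
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def login(password_ok: bool, code: str, verifier: SecondFactorVerifier, unix_time: int) -> bool:
    """Both factors must pass: knowing the password alone is not enough to get in."""
    return password_ok and verifier.verify(code, unix_time)
```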
The Evolving World of Security
Thankfully, 2FA has become more common today. Many cloud email providers now have tools to easily implement and enforce it. Banks, too, have made 2FA a standard practice. Yet, there are still many sites where it remains optional, or worse, isn’t even available.
My advice to friends, family, and anyone reading this? Turn on 2FA for every account that offers it. And be cautious of using sites that store payment information or sensitive data but don’t offer this option.
If you’re unfamiliar with 2FA, now’s the time to learn about it. A quick search will reveal everything you need to know, and the peace of mind it brings is well worth the few extra seconds it takes to log in.
In today’s digital age, it’s not a matter of if your account will be targeted—it’s a matter of when. With phishing schemes becoming more sophisticated by the day, taking steps to secure your accounts is essential. Two-factor authentication may be a simple solution, but it could very well be the thing standing between your data and a hacker’s next payday.