Cyberattacks in Remodeling

In today's interconnected online world, businesses are vulnerable, and businesses with fewer than 100 employees even more so

January 29, 2016
Cyberattacks occur in remodeling companies, so it's important to educate your staff about cyber security.

Chad Hatfield clearly remembers the day he walked into his office and saw his wife preparing to transfer funds from the company’s bank account. “What are you doing?” he recalls asking. His wife answered that she was transferring money—as Hatfield had requested in an email to the company’s office manager.

But Hatfield had written no such email. Instead, it turned out, his Dallas-area company, Hatfield Builders & Remodelers, had been the victim of a cyberattack. 

Seventy-one percent of data breaches occur in businesses with fewer than 100 employees, according to a study by Verizon. This isn’t because criminals can make a huge profit by stealing from them; it’s because automation allows them to attack thousands of family-owned businesses at the same time, and many of these firms aren’t well-protected.

In Hatfield’s case, his office manager had received an email and clicked on what she thought was a Dropbox link. That installed a virus, which gave someone in Nigeria access to her email account. The attackers then deleted all new emails between Hatfield and the office manager, and wrote one of their own, claiming to be Hatfield and asking the office manager to transfer $8,000 to a client’s bank account in North Dakota. 

“She tried to do it, but you needed a two-person authorization to transfer money at our company,” Hatfield says. That’s how his wife got involved. Today, no one wires money out of the business at all. 

Perils of Connectedness

Another factor that adds to the vulnerability of smaller companies is interconnectedness. Today, more and more businesses rely on networks that provide interaction with customers and vendors. Some believe that this makes them not only a target, but also a springboard to a more lucrative prize. 

“As the digital world becomes more entwined, large companies are requiring vendors to interact with internal systems including procurement, marketing, human resources, [and] payroll,” says Alan Moss, a managing partner at security consulting firm Conventus. “These relationships create access into the parent organization—the ultimate target.” Moss’ comments appeared in CSO magazine.

What’s a Small Business to Do? 

The first, and biggest, step you can take is to educate yourself and your staff. Add data protection policies to employee handbooks and inform all staff members about data confidentiality and common cyberattack practices. 

“We get three or four emails a week in our general inbox that are bogus,” Hatfield says. “They seem like real leads. Someone will write, ‘Hey, I want to redo my kitchen and I’ve got some initial thoughts. Can you open these pictures and then give me a call?’” (See sample email from Hatfield, below.)

Always keep systems and software updated. Utilizing the newest version of any online system means you are up to date with any updates made to combat recently discovered vulnerabilities. 

Finally, take a look at your passwords. Most data breaches are the result of weak or stolen credentials, according to Verizon’s Data Breach Investigation Report. Consider a system such as LastPass or Google Authenticator to strengthen password security.  

1] Is the email from a provider you recognize, such as Gmail? You can also hover your mouse over the address itself and the real address will appear in the lower left of your screen. In this case, the email is from, a Russian company. Not a likely client. 

2] Here, Hatfield is being asked to look at a project, but if you hover your mouse over this link, the name doesn’t match the actual link, which is in Vietnam. 

3] The real website link will appear here. Don’t click the link! This email is phishing.

About the Author

About the Author

Erika Taylor is the director of content for Professional Remodeler. Contact her at or 972.803.4014.



We lost over $545k in 2009.  Zeus malware had been downloaded onto one of our computers.  The bank was allowing over $100k a night to be transferred out of our account to bank accounts all over the country.  Money mules withdrew the money the next day and wired the cash to Eastern Europe.  The money was gone in 24 hours.  The bank's security measures were deemed not commercially reasonable after a two-year battle in the courts.  It went all the way to the federal first district court of appeals.  The bank paid us back with interest but not the hundreds of thousands of dollars in legal bills.  We do not do ACH transactions.  If you must, two forms of authentication, one being we actually confirm the transaction either in person or by phone with someone we know. 

Add new comment

By submitting this form, you accept the Mollom privacy policy.
Overlay Init