threat library // teletraan systems
Know what you're up against.
These are not hypothetical scenarios. They happen to law firms, medical practices, hospitality groups, and professional service firms every week. Understanding how an attack unfolds is the first step toward making sure it never happens to you.
Four of the most damaging attack patterns aimed at small businesses: SIM swap, ransomware, business email compromise, and credential stuffing. Each diagram traces the chain from initial access to impact, so you can see exactly where the right control breaks it.
Four kill chains mapped end to end: initial access, persistence, escalation, impact. The diagrams mark the pivot points where a single control (number-port lock, phishing-resistant MFA, immutable backups, DMARC at enforcement, breached-credential monitoring) severs the chain before impact.
How to read the diagrams
- Attacker action
- Step in the chain
- Critical compromise
- Real-world impact
SIM SWAP ATTACK
They steal your phone number.
Then everything else.
A SIM swap does not require hacking your device. Often it requires nothing more than a convincing phone call to your carrier. One successful impersonation and your number transfers to a SIM the attacker controls. Every SMS two-factor code (your bank, your email, your investment account) now routes to them instead of you. Your phone goes silent. That is usually the first sign something is wrong.
SIM swap is carrier-level account takeover. The attacker assembles enough personal data to pass carrier identity verification, requests a SIM transfer or port-out, and your number activates on hardware they control. Every SMS one-time code now routes to them: banking, email recovery, anything still anchored to the phone number. Loss of signal on your handset is usually the first indicator.
SIM swap targets the weakest factor: the phone number. PII from breaches and data brokers gets the attacker through carrier verification; a port-out or SIM transfer moves the number to attacker hardware, and SMS one-time codes and voice-callback verification are intercepted outright. Recovery flows that fall back to SMS become the takeover vector. Defenses that hold: a carrier port-freeze or number lock protected by an account PIN, removing SMS as a recovery factor, and phishing-resistant MFA (FIDO2 keys) on every account that matters.
RANSOMWARE
Every file locked.
Every client record gone.
Pay or stay dark.
Ransomware does not announce itself. It moves quietly through a network for days, mapping drives and exfiltrating files before the encryption begins. For a law firm or medical practice the calculus is brutal: patient records, case files, and billing systems are all inaccessible at once. Then the ransom note appears and you have hours to decide whether to pay criminals or explain to clients why their data is gone.
Modern ransomware is exfiltrate-then-encrypt. Initial access lands through phishing, exposed remote access, or reused credentials; the operator moves laterally for days, stages data out, then encrypts servers, workstations, and any backups reachable from the same network and identity. The ransom note is the last step of the intrusion, not the first.
Contemporary ransomware operations run double extortion: data is staged and exfiltrated before encryption, so a clean restore does not end the incident. Initial access brokers sell footholds (phished credentials, exposed RDP, unpatched edge devices); the affiliate escalates privileges, disables endpoint protection where it can, deletes shadow copies, and encrypts everything reachable, including online backups joined to the same identity plane. Survival depends on segmentation, offline or immutable backup copies, and restore drills run before the bad day.
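The recovery-sabotage steps named above (shadow copies deleted, boot recovery disabled, backup catalog wiped) are the last quiet moments before encryption, and they are visible in process-creation logs if anyone is looking. The following is an added illustration, not Teletraan's tooling: it runs a small set of precursor patterns over constructed process-creation records (hosts, users and command lines are invented) and alerts only when one host shows two or more distinct sabotage categories, so a backup operator listing shadow copies does not trip it.

```python
import re
from collections import defaultdict

# Constructed process-creation records in a simplified key=value form, the
# shape you get from Sysmon Event ID 1 or Windows 4688 after parsing.
SAMPLE_EVENTS = [
    'host=FS01 user=CORP\\svc-backup image=vssadmin.exe cmdline="vssadmin list shadows"',
    'host=WS07 user=CORP\\jdoe image=vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'host=WS07 user=CORP\\jdoe image=bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"',
    'host=WS07 user=CORP\\jdoe image=wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    'host=WS07 user=CORP\\jdoe image=bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'host=WS12 user=CORP\\asmith image=wmic.exe cmdline="wmic shadowcopy delete"',
]

RECORD = re.compile(
    r'^host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Each precursor is a recovery-sabotage step affiliates run before encryption.
PRECURSORS = [
    ("shadow copies deleted", re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-wmiobject)", re.I)),
    ("shadow storage shrunk", re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*maxsize", re.I)),
    ("boot recovery disabled", re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup catalog deleted", re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


def classify(cmdline):
    """Return the precursor categories a single command line matches (may be empty)."""
    return [name for name, pat in PRECURSORS if pat.search(cmdline)]


def find_recovery_sabotage(lines, min_distinct=2):
    """One alert per host that ran at least min_distinct distinct precursor categories.
    Requiring two categories keeps a lone 'vssadmin list shadows' or a legitimate
    storage resize from paging anyone; an affiliate typically runs several in a row."""
    seen = defaultdict(lambda: {"users": set(), "categories": set(), "cmdlines": []})
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        cats = classify(m["cmdline"])
        if not cats:
            continue
        entry = seen[m["host"]]
        entry["users"].add(m["user"])
        entry["categories"].update(cats)
        entry["cmdlines"].append(m["cmdline"])
    alerts = []
    for host, entry in sorted(seen.items()):
        if len(entry["categories"]) >= min_distinct:
            alerts.append({
                "host": host,
                "users": sorted(entry["users"]),
                "categories": sorted(entry["categories"]),
                "cmdlines": entry["cmdlines"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_recovery_sabotage(SAMPLE_EVENTS):
        print(f"{a['host']}: {', '.join(a['categories'])} by {', '.join(a['users'])}")
```

In a real deployment the same patterns belong in the EDR or SIEM as a correlation rule keyed on host and a short time window; the point of the two-category threshold is that the response to this alert is isolation, not a ticket, so it has to be one you trust.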
BUSINESS EMAIL COMPROMISE
One email.
One wire transfer.
Gone before you finish lunch.
BEC is consistently among the costliest cybercrime categories in FBI IC3 reporting, and firms that move large sums on a deadline, law firms handling closings and settlements among them, are prime targets. An attacker monitors your email (through a compromised account or a lookalike domain with one character swapped) and waits for a pending wire transfer or real estate closing, then sends a spoofed message at exactly the right moment. The email looks exactly right. The domain is one letter off. The funds leave within the hour, moved through shell accounts before anyone notices.
BEC is patience plus timing. The attacker reads real threads from a compromised mailbox or a lookalike domain, waits for a payment event (a closing, a payroll change, a vendor invoice), then injects altered wire instructions that match the thread's tone and history. The controls that matter: enforced MFA, mailbox-rule auditing, DMARC at enforcement, and out-of-band verification for any banking change.
BEC chains start with mailbox access (a phished OAuth grant, legacy IMAP without MFA, reused credentials) or a homoglyph domain registered days earlier. The operator sets silent forwarding rules, studies invoice cadence and signature blocks, then times the spoof to a real transaction. Wire recall windows are measured in hours; funds mule out through layered accounts. Mitigations: conditional access with phishing-resistant MFA, transport rules that flag external lookalikes, DMARC at p=reject, and a hard policy that banking changes are verified by calling back a number already on file, every time.
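Three of the controls above (flagging lookalike sender domains, auditing inbox rules, checking DMARC is actually at enforcement) are small enough to show as working checks. This is an added example, not Teletraan's code; the firm domain smithlaw.com, the inbox rules and the DMARC records are constructed, and the inbox-rule shape is an assumed simplification of what a tenant admin export would contain.

```python
import re

TRUSTED_DOMAINS = {"smithlaw.com"}   # constructed: the firm's own domain

# Folders where a silent rule parks diverted mail so the victim never sees it.
HIDE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                "junk email", "conversation history"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the classic 'one character off' spoof."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Map common look-alike sequences to the letter they imitate (rn->m, 1->l, 0->o)."""
    d = domain.lower()
    for look, real in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e")):
        d = d.replace(look, real)
    return d


def lookalike_reason(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Why sender_domain resembles a trusted domain, or None if it is trusted or unrelated.
    Meant to flag for review (a transport rule / banner), not to block outright."""
    s = sender_domain.lower()
    if s in trusted:
        return None
    for t in trusted:
        if fold_confusables(s) == fold_confusables(t):
            return f"homoglyph of {t}"
        if edit_distance(s, t) == 1:
            return f"one edit from {t}"
        label = t.split(".")[0]
        if label in s:                      # smithlaw-closings.com, smithlaw.com-portal.net
            return f"embeds trusted label '{label}'"
    return None


def risky_rules(rules, internal_domain="smithlaw.com"):
    """Flag inbox rules with the BEC foothold pattern: external auto-forward,
    payment keywords, mail diverted to a folder nobody reads, or a throwaway name."""
    findings = []
    for r in rules:
        why = []
        for addr in r.get("forward_to", []):
            if not addr.lower().endswith("@" + internal_domain):
                why.append(f"forwards to external {addr}")
        if r.get("delete") or (r.get("move_to") or "").lower() in HIDE_FOLDERS:
            why.append("hides matching mail")
        if re.search(r"invoice|wire|payment|bank|routing", " ".join(r.get("keywords", [])), re.I):
            why.append("keyed on payment language")
        if len(r.get("name", "").strip()) <= 1:
            why.append("blank or one-character name")
        if why:
            findings.append({"name": r.get("name", ""), "reasons": why})
    return findings


def dmarc_status(txt_record: str):
    """Parse a _dmarc TXT record. Enforced means p=quarantine or p=reject applied to 100% of mail;
    p=none or pct<100 only reports, it does not stop a spoof."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "policy": None, "enforced": False}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return {"present": True, "policy": policy,
            "enforced": policy in ("quarantine", "reject") and pct == 100}


SAMPLE_RULES = [  # constructed inbox rules as an admin export might list them
    {"name": "Newsletters", "keywords": ["newsletter"], "move_to": "Reading",
     "forward_to": [], "delete": False},
    {"name": ".", "keywords": ["wire", "invoice"], "move_to": "RSS Feeds",
     "forward_to": ["closings.smithlaw@gmail.com"], "delete": False},
]

if __name__ == "__main__":
    for d in ("srnithlaw.com", "smithlaw.co", "smithlaw-closings.com", "gmail.com"):
        print(d, "->", lookalike_reason(d))
    print(risky_rules(SAMPLE_RULES))
    print(dmarc_status("v=DMARC1; p=none; rua=mailto:dmarc@smithlaw.com"))
```

The label-containment check will also flag legitimately named third parties (a vendor at smithlawyers.com, say), which is why the output is a review flag rather than a rejection; the DMARC check is the one to run against your own domain today, because "we have DMARC" at p=none is the most common finding.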
CREDENTIAL STUFFING
A password you used years ago.
They've been inside ever since.
Major data breaches produce lists of usernames and passwords that turn up for sale on dark web marketplaces within days. Automated tools test these credentials against hundreds of services simultaneously: banking, email, practice management software, payroll. When one works, access is silent and persistent. By the time it is discovered, months of data may already be compromised, the financial damage already done, and the evidence already cold.
Breached credential lists are run against hundreds of services by automation within days of a leak. Any account that shares a password with a breached one is exposed, and a successful login looks like ordinary traffic to default logging and alerting. Unique passwords from a manager, MFA everywhere it can be enforced, and breach-exposure monitoring close most of this surface.
Combolists from aggregated breaches feed stuffing frameworks running through residential proxy pools, so velocity controls and IP reputation rarely trigger. One reused credential against M365, practice management, or payroll yields silent persistent access; from there it is mailbox rules, data staging, and slow drain. Counters: unique secrets per service enforced by a manager, MFA on every enforceable surface, conditional access risk policies, and credential-exposure monitoring for your domains.
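Because a proxy-pool stuffing run keeps each source IP to one or two attempts, the signal is not velocity per IP but the spread of accounts tried under one client fingerprint in a short window. The following is an added example, not Teletraan's code: it parses a constructed sign-in log (users, IPs and user agents are invented, in a simplified one-line format assumed for the illustration), buckets events by user agent and ten-minute window, and raises an alert when many distinct accounts are tried with low per-IP counts, listing any account that logged in successfully during the run.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" result=(?P<result>\w+)$'
)
EPOCH = datetime(1970, 1, 1)

NORMAL_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
ATTACK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"   # one shared fingerprint


def constructed_log():
    """Constructed sign-in log: two normal logins, one single-IP brute force against bob,
    and a distributed stuffing run over ten accounts that lands one of them (carol)."""
    t0 = datetime(2024, 5, 2, 9, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        f'{fmt(t0)} user=alice@smithlaw.com ip=203.0.113.10 ua="{NORMAL_UA}" result=SUCCESS',
        f'{fmt(t0 + timedelta(minutes=4))} user=bob@smithlaw.com ip=203.0.113.11 ua="{NORMAL_UA}" result=SUCCESS',
    ]
    # Noisy single-IP brute force: ordinary lockout and velocity rules catch this one.
    lines += [
        f'{fmt(t0 + timedelta(seconds=s))} user=bob@smithlaw.com ip=192.0.2.9 ua="{NORMAL_UA}" result=FAIL'
        for s in range(0, 50, 10)
    ]
    # Stuffing through a proxy pool: ten accounts, ten IPs, one attempt each.
    names = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    for i, u in enumerate(names):
        result = "SUCCESS" if u == "carol" else "FAIL"
        lines.append(
            f'{fmt(t0 + timedelta(seconds=11 * i))} user={u}@smithlaw.com '
            f'ip=198.51.100.{i + 1} ua="{ATTACK_UA}" result={result}'
        )
    return lines


def parse(lines):
    """Turn log lines into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def find_stuffing(events, window_minutes=10, min_users=8, max_per_ip=2):
    """Bucket sign-ins by (user agent, fixed time window). A stuffing run shows many
    distinct accounts with at most a try or two per IP, so per-IP velocity stays quiet
    while the account spread under one fingerprint is the signal."""
    buckets = defaultdict(list)
    for e in events:
        slot = int((e["ts"] - EPOCH).total_seconds() // (window_minutes * 60))
        buckets[(e["ua"], slot)].append(e)
    alerts = []
    for (ua, slot), chunk in sorted(buckets.items()):
        users = {e["user"] for e in chunk}
        per_ip = Counter(e["ip"] for e in chunk)
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                "window_start": (EPOCH + timedelta(seconds=slot * window_minutes * 60)).isoformat(),
                "ua": ua,
                "accounts_tried": len(users),
                "source_ips": len(per_ip),
                # Accounts that succeeded inside the run are the ones to reset and review first.
                "compromised": sorted({e["user"] for e in chunk if e["result"] == "SUCCESS"}),
            })
    return alerts


if __name__ == "__main__":
    for a in find_stuffing(parse(constructed_log())):
        print(f"{a['window_start']}: {a['accounts_tried']} accounts from {a['source_ips']} IPs, "
              f"compromised: {a['compromised'] or 'none'}")
```

Thresholds (eight accounts, two tries per IP, ten minutes) are assumptions sized for a small tenant; tune them against a week of your own sign-in logs. Stuffing tools rotate user agents too, so in practice the fingerprint should also fold in TLS or device signals where the identity provider exposes them.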
Assess your exposure →
Sources
- FBI Internet Crime Complaint Center (IC3) — 2024 Annual Report
- Coveware — Quarterly Ransomware Marketplace Reports
- IBM — Cost of a Data Breach Report 2024
- FBI Internet Crime Complaint Center (IC3) — 2023 Annual Report
- SpyCloud — 2024 Annual Identity Exposure Report
- IBM — Cost of a Data Breach Report 2023
Now you know what can go wrong.
Let's make sure it doesn't.
A 30-minute assessment call maps your current exposure across these attack categories and identifies where quick wins live. No sales deck. No generic advice. Just an honest look at where you stand.