How RPM Stopped an $85,000 Wire Fraud Attempt After a Phishing Breach

Scott's wife Margaret got a call from their bank. "Are you guys transferring out $85,000?" They weren't. But somebody had every password, every account login, and the multifactor codes to back it up. RPM, a 34-employee HVAC company in Dallas, had been compromised for weeks. The wire was the first thing that surfaced. By the next morning, Fornida was on-site. Net loss to RPM: roughly zero. This is what we found, what we deployed, and why it could happen at any small business that grew faster than its security did.

The 60-second version

  • Client: Reliable Plant Maintenance (RPM), an HVAC and mechanical contracting business in Dallas. Started with four people; now thirty-four employees.
  • What happened: A phishing email got into the network. Threat actors found a shared Excel spreadsheet containing passwords, MFA seeds, and login links for every account RPM used: banking, Amazon, Dell, vendor portals, ~300 sites in total.
  • The attempt: An $85,000 wire transfer initiated using RPM's real credentials, real account numbers, real verification info. Caught by RPM's bank because Margaret had a personal relationship with the manager.
  • What we deployed: Checkpoint Harmony for behavioral email security (used to forensically reconstruct the breach and monitor going forward). SentinelOne on every endpoint. Hardened MFA across the stack.
  • The outcome: No wire lost. No ransomware. Business stayed operating throughout the response.

The bank call

The first sign anything was wrong was the phone call to Scott's wife.

We got a call from our bank. Margaret, my wife, got a call one day and said, "Are you guys transferring out $85,000?" No, we're not. And she's like, "Well, somebody has your passwords. They have all your account information. All the information they have is the correct information for us to make this transfer." That's when we realized we had a problem.

— Scott, COO, RPM

That's the moment that almost didn't happen. Scott and Margaret had a personal relationship with the bank's manager, close enough that an outbound transfer of that size triggered a courtesy verification call. Most SMBs don't have that relationship. Most SMBs find out about a wire fraud after the money is gone.

Scott's team is very fortunate. Usually this phone call never happens.

— Farzad Vahid, Founder & CEO, Fornida

Personal banker relationships are not a security control. They're luck. Luck is not a strategy.

What we found

When Fornida's team got on-site the next morning, the picture filled in fast.

The owner of the company and the operations lady had shared an Excel worksheet that had all of their passwords. And not just their passwords. This was bank account, link to the login page, here's this, here's the MFA key, all in this document. And we went in and we could prove that this was accessed and that this was used.

— Brian Smith, System Architect, Fornida

This is more common than people want to admit. RPM grew from four employees to thirty-four; somewhere along the way the spreadsheet became the password manager. It wasn't negligence. It was the pragmatic thing that worked when the business was small. By the time the business was big enough that it stopped working, nobody had paused long enough to fix it.

What made the breach worse was the scope of what the threat actor pulled off the spreadsheet:

This threat actor got hold of usernames and passwords to about three hundred different software products and sites and attempted to make this wire while accessing Amazon and Dell and a bunch of other sites, trying to place orders with everything that they had credentials to. So we had to react very quickly.

— Farzad

And the multifactor authentication wasn't the safety net people assume it is. The attackers had social-engineered the phone provider into forwarding RPM's calls, including the SMS codes used for MFA. By the time the wire request hit the bank, every "second factor" was already in the attacker's hands.

This is the modern shape of the attack. The perimeter doesn't get breached. Legitimate infrastructure gets abused.

The incident response

The first 24 hours were about stopping the bleeding without shutting the business down.

When you're a corporation, time is money. You don't want to be shut down. But even for smaller people, mom and pop, whatever it is, if you're closed down for a small amount of time, it's monumental for you. So this is where it is a careful balance: you don't want them operating dangerously, but you don't want them dead either. We start blocking and we radiate it down.

— Brian

That's the operating philosophy. Block enough to stop the active threat. Keep the rest of the business running. Triage in concentric circles outward from the breach point.

Specific decisions Fornida's team and Scott made together that day:

  • Owner's email shut down within the hour. The shared-credentials path started there.
  • Three additional accounts taken offline pending verification.
  • Logs reviewed for every other user: where they were logging in from, what they had accessed, what looked anomalous. Most accounts were clean and stayed live.
  • Every password rotated. The spreadsheet was deleted. A real password manager went in its place.

Then came the tools.

Checkpoint Harmony, the email layer

A behavioral email security tool that does double duty: it forensically reconstructs how the attackers got in, and it stops the next attempt.

It's a behavioral learning tool. We were able to deploy it and what it did is it went in and was able to analyze all of their inboxes, not just the current. It was able to learn from historical emails, saved emails, and learn their behavior. So as soon as we turned it on, it immediately spotted: "Oh, hey, this is the phishing email that was sent."

— Brian

Rules-based filters look at headers and known-bad indicators. Harmony looks at behavior. Does this email match the way this sender normally writes? Does the link match the way they normally share files? Six months of inbox history were enough for it to retroactively pinpoint the original phishing email and the lateral access that followed.
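As an added illustration of that behavioral idea (not Check Point Harmony's actual logic, and not code from the original page), this Python sketch learns each sender's usual link domains and Reply-To habits from a constructed inbox history, then reports how a new message deviates from them. Every address and message below is made up.

```python
"""Toy behavioural email baseline: learn each sender's habits from past mail,
then flag new mail that breaks them. Illustration only; all data constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed inbox history: (From, Reply-To, body). A real tool learns from
# months of history; a few lines stand in for that here.
HISTORY = [
    ("ap@vendorco.example", "ap@vendorco.example",
     "Invoice attached, portal: https://portal.vendorco.example/inv/1"),
    ("ap@vendorco.example", "ap@vendorco.example",
     "Reminder: https://portal.vendorco.example/inv/2 is due Friday"),
    ("scott@rpm.example", "scott@rpm.example",
     "Margaret, numbers are at https://files.rpm.example/q3"),
]

def _link_hosts(body):
    """Hostnames of every URL in the body, trailing punctuation stripped."""
    return {urlparse(u.rstrip(".,;)")).hostname or "" for u in URL_RE.findall(body)}

def build_baseline(history):
    """Per sender: link domains they normally use and whether their
    Reply-To has ever differed from their From address."""
    base = defaultdict(lambda: {"hosts": set(), "reply_to_differs": False})
    for sender, reply_to, body in history:
        b = base[sender.lower()]
        b["hosts"] |= _link_hosts(body)
        if reply_to.lower() != sender.lower():
            b["reply_to_differs"] = True
    return dict(base)

def score(msg, baseline):
    """Reasons this message deviates from its sender's learned behaviour;
    an empty list means it looks like the sender's normal mail."""
    sender, reply_to, body = msg
    b = baseline.get(sender.lower())
    if b is None:
        return ["first-time sender, no baseline"]
    reasons = [f"link host never seen from this sender: {h}"
               for h in sorted(_link_hosts(body) - b["hosts"])]
    if reply_to.lower() != sender.lower() and not b["reply_to_differs"]:
        reasons.append(f"Reply-To {reply_to} differs from the usual From address")
    return reasons

# Constructed lookalike: right From, wrong Reply-To, link to a never-seen host.
SUSPECT = ("ap@vendorco.example", "ap@vendorco-billing.example",
           "Urgent wire update, confirm at https://vendorco-secure.example/login")
```

Running `score(SUSPECT, build_baseline(HISTORY))` returns two deviations, while a message from the same sender using the usual portal domain returns none.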

SentinelOne, the endpoint layer

Email security catches the email. It doesn't catch what happens once a threat actor is inside the device.

You need the double whammy. Phishing emails are ultimately going to be the most likely way somebody's going to come in. But say somebody downloads something from a site that's allowed. Well, SentinelOne is that approach. Now you're looking at the device. Somebody got in and they're deploying a key logger. They're watching your keystrokes when you type in your password. Or you have all the protection in the world, MFA on your phone, but then they're on your computer and they watch you enter it.

— Brian

That's the layered-security argument in plain language. No single tool stops everything. The email layer and the endpoint layer answer different questions. Run both.

MFA, real this time

The MFA the attackers had bypassed wasn't broken. It was misconfigured. SMS codes routed through a phone line the attacker controlled aren't a second factor. Authenticator apps tied to the user's actual device, not their phone number, are. RPM's MFA got rebuilt accordingly.

What this means for any business like RPM

The lesson Brian closes on is the one we put on the page deliberately.

It's not some abnormal case. It's not a company who had a very poor design or didn't put money into it. They did the best they could with the knowledge they had. And unless you have a security partner who really knows what they're doing and encounters this kind of stuff every day, you're not going to know where you're vulnerable. You don't know what you don't know.

— Brian

Three things this case proves about the threat shape SMBs are facing right now:

  1. Credentials in a spreadsheet are a normal startup story. It happens because growth outruns the security setup. The fix is a password manager, MFA enforcement, and an audit of who has access to what. The prerequisite is somebody who notices the gap exists.
  2. MFA gets bypassed when the attacker controls the phone line. SMS-based MFA is no longer sufficient on its own. Authenticator apps tied to the device are.
  3. Behavioral email security is not the same as a spam filter. Rules-based tools catch known patterns. The attacks that hit RPM didn't match a known pattern; they matched the shape of legitimate emails. Behavioral analysis is what catches that.

And one closing line from Scott on what working with Fornida looked like once the call came in:

We're a small company. We don't need a full-time IT guy, but we're big enough that we do need help. Farzad and his team were extremely responsive. As soon as they heard, they were on the phone with us late one evening and they were here first thing the next morning.

— Scott

About RPM

RPM is a Dallas-based HVAC and mechanical contracting business. Scott started in the air-conditioning trade after moving to Dallas in 1986, and has been running RPM for going on fifteen years. The company grew from four employees to thirty-four during that period. That's the company size where most SMBs hit the inflection point that RPM hit: too big to keep doing IT informally, not yet big enough to staff it full-time.

Tools deployed

  • Checkpoint Harmony Email Security — behavioral email analysis, retroactive forensics, ongoing monitoring
  • SentinelOne EDR — endpoint behavioral analysis, key-logger detection, lateral-movement detection
  • Microsoft 365 hardening — MFA enforcement (authenticator-based, not SMS), conditional access, account audit
  • Password manager rollout — to replace the shared spreadsheet pattern
  • Tabletop exercise — quarterly, with leadership, to rehearse what the bank-call moment looks like when the bank doesn't call

What a free vulnerability assessment would have caught

Most of what we found at RPM would have surfaced in a 30-minute assessment: the MFA gaps and the lack of behavioral email security. We've already uncovered hundreds of critical issues at other companies with the same assessment. Most of them were companies that thought they were fine.

If you're not sure what a threat actor would find inside your network right now, book a free vulnerability assessment. It takes 30 minutes. We'll show you what's exposed before someone else does.