“It Was Just One Click”: Anatomy of a Breach That Could’ve Been Avoided

One careless click. That’s all it took to open the door to a full-blown security breach. In this blog, we break down how phishing attacks really happen—not with fancy hacking, but with a convincing email and a distracted employee. You'll learn what actually goes wrong in these scenarios, why it’s not just a “people problem,” and what simple steps could’ve stopped the chaos before it started. If you're tired of pretending that everyone will spot a scam 100% of the time, this one's for you.

May 26, 2025
By Andy Garcia

It always starts the same way.

Someone’s got 43 unread emails. They're rushing through their inbox between meetings. Coffee’s gone cold. Their kid texted about missing a ride home. And then they see it—an email from “IT Support” that says their password’s expired. “Click here to reset.”

They click.

And that’s it. That’s the breach. One little click. One very fake email. And a very real mess.

Let’s talk about what actually happens behind the scenes of one of these “oops” moments. Not to shame anyone—we’ve all clicked dumb things (remember that dancing baby video?). This is more like a group therapy session for businesses that have been burned by phishing emails and want to stop lighting themselves on fire.

It wasn’t a hacker in a hoodie

Forget the movie scene where some dude in a dark room types really fast and yells “I’m in.” Most of the time, cybercriminals aren’t breaking in—they’re being invited in. Nicely. With a handshake. And maybe even a “Thanks!”

That’s because phishing isn’t technical. It’s psychological. These attackers know people are distracted, tired, or just trying to get through their inbox. They know what kind of email will make someone stop skimming and start clicking. Fake invoices. HR memos. A note about PTO. (They really know how to weaponize a vacation request.)

Once the click happens, the doors open. Credentials get harvested. Malware gets dropped. Files get locked. Sometimes, attackers don’t even do anything right away—they just hang out. Lurk a little. Watch your systems like it’s Netflix. Then strike when the timing’s right.

Who clicked it?

If your first reaction is “Which one of our people clicked it?”, take a breath. The better question is, “Why was it so easy to click it?”

Most companies only focus on the human error part. But email filters miss stuff all the time. People aren't firewalls. And if one click can sink the ship, the ship wasn’t built right to begin with.

Phishing isn’t going away. It’s evolving. That email may look like it’s from your CEO. It might even sound like your CEO (thanks, AI). So relying on “common sense” or finger-wagging security training videos from 2009? That’s not gonna cut it.

What would’ve actually stopped it

Multi-factor authentication. Plain and simple. That one extra step—whether it’s a code from an app or a tap on your phone—means that even if someone gives away their password, it’s not a free pass.

Also, proper access control. If everyone in the company has access to everything, you’re basically saying “One click can burn down the entire village.” Segment your systems. Limit permissions. Set expiration dates on access.

And then there’s the thing nobody wants to hear: practice. Simulated phishing tests. Fake attacks that help people recognize real ones. Not to humiliate them—just to build muscle memory. If someone messes up a fake test, they learn. If they mess up a real one, you’ve got a problem.

So what now?

If your company’s been lucky so far, great. But depending on luck is like leaving your front door unlocked and hoping burglars are too polite to walk in.

Make it harder for people to screw up. Train them without making them feel like idiots. Set up systems that assume someone will click eventually. Because they will.

And when they do, you want the damage to be a quiet cleanup—not front page news.

Want help making that happen? That’s what we do. But you knew that already.
