The $35,000 Cyber Heist That Almost Passed as 500 Singing Fish
A humorous near miss shows a serious truth: in the era of believable hacks, an ISMS is no longer optional; it’s business survival
In one of the non-profit organizations we work with, an invoice for $35,000 arrived through the official company email system. Everything looked completely legitimate:
- The Vice President had “requested” the payment.
- The Treasurer dutifully asked the President to approve it.
- The President gave the green light.
All the boxes for authorization were checked.
But here’s the catch: both the Vice President’s and the President’s email accounts had been hacked. On paper, the approvals were real, but in reality, a cybercriminal was pulling the strings behind the scenes.
The Treasurer was just about to process the payment when they noticed something odd. The invoice wasn’t for consulting fees, program funding, or even new laptops. No, it was for 500 singing fish wall plaques. Yes, the kind that flap their tails and sing “Don’t Worry, Be Happy” when you walk past.
Not exactly standard budget spending for a non-profit. Thankfully, the Treasurer paused, laughed (and probably shook their head), and stopped the transaction before any money left the account.
The funny part? The scammers might have actually gotten away with it if they had been just a little less creative. The serious part? This incident shows how convincing cyberattacks can be, and how even experienced leaders can fall victim without the right controls in place.
In today’s world, information isn’t just a byproduct of business; it is the business. Your customer lists, contracts, financial data, trade secrets, product designs, and strategic plans are among your company’s most valuable assets. But in an era of cyber threats, data leaks, and increasing regulatory demands, simply locking the office door isn’t enough.
This is where an Information Security Management System (ISMS) comes in – not as an IT buzzword, but as a business necessity.