It Didn’t Look Like a Cyber Attack

In most distribution businesses, cybersecurity does not show up in day-to-day operations. The issues that cause the most damage rarely look like cyber events when they happen. They look like normal business activity, and that is exactly why they work.
 

Picture a busy branch on a Monday morning. The counter has a line, the phone is ringing, and inside sales is working through a stack of quotes while checking inventory and answering contractor questions. An email comes in from what looks like a regular customer asking to update payment details before the next order goes out.
 

Nothing about it feels unusual. The request gets processed so the team can keep moving.
 

That is how the problem starts.
 

A few days later, the customer calls asking why their invoice has not been paid. The money was sent, but it went to the wrong account. By the time anyone realizes what happened, it is already gone.
 

This is one of the most common ways distributors get hit. It is often referred to as business email compromise, or BEC. An email gets used in a way no one expects. There is no system failure and no alert. Just a routine decision made under normal operating pressure.
 

The same pattern shows up in other parts of the business.
 

Someone receives an attachment tied to an order or shipment. It looks legitimate, and it may even be something they were expecting. They open it, nothing obvious happens, and the day continues. Behind the scenes, access has already been established. A few days later, systems slow down or stop, files become unavailable, and operations start to break down across the branch.
 

Credential theft is even harder to spot. A login screen appears that looks identical to the one your team uses every day. A rep enters their information without thinking twice. From that point on, whoever is on the other end is not breaking in. They are logging in as a legitimate user, reading emails, and watching how your team communicates with customers and vendors.
 

In many cases, that access gets used to extend the problem outward. Messages go out to customers that look real. Requests get made that seem normal. Because the communication is coming from a trusted account, it moves forward without much resistance.
 

Vendor relationships create another opening. Distribution depends on constant coordination between manufacturers, distributors, and contractors. If one of those partners is compromised, their account can be used to send messages, files, or requests that look completely legitimate. The trust that keeps the business moving also makes it easier for these situations to slip through.
 

Across all of these scenarios, the pattern is consistent. The issue is not advanced technology. It is exposure created by how the business operates.
 

There is often no defined process for verifying payment changes. There is no shared expectation for how to handle unexpected requests. Teams are moving quickly, and most of the time that speed is an advantage. In these situations, it becomes a weakness.
 

There is also a common assumption that if something were truly wrong, IT would catch it. In practice, the critical decisions in these situations are not made in IT. They happen in accounting, in sales, at the counter, and inside the branch. If those teams do not recognize what is happening, the system never has a chance to help.
 

When something does go wrong, the impact shows up quickly. Payments are lost. Orders are delayed. Customer relationships take a hit. Time and energy shift from running the business to trying to understand what just happened.
 

Afterward, the path usually looks obvious. In the moment, it does not.
 

That gap is where most of the risk lives.
 

This is why the ASA Cybersecurity Checklist and the Common Cyber Attacks Facing Distributors guide exist. Not to introduce more complexity, but to make these situations easier to recognize before they turn into real problems. In addition, ASA is developing tabletop exercises designed to walk teams through these situations in a controlled setting so they can see how their current processes hold up.
 

The ASA Cybersecurity Checklist and Common Cyber Attacks Facing Distributors are available in the ASA resource library under the Cybersecurity Starter Kit for Distributors, located in the Innovation section of the ASA website. Additional tools, including tabletop exercises, will be added there over time.
 

The checklist helps identify which controls are actually in place today. The attacks guide connects those gaps to situations your team can understand. Together, they move cybersecurity out of the background and into something the business can actively manage.
 

The takeaway is straightforward. These situations are not edge cases. They are normal business interactions used in the wrong way.
 

If your team has not walked through how these scenarios would play out inside your business, you are not managing the risk. You are assuming it away.
 

The next step is not more technology. It is clarity. Walk through how your team handles payment changes, unexpected requests, and access to systems. Decide what should happen before one of these situations happens for real.