Imagine this: your office manager receives an email from someone applying for a job. She opens the attached CV. Nothing happens — or so it seems. A polite error message appears saying the file is corrupted. She closes it and moves on with her day.
In the background, however, your business has just been comprehensively compromised. Within 25 seconds, passwords saved in your web browser have been stolen and silently emailed to criminals on the other side of the world. Your computer is now secretly mining cryptocurrency for someone else — running up your electricity bill and slowing down your systems. And a hidden program is sitting quietly on your machine, waiting for further instructions.
This is not a hypothetical scenario. This is exactly what a newly uncovered hacking campaign — dubbed FAUX#ELEVATE by cybersecurity researchers at Securonix — is doing right now, and businesses like yours are in the crosshairs.
What Is This Attack and Why Should You Care?
Phishing emails are nothing new, but this campaign is notable for how convincing and how fast it is. Criminals are sending emails that look like genuine job applications, complete with an attached CV file. The file appears to be a standard document, but it is actually a heavily disguised malicious script.
The moment someone opens it and clicks through a fake error message, the attack begins. There is no obvious sign that anything has gone wrong. Your antivirus software is deliberately blinded. The attack covers its tracks. And everything it needs to steal your data and set up a persistent presence on your machine is downloaded silently from legitimate-looking cloud services.
For a small business, the consequences can be severe:
- Your passwords are stolen — every login saved in Chrome, Edge, Firefox, or similar browsers is harvested and sent to the attackers. That means email accounts, banking portals, supplier logins, and your accounting software.
- Your computer becomes a tool for criminals — a cryptocurrency miner runs quietly in the background, consuming your computing power and electricity.
- A backdoor is installed — attackers can return whenever they like, monitor your activity, and potentially launch further attacks or sell access to your systems.
- Files from your desktop are stolen — documents, contracts, spreadsheets, and other files sitting on your desktop are swept up and exfiltrated.
How Does the Attack Actually Work?
You do not need to understand the technical details to protect yourself, but knowing the broad strokes helps you appreciate why this is so dangerous.
The CV file is a Visual Basic Script — a type of file that Windows can run directly. To avoid detection, it is padded out to nearly 10 megabytes with thousands of lines of meaningless text, hiding the actual malicious code among over 224,000 lines of noise. Only 266 of those lines do anything.
When opened, it immediately asks the user to run it with administrator privileges — disguised as a necessary step to fix the supposed corruption error. Once it has those privileges, it disables Windows Defender, removes its own traces, and fetches two hidden archives from Dropbox. One contains tools for stealing your passwords and mining cryptocurrency. The other handles keeping the attack alive on your system.
The stolen passwords and desktop files are emailed directly to the criminals using a mail service, meaning there is no obvious suspicious network traffic to spot. The entire process — from opening the file to your credentials being in criminal hands — takes approximately 25 seconds.
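For whoever looks after your IT, the padding trick described above can be measured directly. This is an added example, not code from Securonix or from the campaign; it assumes the filler lines are blank lines or VBScript comments (the article only says "meaningless text"), and the thresholds are illustrative.

```python
import codecs

# Assumed thresholds for this example; tune them against your own mail flow.
MIN_LINES = 1000          # ignore small scripts
MAX_CODE_FRACTION = 0.01  # flag when under 1% of lines are code
# For scale: 266 working lines out of ~224,000 is roughly 0.12%.


def decode_script(data):
    """Decode script bytes, honouring a UTF-16 or UTF-8 byte-order mark."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def is_padding(line):
    """Assumption: padding lines are blank or VBScript comments (' or Rem)."""
    s = line.strip().lower()
    return not s or s.startswith("'") or s == "rem" or s.startswith("rem ")


def padding_report(data):
    """Summarise how much of a script is real code and where it starts."""
    lines = decode_script(data).splitlines()
    code = [n for n, text in enumerate(lines, 1) if not is_padding(text)]
    total = len(lines)
    fraction = len(code) / total if total else 0.0
    return {
        "bytes": len(data),
        "total_lines": total,
        "code_lines": len(code),
        "code_fraction": fraction,
        "first_code_line": code[0] if code else None,
        "suspicious": total >= MIN_LINES and fraction <= MAX_CODE_FRACTION,
    }


def build_sample():
    """Constructed, harmless sample: 3 code lines buried in 6,000 comments."""
    filler = ["' lorem ipsum filler line %d" % i for i in range(6000)]
    code = ["Dim greeting", 'greeting = "hello"', "WScript.Echo greeting"]
    for offset, stmt in zip((1500, 3000, 4500), code):
        filler.insert(offset, stmt)
    return "\r\n".join(filler).encode("utf-16")


if __name__ == "__main__":
    print(padding_report(build_sample()))
```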
"The full infection chain completes in approximately 25 seconds from initial file execution to credential exfiltration." — Securonix Research Team
Why Are Small Businesses Particularly at Risk?
You might think attacks like this are aimed at large corporations with deep pockets. In reality, small businesses are often preferred targets precisely because they tend to have weaker defences.
Large enterprises typically have dedicated IT security teams, endpoint detection software, email filtering systems, and security awareness programmes. Small businesses often rely on built-in Windows security, free antivirus tools, and the common sense of their staff — all of which this attack is specifically designed to bypass.
Furthermore, small businesses handle valuable data — customer records, payment information, supplier contracts, banking credentials — that criminals can monetise quickly. A stolen set of business banking credentials is worth considerably more than a personal account.
If your business receives CVs and job applications regularly — and most do — you are a plausible target. The attackers are not sending these emails randomly; they are targeting businesses in specific sectors and locations.
Five Practical Steps You Can Take Right Now
The good news is that protecting yourself from this type of attack does not require a large budget or a technical background. These five steps will significantly reduce your risk.
1. Change How You Handle Email Attachments
Establish a simple rule in your business: script files — particularly those ending in .vbs, .vbe, .js, .wsf, or .bat — should never be opened from emails. CVs and application documents should only ever arrive as PDFs or Word documents. If someone sends a file in any other format, treat it as suspicious and do not open it.
Better still, ask applicants to submit CVs through an online form or to a dedicated recruitment email account that is separate from your main business systems.
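If your IT support can run checks on incoming mail, the rule above can be enforced automatically. This is an added example, not part of the original article: it reads a saved email, blocks the script extensions listed above, allows PDF and Word files, and marks everything else as suspicious. The allowed extension list and the sample message are assumptions constructed for the example.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script extensions named in the rule above.
BLOCKED = {".vbs", ".vbe", ".js", ".wsf", ".bat"}
# Assumption: "PDFs or Word documents" means these three extensions.
ALLOWED = {".pdf", ".doc", ".docx"}


def classify_attachment(filename):
    """Return 'block', 'allow' or 'suspicious' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    # Only the last extension decides how Windows opens the file,
    # so "cv.pdf.vbs" is a script, not a PDF.
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED:
        return "block"
    if ext in ALLOWED:
        return "allow"
    return "suspicious"  # any other format: treat as suspicious, do not open


def check_message(raw_bytes):
    """Classify every attachment in a raw RFC 5322 message (.eml bytes)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def build_sample(filename):
    """Constructed job-application email with one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "jobs@example.com"
    msg["Subject"] = "Application for the advertised role"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("Jane_Doe_CV.pdf.vbs")))
```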
2. Use a Password Manager and Remove Saved Browser Passwords
This attack specifically targets passwords saved in web browsers. If your team saves passwords in Chrome, Edge, or Firefox — as most people do — those passwords are vulnerable. Switch to a dedicated password manager such as Bitwarden (free for individuals, affordable for teams) and clear saved passwords from your browsers. This single step eliminates one of the most valuable things this attack is trying to steal.
3. Enable Multi-Factor Authentication on Everything Important
Even if an attacker steals your password, multi-factor authentication (MFA) — where you also need a code from your phone to log in — stops them from using it. Enable MFA on your email, banking, accounting software, and any cloud services you use. Most providers offer this for free.
4. Brief Your Staff
You do not need a formal training course. Simply share this article with your team and have a five-minute conversation about it. The key messages are: do not open unexpected attachments, be suspicious of error messages that ask you to click through, and never grant administrator access to a file unless you are certain it is legitimate.
5. Consider a Managed Security Service
For small businesses without in-house IT expertise, a managed security service provides professional monitoring and protection at a fraction of the cost of hiring dedicated staff. Services like those offered by Soc in a Box are designed specifically for businesses like yours — straightforward, affordable, and effective.
What If You Think You Have Already Been Affected?
If you suspect a member of staff may have opened a suspicious file, act quickly. Do not wait to see if anything bad happens — by then it already has.
- Disconnect the affected computer from your network immediately (unplug the ethernet cable or turn off Wi-Fi).
- Change all passwords from a separate, unaffected device — prioritise email, banking, and accounting systems.
- Contact your bank and inform them that your credentials may have been compromised.
- Seek professional assistance to clean the affected machine — do not simply run a scan and assume the problem is resolved.
- If customer data may have been exposed, you may have a legal obligation to report the incident to the Information Commissioner's Office (ICO) within 72 hours under UK GDPR.
The Bigger Picture: Recruitment Is Now a Common Attack Vector
This campaign is part of a broader trend. Attackers increasingly exploit normal business processes — onboarding new staff, reviewing invoices, responding to supplier enquiries — because these are activities where staff expect to receive files and are less likely to be suspicious.
Job recruitment is particularly attractive to criminals because it is an open channel: any member of the public can send you a file by claiming to be a job applicant, and your staff will feel obliged to open it. Criminals know this, and they are exploiting it.
The answer is not to stop accepting job applications — it is to build simple, sensible habits around how those applications are handled.
Conclusion
The FAUX#ELEVATE campaign is a sobering reminder that sophisticated cyberattacks are no longer the exclusive concern of large organisations. The tools criminals use are becoming cheaper and more accessible, and small businesses are increasingly in their sights.
The steps you take today — changing how you handle attachments, protecting your passwords, enabling multi-factor authentication, and briefing your team — cost very little and could save your business from a genuinely devastating breach.
Cybersecurity does not need to be complicated. It needs to be consistent.
Protect Your Business Before the Next Email Arrives
Soc in a Box provides affordable, professional cybersecurity monitoring and protection designed specifically for UK small businesses. No jargon, no enormous contracts — just straightforward security that works.