In cybersecurity, the most damaging problems are rarely the loudest. Often the real risk comes after an incident is dealt with, when a business assumes the threat is gone.
QuietChain is a blog series by James Lugton (Security Officer and Infrastructure Specialist at Nochex), exploring the everyday gaps attackers exploit. The first post covered eSkimming: how attackers slip into a merchant’s website through something as small as an outdated plugin or a forgotten password, then quietly collect card details for months before anyone notices.
This second post looks at repeat targeting and what can happen after an incident is “over”, when attackers come back because they already know where the door was left open once before.
The Second Knock
Mark had been through an attack before. It was a small ransomware incident that locked up a few of his business files. He dealt with it the way many busy business owners would: he paid the small demand, restored what he could, changed a few passwords, tightened a few settings and got back to work.
The website still worked, orders still came in – business settled as if nothing ever happened. Until, three months later, another message arrived:
“We know you have paid before. You will pay again.”
That’s repeat targeting: when attackers return to a business, website or system that has already been compromised once. The second attempt does not always look like the first. A ransomware incident may be followed by phishing. An eSkimming compromise may come back through the same vulnerable plugin. A stolen password may be tested months later against email, admin panels or connected services.
The method changes, but the reason is the same: the business has already been marked as a possible target, and attackers come back to see whether the same password still works, whether the same plugin is still out of date, whether the same admin account is still open.
Mark had not been careless. He had simply done what many people do after a scare: fix the visible damage and move on. But attackers often do not move on as quickly. They knock again.

Why does it happen?
To an attacker, a merchant who has been hit once is not a closed case – it is a promising lead. Someone who paid is likely to pay again, and someone compromised once probably still has the same gap, often very small: a reused password, a forgotten user account, an old plugin, a missed update, a third-party integration nobody thinks about. On its own, each one can feel minor. Together, they create a pattern attackers know how to revisit.
Because once attackers have been inside your digital space, they understand more than you might realise:
⚠️ which system was weak,
⚠️ how access was gained,
⚠️ what kind of data exists,
⚠️ how quickly the business responded.
Fixing the visible damage is not the same as closing the way in. Mark restored his files and changed a few settings, but if the original crack was still there, the attackers already knew exactly where to knock.
Why “back to normal” can be risky
After an incident, getting back to normal feels like the goal. And that’s completely understandable. Merchants have customers to serve, orders to process, staff to manage and bills to pay. Nobody wants to spend weeks thinking about an attack that already caused enough disruption.
But “normal” is not always safe. If the same access points stay open, attackers may come back through them. If old accounts are still active, they may be reused. If monitoring is weak, a second attempt may go unnoticed for even longer than the first.
The period after an incident is the right time to ask a few uncomfortable but useful questions:
✅ How did the first attack happen?
✅ Was the original access point fully closed?
✅ Are there other systems with the same weakness?
✅ Who still has access?
✅ What would alert us if someone tried again?
These questions are not about blame, but about making sure the same door cannot be used twice.
What merchants are responsible for
Even when a payment provider handles card data on your behalf and reduces your PCI DSS scope to SAQ-A, your own website and business environment still matter. An attacker does not always need to reach your payment provider – they may only need to reach your website, email account, admin panel, or someone inside the business.
Security is shared. A payment partner can reduce exposure and add controls, but merchants still need to look after the parts of the environment they control. After any incident, even a small one, it helps to pause and reset. In practice, this means:
Patch properly and on time: do not only fix the system that was obviously affected – check connected software, plugins and integrations too.
Review access: remove old users, unused admin accounts and anyone who no longer needs access.
Change weak or reused passwords: especially for email, website admin panels and systems connected to payments.
Monitor activity: watch for unusual logins, unexpected changes, suspicious traffic or repeated failed access attempts.
Learn from the first incident: document what happened, what was fixed and what still needs attention.
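One way to turn the “monitor activity” and “learn from the first incident” points into a concrete check, as an added example that is not the post’s or Nochex’s own code: it uses an assumed log line format, constructed sample lines and a made-up incident record to flag the return patterns described above (repeated failed logins, a login that follows them, use of an account the access review should have removed, and any access from a source noted in the first incident).

```python
"""Added example for this post, not code from Nochex or the author: scan
constructed admin-login log lines for the 'second knock' patterns described
above, using the first incident's written record as the watch-list."""
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> OK|FAIL user=<u> ip=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2024-06-01T02:14:01Z FAIL user=admin ip=198.51.100.7",
    "2024-06-01T02:14:05Z FAIL user=admin ip=198.51.100.7",
    "2024-06-01T02:14:09Z FAIL user=admin ip=198.51.100.7",
    "2024-06-01T02:14:13Z FAIL user=admin ip=198.51.100.7",
    "2024-06-01T02:14:17Z FAIL user=admin ip=198.51.100.7",
    "2024-06-01T02:14:40Z OK user=admin ip=198.51.100.7",
    "2024-06-01T09:00:12Z OK user=mark ip=203.0.113.5",
    "2024-06-02T23:59:59Z OK user=oldtemp ip=192.0.2.44",
]
# From the first incident's write-up (constructed): the source seen then, and
# the account the post-incident access review was supposed to remove.
INCIDENT_RECORD = {"ips": {"192.0.2.44"}, "retired_accounts": {"oldtemp"}}

def parse(lines):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]

def second_knock_alerts(lines, record, fail_threshold=5):
    """Return de-duplicated (kind, ip, user) alerts in first-seen order."""
    fails, alerts, seen = defaultdict(int), [], set()

    def add(kind, e):
        key = (kind, e["ip"], e["user"])
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for e in parse(lines):
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
            if fails[e["ip"]] >= fail_threshold:
                add("repeated_failures", e)      # same door being tried again
        elif fails[e["ip"]] >= fail_threshold:
            add("success_after_failures", e)    # the guessing eventually worked
        if e["ip"] in record["ips"]:
            add("known_source_returned", e)     # the first knock's source is back
        if e["result"] == "OK" and e["user"] in record["retired_accounts"]:
            add("retired_account_used", e)      # access review was not completed
    return alerts
```

Each alert kind maps to one of the questions in the checklist above, so a hit is a prompt to re-open the incident record rather than a verdict on its own.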
Where a PayFac or Payment Orchestration Platform helps
A strong payments partner does not replace merchant responsibility, but it can make repeat attacks harder to ignore and easier to respond to. A well-built PayFac or Payment Orchestration Platform can help by:
✅ detecting repeated patterns across transactions or attempts
✅ blocking suspicious flows before they become bigger issues
✅ applying consistent controls across payment environments
✅ supporting merchants, customers and partners when unusual behaviour appears
Repeat targeting is often about patterns. Where a single merchant may only see one strange attempt, a payment partner may recognise the same pattern appearing across several merchants, regions or transaction types. And that broader view can help identify risks earlier.
It’s like having someone who remembers the first knock and is ready for the second.
The quiet truth
Attackers do not always disappear after the first attempt. Sometimes the first incident gives them enough information to decide whether trying again is worth their time.
Mark’s story isn’t unusual. Many businesses treat an incident as finished once the visible damage is repaired – files are restored, passwords are changed, the website works again and everyone moves on. But security does not end when things look normal. It continues in the habits that follow: patching, reviewing access, monitoring activity and working with partners who can help spot patterns you may not see alone.
Security is not about being perfect – it’s about being consistent.
Regular habits + strong partners = real protection.
In the next QuietChain series…
…what happens when a busy moment leads to a rushed decision, and how a single click on the wrong link can quickly turn into a serious security issue.
In the meantime, visit James Lugton’s blog ‘Security e-drift: the quiet compromise’ for more cybersecurity insights.