At some point in time, we’ve all found ourselves facing a suspicious email in our inbox with an urgent call to action or even a threat. Back in the day, you could probably take one look and know not to engage: poor grammar, strange logos, or a message from a foreign prince offering to send you millions.
These days, spotting business email compromise (BEC) or email hijacking is not nearly as black and white, and many times the message appears to come from a credible source or even someone you know and trust. Criminals gain access to an individual’s email account not only through phishing emails, but also through compromised credentials (for example, a password reused on a site that was breached) and outdated security practices such as accounts without multifactor authentication. Ultimately, businesses of any size can be targeted, and employees at any level of the corporate ladder are at risk.
Email hijacking has become one of the most popular methods of financially motivated hacking. So, if it’s happening to businesses daily, why don’t we hear more about these incidents in the news? In short, these attacks are big enough to cause financial problems for a company but not big enough to make the news. Additionally, these incidents are often being quietly swept under the rug to avoid the company’s reputation being ruined if their customers were to learn of the attack.
If you think your business is too small or that your company’s type of information isn’t being targeted, think again. According to Sean McNee, CTO at DomainTools, “A key reason BEC attacks are difficult to defend against is that they attack people and not technology per se. Everyone is susceptible to social engineering because we’re all human.”
What happens if your email is compromised?
Once the criminal compromises the account, they usually watch the email traffic, observe the types of emails that come through, and note who the employee converses with by email. They then create an inbox rule that moves certain emails from specific senders into a folder the owner rarely opens (or forwards them out of the organisation), so the owner of the account never knows those emails are coming in. The criminal can also reply to the redirected emails as the employee without their knowledge. Ultimately, once a criminal has access to the account, there is very little they can’t do.
“It’s important to understand that once the criminal can send emails as the employee, now the criminal can interact with everyone in the employee’s contact list, spreading their enterprise to other potential victims,” explained intelliSystems President & CEO, Kevin Wade. “Once the criminal has done their damage, they can then go in and delete the emails and evidence and walk away, leaving no evidence they were ever even there.”
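The hiding technique described above (inbox rules that forward mail externally, tuck it into a rarely viewed folder, or delete it, often filtering on words like "invoice" or "wire") leaves a footprint in the mailbox's rule list, which is one of the first things to pull in a BEC investigation. The script below is an added example written for this page, not intelliSystems' tooling. It triages a list of inbox rules for those patterns. The rule records and field names are constructed to resemble what a mailbox-rule export contains (for instance from Exchange Online's `Get-InboxRule` cmdlet or the Microsoft Graph `messageRules` endpoint); the exact field names, the organisation domain `example.com`, and the sample rules are assumptions, not data from a real tenant.

```python
"""Flag inbox rules that match common business-email-compromise patterns.

Added example: rule records are constructed (not a real export), and the
field names approximate what Get-InboxRule / Graph messageRules return.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders users rarely open; attackers move intercepted mail here to hide it.
HIDING_FOLDERS = {
    "rss subscriptions", "rss feeds", "conversation history",
    "deleted items", "junk email", "archive", "notes",
}

# Whole words that point at payment/invoice traffic, the usual BEC target.
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "ach", "remit", "remittance"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    subject_or_body_contains: List[str] = field(default_factory=list)
    from_addresses: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    stop_processing_rules: bool = False


def is_external(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True if the address is outside the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != org_domain.lower()


def analyse_rule(rule: InboxRule, org_domain: str = ORG_DOMAIN) -> List[str]:
    """Return human-readable findings for one rule; an empty list means benign."""
    findings: List[str] = []
    if not rule.enabled:
        return findings

    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a, org_domain)]
    if external:
        findings.append("forwards/redirects to external address(es): " + ", ".join(external))

    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")

    if rule.delete_message:
        findings.append("deletes matching mail")

    # Match on whole words so "ach" does not fire on "machine" or "reach".
    keywords = [
        k for k in rule.subject_or_body_contains
        if set(re.findall(r"[a-z]+", k.lower())) & MONEY_WORDS
    ]
    if keywords:
        findings.append("filters on payment-related keywords: " + ", ".join(keywords))

    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        findings.append("marks mail read before hiding it (suppresses the unread badge)")

    # Attacker-created rules are frequently named with a single character or dot.
    if len(rule.name.strip()) <= 2:
        findings.append(f"suspiciously short rule name {rule.name!r}")

    return findings


def triage_rules(rules: List[InboxRule], org_domain: str = ORG_DOMAIN) -> Dict[str, List[str]]:
    """Map rule name -> findings for every rule that produced at least one finding."""
    return {r.name: f for r in rules if (f := analyse_rule(r, org_domain))}


# Constructed sample: one benign rule and three that look like BEC tradecraft.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", subject_or_body_contains=["newsletter"],
              move_to_folder="Reading"),
    InboxRule(name=".", subject_or_body_contains=["invoice", "wire transfer"],
              move_to_folder="RSS Subscriptions", mark_as_read=True,
              stop_processing_rules=True),
    InboxRule(name="Backup", forward_to=["cfo.backup@gmail-mail.example"]),
    InboxRule(name="Cleanup", from_addresses=["ap@vendor.example"], delete_message=True),
]

if __name__ == "__main__":
    for rule_name, rule_findings in triage_rules(SAMPLE_RULES).items():
        print(f"[!] rule {rule_name!r}:")
        for line in rule_findings:
            print(f"      - {line}")
```

Run it as-is to see the three flagged rules; to use it on a real mailbox, export the rules (for example `Get-InboxRule -Mailbox user@example.com | ConvertTo-Json`) and map the export's fields onto `InboxRule`. Deleting a flagged rule is not enough on its own: reset the password, revoke active sessions and app passwords, and review sign-in and mailbox audit logs, because the rule is a symptom of the account takeover, not the takeover itself.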
How can you tell if your account has been compromised?
You might see unusual requests for payments, notifications that your banking information or password has been changed, or a multifactor authentication prompt you did not initiate, which means someone holding your password is attempting to sign in. Additionally, you may receive messages from clients or vendors saying they got an email from you and want to confirm you actually sent it.
What are the consequences?
If your email account is compromised, you risk the loss of sensitive data, direct financial damage (for example, a payment wired to an attacker-controlled account), and ultimately the loss of your customers’ trust in your business.
In the video below, Kevin shares a real-life example of email hijacking and how it impacted one company.
How can businesses protect themselves from email hijacking?
- Businesses should adopt a comprehensive cyber security strategy. This requires not only specific software and tools, but also people who know how to use those tools and who create the procedures that prevent incidents from happening. When shopping for a new IT managed service or cybersecurity provider, ask for their certifications and credentials.
- Regular security training for employees. “We’ve had prospective customers where we’ve implemented a test to see how many of their employees would click on a fake phishing email, and it’s not unusual to have 40 to 50 percent of employees click on these things,” said Kevin. “Once they go through even as little as six months of regular, ongoing training on how to spot phishing emails, the number drops to a tenth of what it was, so around four or five percent. It’s partly because of the training, but also because of the awareness.”
- Conduct regular risk assessments to identify both software shortcomings and policy gaps that could cause a problem for the company.
- Stay current on attackers’ latest tactics, especially social engineering, since BEC targets people rather than technology.
- Be aware of the potential legal and regulatory implications of an attack. Certain industries, such as healthcare and financial services, face compliance consequences if their data is compromised, and many states are now adopting laws that impose penalties for exposing customer information. This will only become more of a problem for businesses as criminals continue to refine their methods.
The Bottom Line
“You can never do enough,” said Kevin. “We have a great track record here, and that’s because we don’t make cybersecurity optional. We feel it’s a disservice to our customers to allow them to assume it may not be a big problem.”
It’s important for business owners and employees to be aware of the various ways cyber criminals can gain access and wreak havoc in your company. BEC, or email hijacking, is just one of many ways that cyber criminals can damage or destroy businesses large and small.
If you would like to know more, or you are interested in having an assessment performed on your company’s technology to identify potential vulnerabilities, contact us at intelliSystems for more information.