Email Account Takeover
We are seeing really concerning levels of email account takeover. It is particularly prevalent in businesses that have moved to cloud-based email facilities (e.g. Office 365).
What does that mean and what are cybercriminals trying to achieve?
It is where a cybercriminal has been able to sign into your email account as you. Typically, the criminal will try to stay hidden, logging in as you and looking at email traffic, searching for an opportunity to commit a crime. Most often they are looking for movements of money/payments. They will attempt to divert the payment into their fraudulent bank account; that money is then moved quickly and is rarely retrievable.
So, they are literally reading each one of my emails?
Most often they will start by looking at the most recent emails and recent drafts, looking for immediate opportunities. Then we see two different approaches. In one, they set up an automatic mail forward to their own email account, auto-deleting the evidence. The emails are then filtered for potential money movements. The second approach is a little more hands-on: they find ‘senders’ of incoming emails that are of interest (e.g. they are talking about investment and payments of fees), then divert everything that comes from this ‘sender’ to the RSS folder, which is a default folder in every inbox. They log in frequently to find things of interest and reply to emails as if they are you. Remember, you have never seen the original incoming email.
Are there any other consequences other than losing money?
Yes. Businesses that are breached in this way will need to look at what the criminal has had access to and consider their reporting obligations to their regulator, the ICO and other third parties. Loss of client or customer trust may be the greatest damage. Regulatory fines and PR consequences can be significant, and ransom attempts can also occur once the ‘takeover’ is discovered if the criminals think they have something sensitive. Not to mention the wasted time of senior staff and others in trying to resolve the problems.
Who should worry about this and how do the criminals choose their victims?
The first thing to understand is that the cybercriminal does not discriminate. They just gather all the credentials they can get their hands on and attack everyone on that list. They buy login credentials from the ‘dark web’, or they just attempt to break weak passwords, or they harvest sign-in details from email phishing campaigns. At that point, they load the information they have into an automated tool that systematically works through the list, seeing what doors they can open (and they rotate through different login pages, e.g. Office 365). So, everyone with email is a target, but you only become a victim if the door isn’t locked properly.
Is it as simple as don’t lose your password?
Not really. You should understand how easy it is to end up on the target list.
- A data breach – companies lose data when their systems are hacked. This happens surprisingly often, and the stolen data may contain your details. Millions of personal details and passwords are stolen every year.
- Using a weak or common password, or one that relates to names associated with you.
- Re-using an identical or similar password on multiple accounts and subscriptions.
- Phishing attacks – large scale blanket emails are sent to thousands of people. They look very credible and send you to ‘log in’ on a fake web page or pop-up, where they record your password.
How do we protect ourselves?
We recommend five immediate steps, whether you have spotted suspicious activity or not.
- Change your password to be completely unique, strong (with numbers, symbols and capitals) and not related to anything that can be discovered about you on your social media.
- Switch on strong authentication (e.g. MFA for Office 365 or “two-step authentication” for G Suite).
- Get your email administrator to look at your historic ‘sign in’ logs and check for malicious behaviour (e.g. strange locations). You will be amazed how many times we do this and find someone has already been breached.
- Review email alerts and forwarding rules. Be careful: these rules may need to be checked both in your mail application and in webmail.
- Get your systems configured to be more defensive including alert set-up, switching audit logs on and reducing the number of administrators.
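One way to carry out the forwarding-rule review against the two hiding patterns described earlier (an auto-forward that deletes the evidence, and a rule that diverts one sender's mail to the RSS folder). This is an added example, not code from the original article; the JSON export format, its field names, the internal domain list and the folder names are assumptions.

```python
import json

# Constructed sample: inbox rules exported to JSON by an administrator.
# The field names (mailbox, name, from, forward_to, delete_message,
# move_to_folder) are assumptions for this example, not a vendor schema.
RULES_JSON = """[
 {"mailbox": "finance@example.com", "name": ".", "from": [],
  "forward_to": ["collector@mail.example.net"], "delete_message": true, "move_to_folder": null},
 {"mailbox": "finance@example.com", "name": "..", "from": ["broker@supplier.example"],
  "forward_to": [], "delete_message": false, "move_to_folder": "RSS Feeds"},
 {"mailbox": "pa@example.com", "name": "Newsletters", "from": ["news@vendor.example"],
  "forward_to": [], "delete_message": false, "move_to_folder": "Newsletters"},
 {"mailbox": "pa@example.com", "name": "To deputy", "from": [],
  "forward_to": ["deputy@example.com"], "delete_message": false, "move_to_folder": null}
]"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}  # assumed names of the default RSS folder

def domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return the reasons a rule matches the takeover patterns, or an empty list."""
    reasons = []
    external = [t for t in rule.get("forward_to", []) if domain(t) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
        if rule.get("delete_message"):
            reasons.append("deletes the original after forwarding")
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in HIDING_FOLDERS and rule.get("from"):
        reasons.append("hides mail from " + ", ".join(rule["from"]) + " in " + rule["move_to_folder"])
    return reasons

def audit(rules_json):
    """Return (mailbox, rule name, reasons) for every suspicious rule in the export."""
    findings = []
    for rule in json.loads(rules_json):
        reasons = audit_rule(rule)
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings

if __name__ == "__main__":
    for mailbox, name, reasons in audit(RULES_JSON):
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Internal forwards and ordinary filing rules pass unflagged, so every finding is worth a manual look alongside the sign-in logs for that mailbox.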
It is important to recognise that you cannot defend yourself against email account takeover attacks, or other types of cyber attacks, by technology alone. You should also appreciate that IT support is not the same as cybersecurity. Nor should your IT function be asked to mark their own homework.
You must undertake a proper risk assessment of your data, your systems, and the way you operate, and then put in place a risk management framework. It should cover your technology, your people and your governance. It is estimated that over 60% of problems are caused by staff error or staff falling for tricks. So, you must ensure that everyone in your business has access to ongoing cybersecurity awareness training and test that it has been understood. You must put in place the right governance regime, with the right policies that fit the way your business operates, to keep the whole organisation safe. You should also regularly review and update your security arrangements to ensure continued safety and operational resilience.
Don’t take the risk. Make sure your business is protected against cyber-attacks now.