Email compromise is perhaps the most common type of data breach businesses experience. So much of what goes on in a business is discussed and transacted over email, which makes it an appealing target. Additionally, email is commonly hosted on a cloud platform such as Microsoft 365, which means it is accessible from anywhere in the world. That turns an appealing target into a downright irresistible one.
Before we discuss how to identify a victim of email compromise, let’s look at how these crimes are accomplished.
Like any security breach, the exact nature and methods used to break into an email system can vary widely. However, there are two very common methods.
The first is password reuse. If you have used your email password elsewhere, like on a vendor website, and that website gets hacked -- the bad guys get your email address and password. Once they have it, they will attempt to get into your email system.
The second most common way is tricking users into putting their email addresses and passwords into a website that the bad guys control. This is usually accomplished by phishing, where hackers will say you have an unpaid invoice or a package that needs you to sign off on. Whatever message they choose, it will generally take you to a website where they make you “log in” with your email address and password to verify it is you -- and then they have you.
Those are not the only two ways to compromise an email system, but they are the most common. Now, let’s take a quick look at what the hackers are after.
The long and short of this is: the bad guys are after money. The tactics used can vary significantly depending on the skill of the hackers and the information from your email.
One common method is tricking someone into sending an ACH payment to a different account, or into changing the account a vendor's funds are deposited to. If you send money for your company, deal with vendors, or are the person who tells people where to send money, this makes you an attractive target.
For example: if someone received an email from the CFO's account asking them to send funds to a given account, few people are likely to question it. Another common request is changing the deposit accounts for all the employees in the payroll system. If the bad guys don't see an immediate way to gain money, they will often just send out emails to everyone you have ever contacted in hopes of compromising them and finding an easy target.
Recently, we have seen an odd tactic where the attacker sets up an Indeed account with the compromised email and then posts a job. We can only assume that they are aiming to scam people who apply for the job, but we have not yet seen the end result in action. Lastly, it is possible that the hackers are looking for specific information in your email system. For instance, if they know you are a medical provider, they may be looking for patient information to sell on the black market. Once again, the things they do can vary depending on what they find.
If the attacker is highly skilled, it can be quite difficult for a normal person to detect them. Often, the attackers will set up rules in your email system to automatically delete certain emails and forward other emails to themselves. So, checking to see if there are rules you don’t recognize is a good idea.
Check your sent and deleted items to see if there are emails you didn't write. Most attackers don't bother purging those emails from the system, so they will show in your trash. Most often we see people find out they have been compromised because someone got a suspicious email from them and let them know. If you have received such an email, you should CALL the person that sent it, using a verified phone number -- not one that may have been falsely added to the suspicious email. If you are using a system like Microsoft 365, then it is possible for an administrator to check the logs to see if the mailbox has been logged into from unknown locations. While an advanced attacker may get around this, 90% of the time they will log in from areas not near the actual user.
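The rule check described above, as an added example for Microsoft 365 administrators (not code from the original post): it walks every user mailbox and reports inbox rules that forward or redirect mail to an address outside your own domains, or that delete or hide incoming mail. It assumes the ExchangeOnlineManagement module is installed and the account running it holds an Exchange administrator role.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Any domain the tenant accepts mail for is treated as internal; everything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-ExternalRecipients {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients render as "Name" [SMTP:user@example.com] or as a bare address;
        # pull the address out and keep it only if its domain is not one of ours.
        if ($r -match '([\w\.\-\+]+@[\w\.\-]+)') {
            $address = $Matches[1].ToLower()
            if ($internalDomains -notcontains $address.Split('@')[1]) { $address }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = @(Get-ExternalRecipients -Recipients $targets)
        # Rules that delete mail, or shunt it into folders nobody reads, are the "hide the evidence" pattern.
        $hides    = $rule.DeleteMessage -or ($rule.MoveToFolder -match 'Deleted Items|RSS|Junk|Archive')
        if ($external.Count -gt 0 -or $hides) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Enabled     = $rule.Enabled
                ExternalFwd = ($external -join ';')
                HidesMail   = [bool]$hides
                Conditions  = $rule.Description
            }
        }
    }
}

# Review each line with the mailbox owner: rules they did not create are a strong compromise indicator.
$findings | Sort-Object Mailbox, RuleName | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A single rule named with one character or a blank name, forwarding to an address the owner has never heard of, is the typical finding; remove it only after the password has been reset and sessions revoked, or the attacker will simply recreate it.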
If you think your email has been compromised, contact your IT department or IT provider immediately. They are able to investigate properly and determine whether a compromise has likely happened. If it has, read our article on what to do if you have a data breach. At Sawyer Solutions, we take cybersecurity and data breaches -- such as email compromise -- very seriously. If you believe you are experiencing such an event and you need assistance, give us a call at 844-448-7767 or contact us. Even if this hasn't happened to your business -- understanding the importance of awareness, proactivity, and training can make all the difference. We spend a lot of time working with clients to help reduce the likelihood of email compromise, and we can do the same for you!