Business Email Compromises: Tips for Prevention & Response

September 03, 2019

By: Sean B. Hoar & David E. Artman

Malicious attackers continue to use email platforms for nefarious purposes. The resulting email account compromises can present multiple dangers to a business, including to the basic security of its network and sensitive information, and the malicious use of secondary sources of money.

Primary Risk: The Security of the Network

Perhaps the most serious risk is to the security of the computer network. As we have noted before, malicious attackers often target email accounts as a means to gain user credentials for access to a computer network. They typically send a sophisticated “phishing” message to the user of the account. The message is often crafted after substantial reconnaissance by the malicious attacker to appear to be from a friend, colleague, or known vendor. Even the most astute and scrutinizing recipient will perceive it as a legitimate message from a known contact. The messages may use multiple means to harvest user credentials – perhaps through malware embedded in an attachment, through a link to an apparently legitimate application that captures login information, or through basic social engineering requesting certain information. Compromised email accounts often serve as an attack vector to a much larger computer network compromise, such as a large-scale ransomware attack.

Secondary Risk: Sensitive Information

Another serious risk from email account compromises is to the sensitive information contained in the email accounts. Depending upon the target of the attack, malicious attackers may steal a variety of valuable information. It may be proprietary information from executives or researchers, personal information about customers, or employee Form W-2 Wage and Tax Statements from human resources personnel. Email accounts often contain user credentials to the email account and to other online accounts, as well as access credentials for financial accounts. These credentials can be used by the initial attacker for malicious purposes, including sending spam messages to contact lists in order to infect others with a credential harvesting attack, or to steal funds from a bank account. The user credentials can also be sold on the dark web. The employee Form W-2 information can be used to e-file fraudulent tax returns for the purpose of stealing refunds. The bottom line is that an email account can be a treasure trove of sensitive data that a criminal can use for malicious purposes.

Tertiary Risk: Secondary Sources of Money

A third serious risk from email account compromises is that secondary sources of money can be obtained through malicious use of the account, or through stolen user credentials to employee portals. Accounting personnel and financial officers are commonly targeted in fraudulent wire transfer exploits. Once the attacker compromises the email account, rules are enabled to search for messages and attachments containing terms that pertain to wire transfers like “invoice,” “wire,” “transfer,” or “ACH.” If messages with those terms are received, another rule causes the messages to be deleted from the legitimate account and forwarded to the malicious attacker’s account. If the account belongs to an accounts receivable clerk, the malicious attacker typically alters the account number to which the funds are to be transferred and sends that information in a subsequent message from the legitimate account. This often results in the wire transfer or ACH payment being made to the malicious actor’s account.
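The rule pattern described above can be looked for when reviewing a mailbox's rule-creation events. The following is an added example, not part of the original article: the event fields, the sample events, and the `example.com` internal domain are all constructed assumptions rather than any vendor's log schema.

```python
import re

# Added example: the event fields and sample events are constructed, not a vendor log schema.
PAYMENT_TERMS = {"invoice", "wire", "transfer", "ach"}  # the terms quoted in the article
INTERNAL_DOMAINS = {"example.com"}                      # assumption: the organization's domains

def external_recipients(addresses):
    """Return forwarding targets whose domain is not one of the organization's."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def assess_rule(event):
    """Return findings for one rule-creation event; an empty list means nothing notable."""
    # Match whole words so that "wire transfer" hits but "reach" does not hit "ach".
    words = {w for k in event.get("keywords", []) for w in re.findall(r"[a-z0-9]+", k.lower())}
    hits = sorted(words & PAYMENT_TERMS)
    external = external_recipients(event.get("forward_to", []))
    deletes = bool(event.get("delete_message"))
    findings = []
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if hits and deletes:
        findings.append("deletes messages matching payment terms: " + ", ".join(hits))
    if hits and external and deletes:
        findings.append("HIGH: payment-term match with external forward and delete")
    return findings

def review(events):
    """Map 'mailbox:rule' to findings for every rule with at least one finding."""
    report = {}
    for event in events:
        findings = assess_rule(event)
        if findings:
            report[f"{event['mailbox']}:{event['rule_name']}"] = findings
    return report

SAMPLE_EVENTS = [  # constructed
    {"mailbox": "ar.clerk@example.com", "rule_name": "payments",
     "keywords": ["Invoice", "wire transfer", "ACH"],
     "forward_to": ["collector@mail.invalid"], "delete_message": True},
    {"mailbox": "dev@example.com", "rule_name": "build mail", "keywords": ["jenkins"],
     "forward_to": [], "delete_message": False},
    {"mailbox": "cfo@example.com", "rule_name": "assistant copy", "keywords": [],
     "forward_to": ["assistant@example.com"], "delete_message": False},
]

if __name__ == "__main__":
    for rule, findings in review(SAMPLE_EVENTS).items():
        print(rule, *findings, sep="\n  - ")
```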

Human resources personnel are commonly targeted in W-2 exploits in which malicious attackers attempt to phish Form W-2 information in order to fraudulently e-file tax returns. They are also targeted for employee portal user credentials. Malicious actors use the credentials to access the employee portals and change direct deposit information so that payroll checks are sent to the malicious actor’s account. Due to the actions of malicious attackers, every day, businesses lose millions of dollars to fraudulent wire transfers and misdirected payroll checks.

Tips for Prevention and Response

Defending against email account compromises should be part of every information security program. In addition to various risk-based information security frameworks that businesses must employ to protect against general online threats, here are a few specific measures that can help defend against email account compromises:

  • Obtain appropriate cyber insurance. Although cyber insurance should be part of any enterprise risk management program, it is more important than ever before. The expense of responding to an email account compromise can be substantial. Depending upon the nature of the exploit, a forensics investigation may or may not be necessary. If necessary, it will involve a review of various log files, enabled rules, and data which may have been acquired without authorization. If malicious attackers acquired personal information during the attack, data mining may have to be undertaken. If personal information was acquired, consumer and regulatory notification may be required. Although initial forensics investigations within an email account can be done relatively efficiently and often incur no more than a low five-figure expense, the process of data mining can often result in a substantial five- or six-figure expense. The cost of consumer notification and remediation will depend upon the number to be notified, but it is a necessary expense that victims of the compromise must be prepared to incur. Appropriate cyber insurance can help mitigate this economic risk.
  • Multi-factor authentication is essential to protect email accounts and should be deployed. In addition to requiring a username and a password to access an email account, multi-factor authentication requires at least one additional piece of information to access the account. This requires authorized individuals to combine something they “know,” such as a username and password, with something they “have,” such as a unique code sent to the authorized user’s smart phone, or something they “are,” such as a fingerprint or other biometric measurement, in order to gain access to the account. The concept of multi-factor authentication is to provide a secondary level of protection in order to validate online accounts beyond solely a username and password. Multi-factor authentication tools help prevent malicious actors from hijacking email accounts and using them for malicious purposes.
  • Deploy audit logging. Note that in some email platforms, audit logging is not enabled by default, so users must actively enable it for added security. Log retention schedules should be extended to at least 90 days, and then archived for up to 12 months, if possible.
  • Deploy Domain-based Message Authentication, Reporting & Conformance (DMARC) on the domain of the organization so that emails attempting to spoof the actual domain are blocked from delivery.
  • Deploy external message flagging, so that users will always have notice that a message is from an external source.
  • Use complex passwords of at least 12 characters. The longer the password, assuming some complexity, the more difficult it is to compromise.
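Whether a DMARC deployment actually blocks spoofed mail, as the DMARC item above intends, depends on the policy tags in the published record. The following added example (not from the original article) checks a record's text against the RFC 7489 tags; the sample records and the `example.com` addresses are constructed, and retrieving the TXT record from `_dmarc.<domain>` is left out so the code runs offline.

```python
# Added example: checks DMARC record text (RFC 7489 tags); sample records are constructed.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; the v=DMARC1 tag must come first."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    return tags

def evaluate(txt):
    """Return (rejects_spoofed_mail, issues) for one record."""
    tags = parse_dmarc(txt)
    issues = []
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()   # subdomain policy defaults to p
    pct_raw = tags.get("pct", "100")       # share of failing mail the policy covers
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else None
    if policy not in POLICIES:
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; failing mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine marks failing mail as suspicious instead of rejecting it")
    if policy in POLICIES and sub in POLICIES and POLICIES.index(sub) < POLICIES.index(policy):
        issues.append(f"sp={sub} gives subdomains a weaker policy than p={policy}")
    if pct is None:
        issues.append(f"invalid pct value: {pct_raw!r}")
    elif pct < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are not collected")
    return (policy == "reject" and sub == "reject" and pct == 100), issues

SAMPLE_RECORDS = {  # constructed
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=25",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(label, evaluate(record))
```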

All responses to email account compromises should involve immediately disabling any unauthorized connection, immediately changing the user password, deployment of multi-factor authentication (if not previously deployed), and the preservation of evidence in the account.