What does it mean when an email account is compromised?
Email Account Compromise (EAC), or Business Email Compromise (BEC) when the victim is an organisation, is when an attacker gains control of an email account. The attacker then uses the account to impersonate you and scam the people in your contact list, gaining their trust in order to extract money or data, or to get someone to download malware.
The statistics relating to EAC and BEC are staggering; losses from business email compromise (BEC) have skyrocketed over the last year. For example, the FBI’s Internet Crime Report shows that in 2019 BEC scammers made nearly $1.8 billion, over half of the total losses reported by organisations through cybercrime. You can read detailed statistics for 2020 on BEC online.
How is an account compromised?
There are several ways this can happen. The easiest is for an attacker to simply purchase many thousands of identities online from data breaches, containing users’ names, email addresses and passwords, and then use techniques such as password spraying or credential stuffing to gain access to accounts.
In a credential stuffing attack, these stolen credentials are tried against many other online accounts, relying on the fact that people often reuse the same password across many services.
A password spraying attack is quite different. Here the attacker tries a small number of commonly used passwords (such as “123456”, “qwerty” or “Password1”) against a large number of online accounts, so that no single account sees enough failed attempts to trigger a lockout.
Other compromises may come through vulnerabilities or misconfiguration of cloud email services, or via “social engineering” such as a phishing attack or gathering details online about a business and its senior managers.
What happens if your account is compromised?
You may have heard someone say that their email account has been “hacked”. The cause is most commonly a phishing attack, but phishing is not the only method used to exploit someone’s email account.
Email account compromise is an impersonation attack. The attacker is pretending to be someone they are not, usually someone in authority or a position of trust, a service provider that you use in the home such as a broadband provider, or in the case of BEC it could be a CEO or help desk person. In a targeted campaign, the attacker may use information about your employees or company to make their messages even more persuasive and realistic - this is referred to as spear phishing. Here are some examples of the types of schemes that attackers commonly use in the business world:
- Impersonating high-level business executives (spoofing): most commonly, funds transfer requests appear to be sent from a senior manager to the finance manager.
- Bogus invoice schemes: for example, someone imitating a supplier that the business uses requests payment of money.
- Account compromise scheme: the compromised account is used to request money from people in the victim’s contacts address book who may owe the business money.
- Legal representative impersonation: lawyers, solicitors or their representatives are impersonated, and the attacker will try to persuade the employee to act quickly, normally towards the end of the day or week.
- Data theft scheme: HR and finance departments are most at risk of receiving emails from a compromised account requesting personal information on employees.
An attacker will more than likely try to monetise access to your email account in some way or another. Watch this short video clip on the ways in which Business Email Compromise occurs, how to avoid it and what to do if it happens to your business.
Business email accounts
Business email accounts may not suffer the same insecurity around passwords, as they may use something like a single sign-on domain login for the computer’s user account. However, that is the only difference, and users should always be vigilant regarding phishing and password security for their account.
In today’s business world some large companies are outsourcing business functions and resources to online “cloud” services, for example Microsoft Office 365. This presents a new issue for email account security, as the email service is no longer hosted on an “in house” or “on-premises” server that the business controls. Inevitably it means that users will potentially be logging in using their email address and password; if those are compromised, an attacker gains access to do whatever they want with the email account. Attackers will even go as far as reading through past emails and searching for old invoice templates sent internally or between external business partners, so that they appear more genuine when they attempt to steal money. Two-factor authentication should be enabled wherever possible to significantly reduce the chance of these attacks succeeding.
Another powerful tool available to businesses is “logging”: collecting logs from various sources within the IT infrastructure so that they can be analysed for common threats. For email security, some solutions can show data on email subject lines to expose common spam, statistics on attachments, or which links within emails have been clicked. More information on logging can be found on the National Cyber Security website, and there is also a handy article on the National Cyber Security Centre website about free logging solutions.
Private email accounts
Compromised private email accounts have in the past been used by attackers to email the victim’s entire contact list claiming that they are stranded in a foreign country and need money to get home. Another real-world scenario is an attacker pretending to be the solicitor in a house purchase, masquerading as them to receive the deposit funds for the house sale. More information on the consequences and financial value of hacked accounts can be read online.
In a phishing attack, a user or business is typically compromised by clicking a website link, opening an attachment such as a document or file, or even downloading a picture. Phishing emails appear genuine at first glance to entice you in; this method is referred to as social engineering. The scammer relies on the fact that you trust a certain company and will open and click on links in an email that appears to come from them. Common phishing emails appear to come from HMRC, TV Licensing, Netflix, banks, or even a supplier to your business, and other generic phishing scams involve a fake promise of prize money, for example. See our phishing advice on what to be wary of.
Private email accounts can also be compromised because another website or service the user uses was compromised in the past and the user has the same password for both services. Further information on password security can be found on the National Cyber Security website.
You can check whether the email address you use has ever appeared in data leaked online via the free search service at https://haveibeenpwned.com/
Real-life email compromise scenarios
The following articles are examples of real-life scenarios. They put into perspective the small inconvenience of updating passwords and reviewing your security against the potentially disastrous fallout from a cyber incident.
- Twitter hack: Staff tricked by phone spear-phishing scam
- Coronavirus: How hackers are preying on fears of Covid-19
- Canadian university loses $10m in phishing scam
- Some people would literally just tell a stranger their passwords!
Email compromise prevention
Email compromise can be prevented through good password management and account protections.
- Implement strong passwords as outlined in the three random words guidance.
- Enable two-factor authentication where possible.
- Make all staff aware of phishing attacks, especially in high-risk areas such as finance or approval positions.
- Consider logging and alerts for irregular password change attempts.
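The credential stuffing and password spraying attacks described earlier, and the logging and alerting advice above, share one defensive point: both attacks leave a pattern in sign-in logs (one source failing against many different accounts, a success from that same source, and then a burst of password-change attempts on the account that was taken over). The script below is an added example written for this page, not code from the original article or from any product it mentions. The `ts key=value` log format and the thresholds (five accounts within an hour, three password-change attempts within fifteen minutes) are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""Spot password spraying / credential stuffing and password-change bursts in
constructed sign-in logs. Added example; the log format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source fails against five accounts, succeeds on a
# sixth, then hammers that account's password-change function. A legitimate
# user (alice) mistypes once from her own address and then signs in normally.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z event=login user=alice@example.org src=203.0.113.5 result=fail
2021-03-01T08:00:09Z event=login user=bob@example.org src=203.0.113.5 result=fail
2021-03-01T08:00:17Z event=login user=carol@example.org src=203.0.113.5 result=fail
2021-03-01T08:00:25Z event=login user=dave@example.org src=203.0.113.5 result=fail
2021-03-01T08:00:33Z event=login user=erin@example.org src=203.0.113.5 result=fail
2021-03-01T08:00:41Z event=login user=frank@example.org src=203.0.113.5 result=success
2021-03-01T08:05:00Z event=password_change user=frank@example.org src=203.0.113.5 result=success
2021-03-01T08:06:00Z event=password_change user=frank@example.org src=203.0.113.5 result=fail
2021-03-01T08:07:00Z event=password_change user=frank@example.org src=203.0.113.5 result=fail
2021-03-01T09:00:00Z event=login user=alice@example.org src=198.51.100.7 result=fail
2021-03-01T09:00:30Z event=login user=alice@example.org src=198.51.100.7 result=success
2021-03-01T12:00:00Z event=login user=grace@example.org src=192.0.2.10 result=success
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse all non-empty lines and return them sorted by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, min_accounts=5, window=timedelta(hours=1)):
    """Flag sources whose failed logins hit at least min_accounts distinct
    accounts inside one time window. Many accounts, few attempts each, one
    source is the signature of spraying and stuffing; per-account lockout
    thresholds never fire because each account sees only one or two failures."""
    failures = defaultdict(list)
    for e in events:  # events are time-sorted, so each list stays sorted
        if e["event"] == "login" and e["result"] == "fail":
            failures[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


def successes_from_spray_sources(events, flagged):
    """Successful logins from a flagged source: the accounts the spray found.
    These are the ones to reset and investigate first."""
    return [(e["user"], e["src"]) for e in events
            if e["event"] == "login" and e["result"] == "success"
            and e["src"] in flagged]


def password_change_bursts(events, min_attempts=3, window=timedelta(minutes=15)):
    """Accounts with at least min_attempts password-change attempts (any
    result) inside one window: the 'irregular password change attempts' alert."""
    changes = defaultdict(list)
    for e in events:
        if e["event"] == "password_change":
            changes[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in changes.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_attempts:
                bursts[user] = count
                break
    return bursts


def run(text=SAMPLE_LOG):
    """Run all three checks over a log and return their findings."""
    events = parse_log(text)
    flagged = detect_spray(events)
    return {
        "spray_sources": flagged,
        "suspicious_successes": successes_from_spray_sources(events, flagged),
        "password_change_bursts": password_change_bursts(events),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

On the sample log, only 203.0.113.5 is flagged (five distinct accounts in under a minute), frank's account is reported as the success from that source, and his three password-change attempts in two minutes trip the burst alert; alice's single failure from her own address is not flagged. In a real deployment the thresholds would be tuned to the organisation's normal failure rate, and the same logic would run over the sign-in audit log exported from the email service.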
Password security should be top of everyone’s priority list. A strong password makes it much harder for a hacker to guess or crack your password and gain access to your online accounts and services. More information on what makes a good password can be found in our password patch and prepare campaign. Of course, the longer and more complex your passwords are, the more difficult they become to remember without writing them down. Writing them down in a notebook or diary is not a secure way to store them either, which is where a password manager or similar solution can be very helpful. More information on password managers and how they can help you can be found on the NCSC website.
Two-factor authentication or Multi-factor authentication
This is now available for email services such as Gmail to add extra security to your inbox. You enter your normal sign-in details and then verify them with a code sent to you by the service provider, for example by SMS text message. Most mobile devices also use this type of authentication in various ways, such as fingerprint or facial recognition, and it is a very good way of protecting both your device and all the accounts on it. More information can be found here: www.nicybersecuritycentre.gov.uk/mobile-device-security-support-hub
Educate your employees
Businesses must take the time to educate their employees about security measures and how to avoid the various types of attack. The damage caused by attacks on businesses can be massive, especially given the amount of sensitive customer information they are responsible for. A business should also make staff aware of its password policy and provide them with appropriate password guidance.