Yesterday I was contacted by another IT service provider asking how to deal with a business email compromise (BEC): an attack in which a hacker gains control of an email inbox. Typically the hacker gets into the mailbox of a leader in the organization (the CEO, COO or CFO), sends emails as that leader instructing staff to make financial transfers, and sets up automatic forwarding of the mailbox to an outside address so they can follow the conversation while hiding their activity. I know first hand of organizations being tricked into transferring anything from $10,000 to $500,000 after hackers gained access to email!
Fortunately, there are some things we can do to help prevent falling victim to email hacking:
1.) Always use multifactor authentication (MFA)/two-factor authentication (2FA) for email accounts.
If a user is tricked into handing over their username and password, it is still difficult to log into their account if MFA is enabled. MFA also blunts credential stuffing (sometimes called "password stuffing"), where passwords leaked in earlier data breaches at big companies are tried against the matching email addresses. MFA only helps if there is no way around it, so legacy protocols like IMAP and POP with basic authentication, which do not support MFA/2FA, need to be disabled.
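As an added example (not code from the original post), the following Exchange Online PowerShell closes the legacy-protocol gap described above: it creates an authentication policy that rejects basic authentication for IMAP, POP and the other legacy endpoints, makes it the tenant default, turns IMAP/POP off on user mailboxes, and then reports any mailbox that still has them enabled. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the policy name is constructed. Enforcing MFA itself is done in Azure AD (Security Defaults or Conditional Access) and is not shown here.

```powershell
# Added example: block basic authentication for legacy mail protocols in
# Exchange Online so that MFA cannot be bypassed. Assumes the
# ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Create an authentication policy. A new policy blocks basic auth for every
#    protocol by default; the explicit switches document the intent.
$policyName = "Block Basic Auth (IMAP/POP/SMTP)"   # constructed policy name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthOutlookService:$false

# 2. Make it the tenant default so every mailbox inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. Belt and braces: turn IMAP and POP off entirely on user mailboxes.
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-CASMailbox -Identity $_.UserPrincipalName -ImapEnabled $false -PopEnabled $false
    }

# 4. Verify: list any mailbox that still has IMAP or POP enabled.
Get-EXOCASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
```

Run the verification step again after the policy has had time to propagate; an empty result is what you want. Any mailbox that genuinely needs IMAP (a scanner or line-of-business application, for instance) should get a dedicated policy and a modern-auth client rather than an exception to the default.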
2.) Require admin approval for email API use.
I’ve seen many newer BEC attacks try to get the user to grant API permissions to hackers (often called OAuth consent phishing). A phishing email asks the user to log into Google Apps/Office 365; when they do, the sign-in page is really a consent prompt, and accepting it grants a hacker-controlled application access to the mailbox. That lets the hackers run a BEC that bypasses usernames, passwords, and MFA/2FA, because the app token is valid on its own. For this reason, end users should not be able to grant API permissions themselves or, better yet, when they attempt to grant API permission to an unknown service, the request should escalate to an administrator who checks whether or not the service is legitimate.
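An added example, not code from the original post, showing the two halves of this control in a Microsoft 365 tenant with the Microsoft Graph PowerShell SDK: first remove every user-consent permission grant policy so users can no longer consent to applications on their own (requests then have to go through an administrator), and second audit the grants that already exist, flagging user-consented apps that hold mail-related scopes, which is exactly what consent phishing produces. It assumes a Global Administrator or Privileged Role Administrator account; the list of scopes treated as risky is a constructed starting point.

```powershell
# Added example: disable end-user consent to applications in Azure AD and
# audit the OAuth grants that already exist. Assumes the Microsoft.Graph
# PowerShell SDK and a sufficiently privileged admin account.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# 1. With no permission-grant policies assigned to the default user role,
#    users cannot consent to any app themselves; an admin must approve.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 2. Audit existing grants. ConsentType 'Principal' means an individual user
#    consented (as opposed to an admin consenting for the whole tenant).
#    Constructed list of scopes that give an app control of a mailbox:
$mailScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
              'MailboxSettings.ReadWrite', 'offline_access'

Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        $granted = $_.Scope -split ' '
        $risky   = $granted | Where-Object { $mailScopes -contains $_ }
        if ($risky) {
            $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
            [pscustomobject]@{
                App       = $app.DisplayName
                Publisher = $app.PublisherName
                Verified  = [bool]$app.VerifiedPublisher.VerifiedPublisherId
                UserId    = $_.PrincipalId
                Scopes    = ($risky -join ' ')
            }
        }
    } | Format-Table -AutoSize
```

Anything in the audit output from an unverified publisher that the business cannot vouch for should be treated as a suspected compromise: revoke the grant, reset the user's sessions, and review the mailbox for forwarding rules. The admin consent request workflow (so users can ask for approval rather than simply being refused) is enabled separately in the Azure AD portal under Enterprise applications.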
3.) Pick up the phone and call the person who sent the email.
One of the best ways to prevent a BEC-based attack from actually stealing any money is to put a management policy in place that requires phone or in-person approval for a transfer. There was a recent case of hackers managing to fool an employee into believing a computer-generated voice was their boss approving a transfer; however, the majority of attacks are not this sophisticated, and a quick phone call to a known number (not one taken from the suspicious email) would reveal that a BEC has occurred and that professional IT security expertise is needed to resolve it.
4.) Don’t allow emails to be automatically forwarded outside the organization.
A BEC almost always relies on auto-forwarding emails, so disabling auto-forwarding at the administrative level, and adding email server rules that intercept messages that are being auto-forwarded, keeps a BEC attack from getting very far, particularly if alerting is enabled when auto-forwarding is attempted. Microsoft recently introduced ATP outbound spam policies that block auto-forwarding, but it’s still a good idea to block it in Exchange as well and to re-route anything that does get auto-forwarded outbound.
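As an added example (not code from the original post), this Exchange Online PowerShell applies the layers just described: the outbound spam policy setting that turns external auto-forwarding off, a mail flow rule as a second layer that rejects any auto-forwarded message leaving the organization, and then the hunting side, which lists inbox rules and mailbox-level settings that forward or redirect mail and pulls the recent audit-log events that should feed an alert. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the rule name, reject text and seven-day window are constructed.

```powershell
# Added example: block outbound auto-forwarding in Exchange Online, intercept
# anything still forwarded, and hunt for forwarding left behind by a BEC.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Outbound spam policy: disable automatic forwarding to external recipients.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mail flow rule as a second layer: reject auto-forwarded mail that is
#    addressed outside the organization. (Name and reject text are constructed.)
$ruleName = "Block external auto-forward"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -MessageTypeMatches AutoForward `
        -SentToScope NotInOrganization `
        -RejectMessageReasonText "Automatic forwarding outside the organization is not permitted." `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# 3. Hunt: inbox rules that forward or redirect. Rule names are no guide, so
#    match on the action the rule takes.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$findings = @(foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
})

# 4. Hunt: forwarding configured on the mailbox itself rather than in a rule.
$findings += @($mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object @{n = 'Mailbox'; e = { $_.UserPrincipalName }},
                  ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward)

$findings | Format-Table -AutoSize

# 5. Alerting input: who created or changed rules or forwarding recently, and
#    from which IP? ClientIP lives inside the AuditData JSON payload.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox `
    -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
                  @{n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP }}
```

Steps 3 to 5 are what to run on day one of an incident as well as on a schedule: a rule-creation event from an unfamiliar IP, or a forwarding destination at a free webmail domain, is the kind of finding that should page someone rather than wait for a weekly report.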
Looking for help dealing with hacked email?
GeekOut Technologies puts policies and procedures in place for our clients that help prevent business email compromises and has helped organizations recover from having their email systems hacked. Call or email us today to discuss securing and protecting your email systems.