How to Prevent Business Email Compromise & What To Do If You Get Hacked

Business email compromise seems to happen as often as the common cold— and yet it can lead to large financial losses, reputational damage, and further attacks on your customers and partners. In fact, the FBI recently shared that damages reached $43 billion in business email compromise “identified global exposed losses” (a term that includes attempted and actual losses) between July 2019 and December 2021. This represents a 65% increase during this reporting period.

In this blog, we will focus more on what YOU can do to reduce your organization’s risk from business email compromise. We’ll look at why criminals break into email accounts, how to prevent business email compromise and what to do if your business’s email gets hacked. For more tips on how organizations can reduce the risk of business email compromise, read this blog.

Why Do Criminals Hack Your Business Email Account? 

• Your data is worth $$. Business email accounts are potential gold mines. Your emails contain valuable data, such as Social Security Numbers, passwords, access to other environments, credit-card numbers, and other details that can be sold for money on the dark web. In some cases, criminals copy entire accounts of correspondence, which can later be used for extortion or data mining.
• Business email compromise is the first step in financial fraud. Often, criminals hack into a business email account in order to commit financial fraud. For example, a criminal might break into an email account and then immediately search for data that could easily be monetized (such as invoices or wire transfer instructions). Next, the criminal creates a fake invoice or wire transfer notification to redirect the funds, and then waits for the money to arrive. Sophisticated criminals add mail filtering rules that lengthen the time to discovery.
• Your contacts become the next victims. Once criminals break into an email account, they often make a point of targeting related accounts, such as co-workers, clients, or anyone listed as a contact.

How Do Criminals Get Access to Your Business Email Account? 

Here are three ways that criminals get access to your email:

• Infect your computer: Criminals infect your computer by enticing you to click on a link or open a malicious attachment. When you do, your computer may be infected with malware that monitors your keystrokes or steals your login information when you submit a web form.
• Fake (spoof) a website: Criminals may set up fake web sites that look just like your email provider, bank or other common web service. Then, they trick you into visiting the web site, using phishing emails or other methods. When you type your password into the fake web site, they capture it and use it to login to your accounts.
• Buy your password on the dark web: There have been so many data breaches that billions of passwords are available for sale on the dark web. If your password was stolen in the past, it may be sold on the dark web to others who will use it to login to your accounts.

Email Hacks Can Be Data Breaches 

In addition to financial fraud, extortion, reputational damage and more, an email account break-in may “count” as a data breach. If an attacker had access to confidential information, you may be required to notify the data subjects and report a breach under state or federal law, depending on the contents of your email.

Protect Your Accounts From Business Email Compromise 

You can protect your email (and other data online) using strong passwords and login security. First, here are a few important terms to know:

1. Authentication: A method for verifying a person’s identity. For example, I might tell my computer that I am “jsmith,” and I prove my identity by typing in a password.
2. Verification: There are three different ways that you can verify that you are who you say you are:
   • Something you know (for example, a password).
   • Something you have (for example, a key).
   • Something you are (for example, a fingerprint).
3. Multi-Factor Authentication (MFA): Verifying a person’s identity using two or more methods combined. Read our MFA tip sheet for more details.
4. Password Managers: A smart way to remember strong passwords is to not remember them at all! A password manager is a secure software that stores your passwords in an encrypted vault on your computer, or in the cloud. Watch our step-by-step video tutorials on setting up and using multi-factor authentication for Google, Microsoft, or Duo.
5. Educate your employees and community on how to avoid business email compromise: This can help prevent supply chain attacks and keep your organization, as well as your customers and partners, safe! We have created a free tip sheet on preventing business email compromise that you can share with your entire community!

Tips for Strong Password and Login Security 

Here’s how you can help reduce your organization’s risk of business email compromise:

DO

1. Use Multi-Factor Authentication! It’s easy (and often free) to set up with many providers, such as Office365 and Google.
2. Pick Strong Passwords. Choose a password that is long- at least 14 characters or more.
3. Use a Password Manager Program to store your passwords securely, so you don’t have to remember them all.

DON’T

1. DON’T Share Your Password with anyone—not friends, co-workers, vendors, or even IT staff.
2. DON’T Re-use Important Passwords. Avoid using the same password for multiple different websites or services. Never re-use personal passwords for work, or vice versa.
3. DON’T Write Your Password Down on Paper, unless it’s secured in a locked location.
4. DON’T Store Passwords in Files on Your Computer.

What To Do If Your Email Gets Hacked 

• Immediately reset your email password. Consider resetting other passwords, too, just in case a criminal was able to steal your other credentials.
• If possible, activate multi-factor authentication right away.
• Preserve records immediately. Export and make copies of any logs that might show who logged into your email account, where they logged in from, or what they did. This can potentially help you narrow down the scope of the incident.
• Call for professional help. Business email compromise can trigger breach notification laws, and lead to fraud and other crimes. Act quickly and get experienced guidance when you need it.

We hope you found this information helpful! Please contact us if you need help implementing policies to prevent business email compromise or help recovering and minimizing damage from an email breach.