Business email compromise seems to happen as often as the common cold— and yet it can lead to large financial losses, reputational damage, and more. In fact, the FBI found that business email wire fraud cost companies $26 billion from 2016 – 2019. Learn why criminals break into email accounts, how to prevent business email compromise and what to do if your business’s email gets hacked.

WHY DO CRIMINALS HACK YOUR BUSINESS EMAIL ACCOUNT?

Your data is worth $$. Business email accounts are potential gold mines. Your emails contain valuable data, such as Social Security Numbers, passwords, credit-card numbers, and other details that can be sold for money on the dark web. In some cases, criminals copy entire accounts of correspondence, which can later be used for ransom or political gain.

Business email compromise is step one for financial fraud. Often, criminals hack into a business email account in order to commit financial fraud. For example, a criminal might break into an email account and then immediately search for data that could easily be monetized (such as invoices or wire transfer instructions). Next, the criminal creates a fake invoice or wire transfer notification to redirect the funds, and then waits for the money to arrive. Sophisticated criminals add mail filtering rules that lengthen the time to discovery.

Your contacts become the next Victims. Once criminals break into an email account, they often made a point of targeting related accounts, such as co-workers, clients, or anyone listed as a contact.

HOW DO CRIMINALS GET ACCESS TO YOUR BUSINESS EMAIL ACCOUNT?

In recent years, email has moved to the cloud, enabling users (and criminals) to access email from anywhere in the world. Here are three ways that criminals get access to your email:

  • Infect your computer: Criminals infect your computer by enticing you to click on a link or open a malicious attachment. When you do, your computer may be infected with malware that monitors your keystrokes or steals your login information when you submit a web form.
  • Fake a website: Criminals may set up fake web sites that look just like your email provider, bank or other common web service. Then, they trick you into visiting the web site, using phishing emails or other methods. When you type your password into the fake web site, they capture it and use it to login to your accounts.
  • Buy your password on the dark web: There have been so many data breaches that billions of passwords are available for sale on the dark web. If your password was stolen in the past, it may be sold on the dark web to others who will use it to login to your accounts.

EMAIL HACKS CAN BE DATA BREACHES

In addition to financial fraud, extortion, reputational damage and more, an email account break-in may “count” as a data breach. If an attacker had access to confidential information, you may be required to notify the data subjects and report a breach under state or federal law, depending on the contents of your email.

PROTECT YOUR ACCOUNTS FROM BUSINESS EMAIL COMPROMISE

You can protect your email (and other data online) using strong passwords and login security. First, here are a few important terms to know:

  1. Authentication: A method for verifying a person’s identity. For example, I might tell my computer that I am “jsmith,” and I prove my identity by typing in a password.
  2. Verification: There are three different ways that you can verify that you are who you say you are:
    • Something you know (for example, a password).
    • Something you have (for example, a key).
    • Something you are (for example, a fingerprint).
  3. Two-Factor Authentication: Verifying a person’s identity using two methods combined.
  4. Password Managers: A smart way to remember strong passwords is to not remember them at all! A password manager is a secure software that stores your passwords in an encrypted vault on your computer, or in the cloud. Watch our video tutorials for advice on setting up and using password managers and two-factor authentication.

TIPS FOR STRONG PASSWORDS AND LOGIN SECURITY

DO

  1. Use Two-Factor Authentication! It’s easy to set up with many providers, such as Office365 and Google.
  2. Pick Strong Passwords- Choose a password that is long- at least 14 characters or more. Use a passphrase (a sentence fragment, song lyrics, etc.) to help you remember it.
  3. Use a Password Manager Program to store your passwords securely, so you don’t have to remember them all. Popular options include LastPass and KeePass.

DON’T

  1. DON’T Share Your Password with anyone—not friends, co-workers, vendors, or even IT staff.
  2. DON’T Re-use Important Passwords. Avoid using the same password for multiple different websites or services. Never re-use personal passwords for work, or vice versa.
  3. DON’T Write Your Password Down on Paper, unless it’s secured in a locked location.
  4. DON’T Store Passwords in Files on Your Computer.

WHAT TO DO IF YOUR EMAIL GETS HACKED

  • Reset your password.
  • If possible, activate two-factor authentication.
  • Place a legal hold on any mailboxes that you suspect may have been compromised, to preserve all emails. That way you can conduct an inventory and evaluate any data that may have been exposed.
  • Preserve logs immediately. Export and make copies of any logs that might show who logged into your email account, where they logged in from, or what they did. This can potentially help you narrow down the scope of the incident.
  • Call for professional help. Business email compromise can trigger breach notification laws, and lead to fraud and other crimes. Act quickly and get experienced guidance when you need it.

Contact us if you need help implementing policies to prevent business email compromise or help recovering and minimizing damage from an email breach.