Email Account Takeover is one of the most profitable cybersecurity threats for criminals and, as a result, has become increasingly common. In fact, according to Agari, email account takeover has seen a 126 percent increase month-to-month since the beginning of 2018. Agari also indicates that 44 percent of businesses reported being victims of targeted email attacks. Regardless of the type of email system, whether it is hosted in-house or in the most robust cloud solution available, the level of vulnerability and the ease with which a user can fall victim to this threat tend to remain consistent.
As one might suspect, passwords are often the weakest link in email security. They are usually obtained through traditional means such as social engineering, malware, buying passwords off the deep web, or users simply reusing the same passwords for different sites or applications. Once passwords are compromised, hackers then use that opportunity to watch and monitor email usage to determine and ultimately target the best ways to profit from this access. This happens by emailing malware from a known user account within a legitimate contact list, sending a payment request for seemingly business-related items or services, or requesting another user’s passwords. Unfortunately, criminals are displaying endless levels of creativity in executing their fraudulent activity.
The Impact of Email Account Takeover
Email account takeover attacks are particularly dangerous (and very effective) because they often originate through emails from trusted senders. Because there is a pre-existing trust relationship with the sender, the attack is then more likely to succeed. In addition, since the attack originates from a legitimate account, it often goes undetected by traditional security controls.
When email account takeover attempts are successful, not only are the user and the organization directly impacted, but the losses and hardships extend far beyond those tied to that individual account. Account takeover puts a significant strain on customer and member relationships and can result in long-term damage to a financial institution’s brand and reputation.
Imagine an email with embedded malware being sent to all of your customers or business partners. This has the potential to infect hundreds of customers’ machines. Now imagine $10,000 being wired to a rogue account based on an email that included the correct language and information; or all of your employees receiving emails from your network administrator requesting they confirm their passwords. These are not hypothetical situations, but rather real-life examples that have all happened multiple times, regardless of industry or location.
How to Mitigate Email Account Takeover
Many banks and credit unions have realized that simply having the correct username and password is no longer enough to ensure a truly secure email account. Successful email account takeover attacks reveal a lack of adequate protection which, when recognized, can be corrected. Some proven methods to effectively prevent an attack include the following.
Increasingly, banks and credit unions are recognizing employee training as an important security mechanism and prevention protocol. Employees who are not adequately trained on how to properly use email, including email attachment protocols, how to deal with unknown senders, and how to spot suspicious emails, can quickly become a top vulnerability and security threat for their institutions. Training for all employees—from tellers and loan officers up to the President and CEO—is critical.
Remembering all of the passwords required to secure daily activities has become a tall order, one which often results in employees using the same password (or a limited set of passwords) for all accounts. This is not a good idea because, once your password is compromised in one place, you are then immediately vulnerable in multiple places. Whenever possible, one should randomly generate a unique password for each program or site that they use.
Community banks and credit unions can leverage an outside security company to conduct security training and checks to verify exactly how their employees interact with suspicious emails. This allows network administrators to evaluate different levels of risk based on whether an employee a) ignored the email, b) opened the email, or c) clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.
Stop Email Account Takeover Attacks with Multifactor Authentication
A proven way to protect your bank’s email system is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.
While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process are: something the user knows, like a password or PIN; something the user possesses, like a smart card, token or mobile phone; and something the user is (i.e., biometrics), such as a fingerprint or retina scan.
Many of our customers rely on Safe Systems’ SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When employees log in to their email account, they must first type in their username and password. Then, as a second factor, they use a mobile authentication app, which generates a code or PIN to enter on the screen, and only then are they given access to the account. If you or your employees don’t have a smartphone, that’s OK. Microsoft provides multiple ways to implement their multifactor solution. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts — even if a password or security answer is stolen.
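The login flow described above, sketched as an added example that is not code from this article, Safe Systems or Microsoft: it shows why a stolen password alone fails once a time-based code is required. It assumes the authenticator app produces standard RFC 6238 (TOTP) codes; the `Mailbox` class, the salt and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (common authenticator default)
DIGITS = 6

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Mailbox:
    """Hypothetical account record: password hash, TOTP secret, replay guard."""

    def __init__(self, password: str, secret: bytes):
        self.salt = b"constructed-salt"         # constructed sample value
        self.pw_hash = self._hash(password)
        self.secret = secret                    # shared with the app at enrolment
        self.last_counter = -1                  # highest time step already used

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: int) -> bool:
        # Factor 1: something the user knows.
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False
        # Factor 2: something the user possesses. Accept the current step and
        # one step either side to tolerate clock drift on the phone.
        for counter in (now // STEP + d for d in (0, -1, 1)):
            if counter <= self.last_counter:
                continue                        # step already used: no replays
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False
```

The replay guard matters for the scenario in this article: a code phished from a user moments after they used it is rejected even though it is still inside its 30-second window.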
For such a seemingly simple act, account takeover presents significant reputation risk and financial risk to your institution, but by ensuring that your bank or credit union adopts proven strategies to counter it, and remains diligent in performing them, it is a threat that can be prevented.