We asked Todd Gifford, our resident Information Security expert, for his take on the risks posed to small and medium-sized businesses (SMEs) from email system hijacking (otherwise known as Business Email Compromise). Here’s what he had to say on this growing security threat:
“I’ve spoken with a number of different organisations in the past month who have fallen victim to having their email systems hijacked. The one thing they have all had in common is that they first became aware of it when their ISP notified them that they were going to be blacklisted. For one of those organisations, being blacklisted meant having no access at all to their email for several weeks, a situation that caused many challenges for the day-to-day operation of their business.”
WHY WOULD SOMEONE HIJACK AN EMAIL SYSTEM?
Hijacked email systems are mostly used for sending out spam emails and phishing campaigns, with the aim of gathering personal and account information that can then be used for fraud. Compromised email systems can also be used as springboards for other attacks from within the network.
Is it a serious issue? Here are the stats:
- 75% of businesses that were victims of hacking report fraudulent emails (Cyber Security Breaches Survey 2018)
- 55% of emails received in 2018 were categorized as spam (Symantec)
- Half of all cyberattacks in the UK involve phishing (PWC)
- 22% of employers in the UK don’t train their staff to spot email attacks (Hubspot)
With so many email attacks taking place every day, and so few employees trained to recognise when their email has been hijacked, it’s no wonder so many cybercriminals attempt to hack email systems. Should a hacker succeed in hijacking an email system, they could have instant access to personal, sensitive or confidential information and to passwords stored in the mail system, as well as the ability to read new incoming and outgoing emails.
The uses for such information are limitless. Mostly, hackers want valuable information, such as credit card details, company bank passwords, account passwords and identity information. This allows them to do anything from stealing company money to carrying out financial transactions in the company’s name or stealing an employee’s identity.
For those businesses working in industries where privacy is of the utmost importance, successful hackers can hold companies to ransom for the return of the information they have stolen.
WHY HACK A WEBSITE AS WELL?
The most common reasons for hijacking websites include stealing confidential data, such as account information and credit card numbers, and spreading malicious software. There have been several high-profile cases of this kind of attack in the news recently.
Some hackers also hack company websites simply to prove themselves to their hacking community or make a name for themselves. There doesn’t always have to be a reason for hacking. Sometimes it’s just showing off. Other hackers have been known to hack government websites, purely to show the government how weak their security software is.
Ultimately, it’s likely that the reason your site is hacked is to make some form of monetary gain. With the sheer amount of information that can be stolen through your website, a hacker could steal the company’s money or take out a loan in a matter of hours.
WHY WOULD YOUR BUSINESS BE A TARGET?
The majority of small and medium-sized organisations don’t have mature Information Security practices and are vulnerable to attack as a result. Many on-site email systems are exposed directly to the internet and, if not properly maintained, can be easy targets. Hackers use sophisticated automated tools to find and attempt to exploit these vulnerabilities.
One big mistake many SMEs make is believing they’re too small for hackers to care about. This may be true, but hackers will often leverage the server resources of several websites at once to make the significant impact they’re aiming for. Your website may not be the primary target: it could be another website hosted by the same provider, or one of several websites sharing the same server.
Don’t let your small site become one of several victims in one big hack.
Let’s not forget the primary motivator for hackers: Money!
The majority of hackers are criminals who are merely trying to monetise you in some way. One of the easiest ways of doing that is simply asking for money. Getting access to your email, pretending to be an employee, accessing or changing invoices, or simply impersonating the Finance Director or MD and asking for a money transfer are all easy and very common ways of using a compromised email platform or account to extract money from you or one of your customers.
WHAT ARE THE COMMON TYPES OF EMAIL HIJACKING?
Email hijacking can be executed in several ways; most commonly, hackers use identity theft, phishing, viruses and spam emails to seize an email system. A common factor is staff members falling victim to a phishing attack, often a prompt to change a password that is really a way of collecting users’ login details.
Without an appropriate second level of security (also known as second-factor or multi-factor authentication), remote access to cloud-based email is very easy for attackers to accomplish.
Identity Theft
The majority of companies today use software such as Microsoft 365, G-Suite and other Cloud services. This has made email hacking much simpler for cybercriminals, as users’ information and sensitive data have been centralised into these pieces of software.
When a single email address is used to control and access multiple accounts across lots of different applications, a hacker who compromises that email address gains access to vast amounts of personal data, passwords, private information and more. With this information, they can steal the individual’s identity, steal money, buy goods, take out loans and much more.
Email Phishing
Email phishing is one of the most popular methods of email hijacking. Cyber attackers have been phishing ever since email systems were created and it is a tried and tested method for hacking. Phishing includes several different techniques that are effective for hacking an email system.
The majority of phishing attacks are sent by email. The attacker will create and register a fake domain that mimics a genuine organisation. They will then send thousands of generic requests via email to prospective victims. Spotting a fake domain is not always easy; sometimes the difference is just one letter, which is enough to fool an untrained eye.
They can also use the company name in their email address, hoping that unsuspecting victims don’t notice that the email address is not from an official employee. For example, an email might be received from [email protected] or simply appear as ‘HSBC’.
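The two tricks just described, a domain that is one letter off a genuine one and a trusted brand name used in the display name or local part with an unrelated domain, can both be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example, not code from the original article or from Optimising IT; the trusted-domain list, the brand list and the sample `From:` headers are constructed for the demonstration, and the edit-distance threshold of 2 is an assumption you would tune for your own domains.

```python
"""Classify a From: header as trusted, lookalike, brand-impersonation or unknown.

Added example (not from the original article). TRUSTED_DOMAINS, PROTECTED_BRANDS
and the sample headers are constructed for the demo.
"""
from email.utils import parseaddr

# Constructed: domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"hsbc.co.uk", "optimising-it.co.uk", "microsoft.com"}
# Constructed: brand names that should only ever arrive from a trusted domain.
PROTECTED_BRANDS = {"hsbc", "microsoft"}
# Assumption: a sender domain within this many single-character edits of a
# trusted domain is treated as a lookalike ("hsbc.c0.uk", "rnicrosoft.com").
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def classify_sender(from_header: str,
                    trusted=TRUSTED_DOMAINS,
                    brands=PROTECTED_BRANDS) -> str:
    """Return 'trusted', 'lookalike', 'brand-impersonation' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    # Near-miss domain: a small number of edits away from a domain we trust.
    if domain and any(levenshtein(domain, t) <= MAX_EDITS for t in trusted):
        return "lookalike"
    # Protected brand in the display name or local part, but not from a trusted domain.
    haystack = f"{display} {addr}".lower()
    if any(brand in haystack for brand in brands):
        return "brand-impersonation"
    return "unknown"


# Constructed sample headers, as they might appear in a mailbox.
SAMPLE_HEADERS = [
    "HSBC Alerts <alerts@hsbc.co.uk>",
    "HSBC Online <security@hsbc.c0.uk>",
    "Microsoft Account Team <noreply@rnicrosoft.com>",
    "HSBC <hsbc-customer-care@mail-relay.example>",
    "HSBC",
    "Bob Smith <bob@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):<20} {header}")
```

The edit-distance check deliberately ignores the display name, because anyone can set that to anything; the brand check is the fallback for the "simply appear as 'HSBC'" case, where there may be no address at all. Keep the threshold low and the trusted list short: with very short domains, a distance of 2 starts matching unrelated legitimate senders.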
Virus
A virus is often concealed within a downloadable attachment. The email received will appear to be official and from an organisation you’re connected to, and it will ask the recipient to download an attachment. An email carrying a virus is rarely just trying to hack an email system: once downloaded, a virus will spread quickly and can compromise an organisation’s entire system within minutes. Training employees on how to spot these emails and avoid downloading attachments is critical for preventing viruses.
Spam
Some people believe spam to be just annoying or repetitive emails from companies that have collected their email address either directly or indirectly. But, in the world of cybersecurity, spam is much more than just annoying emails. If an attacker can compromise a company’s email system, they can use newsletters containing thousands or millions of subscribers to spread phishing scams or viruses in an instant.
Spam emails can come from legitimate company email addresses and look just like a regular email, making them very dangerous. The consequences for the company’s customers and for the company itself are severe and can lead to complications with internet service providers and questioning from governing authorities. At their worst, spam can cause a company to stop all operations until the issue is resolved.
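The organisations in the opening quote only learned of the compromise when their ISP threatened to blacklist them, which means the outbound spam had been flowing for some time unnoticed. A compromised account sending to thousands of recipients looks very different from normal staff usage in the mail server's own logs, and that is something you can alert on yourself. The following is an added example, not code from the original article or from Optimising IT; the log format and the sample lines are constructed (real mail servers log in their own formats), and the per-hour recipient ceiling is an assumed threshold.

```python
"""Flag accounts whose outbound recipient count spikes within an hour.

Added example (not from the original article). The log line format
"<ISO timestamp> from=<address> rcpt_count=<n>" and the sample lines are
constructed; adapt parse_log() to your own mail server's outbound log.
"""
from collections import defaultdict

# Constructed sample: alice behaves normally, bob's account starts bulk-sending at 09:xx.
SAMPLE_LOG = """\
2024-03-04T08:01:10 from=alice@example.co.uk rcpt_count=1
2024-03-04T08:14:52 from=alice@example.co.uk rcpt_count=3
2024-03-04T08:40:07 from=bob@example.co.uk rcpt_count=2
2024-03-04T09:02:31 from=bob@example.co.uk rcpt_count=40
2024-03-04T09:03:05 from=bob@example.co.uk rcpt_count=45
2024-03-04T09:03:41 from=bob@example.co.uk rcpt_count=50
2024-03-04T09:10:19 from=alice@example.co.uk rcpt_count=1
"""

# Assumption: no legitimate user here addresses more than this many recipients per hour.
MAX_RECIPIENTS_PER_HOUR = 50


def parse_log(text: str) -> list[tuple[str, str, int]]:
    """Turn log lines into (hour_bucket, sender, recipient_count) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, rest = line.split(" ", 1)
        fields = dict(part.split("=", 1) for part in rest.split())
        hour_bucket = timestamp[:13]          # "2024-03-04T09"
        records.append((hour_bucket, fields["from"].lower(), int(fields["rcpt_count"])))
    return records


def recipients_per_sender_hour(records) -> dict[tuple[str, str], int]:
    """Sum recipients addressed by each sender in each hour bucket."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for hour_bucket, sender, count in records:
        totals[(sender, hour_bucket)] += count
    return dict(totals)


def flag_spikes(records, ceiling: int = MAX_RECIPIENTS_PER_HOUR) -> list[tuple[str, str, int]]:
    """Return (sender, hour_bucket, total) for every sender-hour over the ceiling."""
    totals = recipients_per_sender_hour(records)
    return sorted((sender, hour, total)
                  for (sender, hour), total in totals.items()
                  if total > ceiling)


if __name__ == "__main__":
    for sender, hour, total in flag_spikes(parse_log(SAMPLE_LOG)):
        print(f"ALERT {sender} sent to {total} recipients in hour {hour}")
```

Run this against the previous day's outbound log on a schedule, or feed the same aggregation to your SIEM. A hit is a prompt to reset the account's credentials, check its mailbox for forwarding rules the user did not create, and enable multi-factor authentication, well before an ISP gets involved.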
HOW CAN YOU PROTECT YOUR BUSINESS?
The UK Cyber Essentials scheme – which lays out the basic measures you need to put in place to help protect your organisation from cyber threats – highlights the top 5 ‘must-do’ activities that can immediately help protect your information and systems:
- Install boundary firewalls and internet gateways
- Implement secure configuration
- Implement access control
- Install malware protection
- Implement patch management
One way we have been helping our clients improve their email system security is by removing their reliance on on-site email servers, and therefore the need to patch and protect them. There are excellent cyber security capabilities available in the Microsoft 365 suite, including in-built advanced filtering and multi-factor authentication capabilities.
Optimising IT are a cyber-focussed managed service provider with a wealth of experience in transitioning customers to the cloud securely.
If you need help understanding your organisation’s current Information Security maturity or would like help putting in place solutions to reduce your risk and exposure, please give Todd a call on 01242 505470 or send us a message.