Corporate Email Hijacking: Know how it’s done
Businesses contribute heavily to the email traffic flowing across the internet. Corporate email accounts of top-level employees or decision-makers who handle financials are prime targets for email hijacking. The potential payoff for cybercriminals is greater simply because of the volume and size of the sensitive monetary details in such emails. Corporate email accounts are targeted through keyloggers or phishing attacks with the intention of making illicit transfers, costing the company hundreds of thousands of dollars.
A report by Barracuda Networks, titled Spear Phishing: Top Threats and Trends Vol. 3 – Defending against business email compromise attacks, says that 91% of BEC (Business Email Compromise) attacks take place on weekdays, during usual business hours, in order to blindside potential victims with “urgent” clickbait.
BEC attacks have high click-through rates. 1 out of 10 spear-phishing emails successfully tricks a user into clicking, and that rate triples if the imposter poses as a trusted company peer.
5 types of Email Hijacking scams:
The Bogus Invoice Scheme – Attackers pretend to be suppliers requesting fund transfers for payments to accounts that are in fact controlled by the cybercriminals.
CEO Fraud – Attackers pose as the company CEO and send an email to employees in finance, requesting them to transfer money to an account the attackers control. This creates a false sense of authority, prodding ‘lower-rung’ employees to release the funds without asking many questions.
Account Compromise – An employee’s email account is hacked and used to request invoice payments from third-party vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
Attorney Impersonation – Attackers impersonate a lawyer supposedly in charge of crucial and confidential matters. Such bogus requests are conveyed through email or phone to avoid face-to-face contact that could expose the impersonation. To pressure the victim, such calls are made towards the end of the business day to prevent second thoughts on the part of the victim.
Data Theft – Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives.
Prevention is Better Than Cure
In a press release, Don MacLennan, Senior Vice President of email protection, engineering and product management at Barracuda, explained how learning more about the tactics used by cybercriminals can help organizations avoid falling victim to BEC attacks, saying:
“Attackers continue to find new ways to make business email compromise attacks more convincing, ultimately making them more costly and damaging to businesses. Taking the proper precautions and staying informed about the tactics cybercriminals are using will help organizations defend themselves more effectively against these highly targeted attacks.”
As an organization, you must be sure that your customers and business partners only see emails sent by your legitimate domain and not by fraudsters. Domain impersonation is one of the major threats for professionals and organizations. Make sure you analyse your domain’s email traffic to achieve maximum compliance for your organization and protect your email domains from being impersonated.
Logix DMARC Monitor protects your brand by preventing unauthenticated parties from sending mail from your domain, and acts as your expert guide in moving towards a p=reject policy that safeguards your email domain from abuse.
The speed with which BEC and other attacks are evolving is dizzying. Wouldn’t you feel relieved to know your organization had the full backing of a third-party security service provider? We are glad to help.
We tackle Business Email Compromise (BEC) attacks, targeted email threats, advanced malware (known and unknown), spear-phishing, domain impersonation/domain spoofing, whaling, zero-day attacks, ransomware, and several other forms of attack. Our Email Security Services are fortified with our multi-layered, multi-tiered security approach.