2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account.
Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owing in no small part to phishing's low sophistication, easy replication and high profitability for attackers. Attackers routinely defraud organizations with spoofed emails requesting phony wire transfers or changing the bank account information used for employees' or vendors' direct deposits. Employees who act on fraudulent requests risk the loss of thousands, and in some cases millions, of dollars, not to mention the cost of forensic investigations, notifications to individuals and regulators, and reputational fallout.
Attackers are becoming more sophisticated in their techniques. Phishing emails often arrive from legitimate business contacts whose own accounts have been compromised. The messages more closely mimic legitimate business requests and link to spoofed sites imitating services the employee already uses, such as Dropbox or Google Docs. Once inside an account, attackers continue to rely on mailbox rules that forward replies to the imposter emails to the attacker and then delete them from the mailbox, concealing the correspondence from the real user.
Oftentimes attackers use information found in a compromised email account to lend legitimacy to the fraudulent request. For example, an actor may intercept a legitimate invoice, alter its payment instructions and send it on to the intended recipient. In another variation, the attacker drafts new payment instructions modeled on transactions seen elsewhere in the account, inserting banking details that direct the payment to an account the attacker controls. Because a legitimate transaction is expected, victims of these schemes are lulled into a false sense of security.
While the financial loss associated with phishing schemes can be significant, an organization's notification obligations are usually determined by the content of the emails the attacker viewed or accessed. In 2018, changes to the Microsoft Office 365 platform limited the logs available to identify which messages or attachments the attacker may have viewed. While access to these logs is in flux, organizations should proactively enable all available logging in Office 365 or their email hosting provider's application, including Audit, Message Trace and Owner Level logs, and confirm how long the provider retains them, since a compromise is often discovered weeks after it begins.
Take Action: Many Ways to Reduce the Risks
Human defense remains a critical step in protecting an organization’s email environment. By reinforcing a culture that values good email hygiene practices, and by carrying out frequent training and testing of employees, organizations can work to lessen the number of phishing incidents that cause breaches. Training alone is not sufficient, however. Companies should address the following actions through policies and procedures:
- Enable Multi-Factor Authentication (“MFA”), particularly for employees with elevated account access or sensitive or confidential information.
- Enable available email alerts for suspicious activity, such as impossible travel and email forwarding.
- Disable unnecessary email tools and protocols that let actors hide their actions or download the entire contents of a mailbox. These include mailbox rules that forward mail outside the organization (or automatic forwarding to external domains altogether), as well as the IMAP and POP3 protocols, which also let an attacker holding a stolen password log in without being prompted for MFA.
- Establish email retention policies that archive emails after a specific number of months.
- Adopt policies and procedures requiring verbal confirmation of all wire transfers or direct deposit account information changes, using a phone number already on file rather than one supplied in the request.
- Establish strong password requirements, including a minimum length of 16 characters, complexity, mandatory resets and rejection of reused passwords.
- Separate administrative accounts from user accounts and segment sensitive data.
- Enable a lockout policy after a specific number of failed logon attempts.
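The mailbox-rule concealment described above and the forwarding alerts recommended in the list are both things a defender can check for in the audit logs once they are enabled. The following Python triage script is an added example, not code from the report or any Microsoft tooling. It assumes the input is the AuditData JSON returned by the Exchange Online Search-UnifiedAuditLog cmdlet, one record per line, and flags New-InboxRule, Set-InboxRule and Set-Mailbox events that forward mail outside the organization or hide the forwarded messages from the owner. INTERNAL_DOMAINS, the sample records and the severity tiers are assumptions made for the demonstration.

```python
"""Flag attacker-style mailbox rules in Exchange Online audit records.
Added example, not code from the report. Input is assumed to be the AuditData
JSON that Search-UnifiedAuditLog returns for New-InboxRule, Set-InboxRule and
Set-Mailbox events, one object per line; the sample records are constructed."""
import json
import re
from dataclasses import dataclass

# Assumption: the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"corp.example"}
# Parameters that send a copy of incoming mail somewhere else...
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# ...and parameters that keep the owner from noticing the forwarded mail.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    external_targets: list
    hiding: list
    severity: str  # high: external forward plus hiding; medium: forward; low: hiding only


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_record(record):
    """Return a Finding for a suspicious rule change, or None if the record is benign."""
    if record.get("Operation") not in RULE_OPS:
        return None
    # Flatten the Parameters list of {Name, Value} pairs into a dict.
    params = {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}
    targets = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        # Values may be "smtp:user@host", a display name plus address, or a ';' list.
        targets += [a for a in ADDR_RE.findall(params[name]) if is_external(a)]
    hiding = []
    for name in sorted(HIDE_PARAMS.intersection(params)):
        # MoveToFolder carries a folder name, so any value counts; the rest are booleans.
        if name == "MoveToFolder" or params[name].strip().lower() in {"true", "$true", "1"}:
            hiding.append(f"{name}={params[name]}")
    if not targets and not hiding:
        return None
    severity = "high" if targets and hiding else "medium" if targets else "low"
    return Finding(record.get("UserId", "?"), record["Operation"],
                   record.get("ClientIP", "?"), targets, hiding, severity)


def analyze_log(lines):
    """Run analyze_record over JSON-lines input, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            record = None
        finding = analyze_record(record) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records in the assumed AuditData shape (not real audit data).
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@corp.example",
                "ClientIP": "203.0.113.45", "Parameters": [
                    {"Name": "Name", "Value": ".."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardTo", "Value": "b.smith.corp@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "bob@corp.example",
                "ClientIP": "203.0.113.45", "Parameters": [
                    {"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@corp.example",
                "ClientIP": "198.51.100.7", "Parameters": [
                    {"Name": "Name", "Value": "Team updates"},
                    {"Name": "ForwardTo", "Value": "dave@corp.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "carol@corp.example",
                "ClientIP": "198.51.100.7"}),
    "not json at all",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.user} {f.operation} from {f.client_ip}: "
              f"forward={f.external_targets or '-'} hide={f.hiding or '-'}")
```

Run against the constructed records, the script rates Bob's rule (external forward plus delete, named ".." so it sorts to the bottom of the rule list) high, his mailbox-level forward medium, and Carol's internal rule low, while ignoring the login event and the malformed line. In practice the records come from Search-UnifiedAuditLog filtered to these operations, and rules created from the Outlook client rather than PowerShell are recorded under a different operation with a different parameter layout, so RULE_OPS and the parameter parsing need extending before the check is relied on for full coverage.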
Protecting your organization’s email environment must be a multipronged effort, combining technological advancements with employee vigilance. One without the other is not nearly as effective as the two combined in securing email account credentials.