We are seeing new, more expeditious methods emerge to gain access to business email accounts. Hackers can buy compromised credentials online in criminal forums. From those purchases, new email scams arise. How do they get there? They’re either exposed through third-party compromises, or vulnerable through misconfigured backups and file-sharing services.

As a result, new email scams make the opportunity to profit from business email compromise(BEC) easier than ever.

Hackers are using inboxes to request wire transfers, steal financially-sensitive information stored within these accounts, and to request information from other employees. With declining barriers to entry for BEC and more ways to monetize these new email scams, we can expect the losses to continue to rise and perhaps even accelerate in the near term.

Regardless of the method attackers use to perform new email scams, these security measures help mitigate the risks. 

1. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario now.
2. Build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
3. Work with your wire transfer application vendors to build in manual controls as well as multiple person authorizations to approve significant wire transfers.
4. Monitor for exposed credentials. This is crucial for your finance department email, but it’s important for all user accounts. Multifactor authentication will also increase the difficulty for attackers to perform account takeovers.
5. Conduct ongoing assessments of your executives’ digital footprints. You can start using Google Alerts to track new web content related to them.
6. Prevent email archives from being publicly exposed. For services like Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use a strong, unique password and disable guest or anonymous access and firewall the port off from the Internet. If it needs to be on the Internet or without a password, then make sure you whitelist the IPs which are expressly permitted to access the resource.
7. Be aware of the risks of contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access. Opt  for NAS devices that are secured by default. Ideally, organizations should provide training on the risks of using home NAS drives, as well as offer backup solutions so that contractors and employees don’t feel the need to back up their devices at home.

Be aware of your vulnerabilities

As a result, these new email scams are profitable for hackers. Organizations make it easy for them to access the valuable information within their inboxes.

However, with the right combination of people, processes, and technology, organizations can mitigate the risk. As said, the source of this story is the excellent SecurityWeek site. Cross-posted with grateful acknowledgment.

aNetworks’ new-school security awareness training platform allows you to run multiple simulated BEC scenarios. That way there’s frequent ad-hoc training for high-risk employees. Finally, inspect what you expect.  Have experts examine your systems periodically. That way you can be sure your compliance standards are met.

FREE CYBER SECURITY ASSESSMENT