How To Defend Against Persistent Email Breaches

“Hey boss, I think I have been hacked.”

Words that a small business owner or office administrator never want to hear. Sadly though, it is almost an inevitability. Your employees are constantly bombarded with phishing and other social engineering attacks and the law of averages always wins. But knowing that you have suffered a breach is the end of the threat. Now you can work towards closing the doors on the attacker. The real risk of the breach is how long it has existed and how much information has already been lost.

When a cybercriminal gains access to your email account, via phishing or purchasing stolen credentials from the Dark Web, they have many options. They can phish all your contacts, try to login to your personal banking or eCommerce accounts, or they can simply wait. This is known as a persistent email breach.  Some bad actors will sit silently on your account, sometimes for months, waiting for the right opportunity to strike. They will begin to learn your workflow, read your sensitive documents, download invoices and banking information, and start to formulate a plan. The end goal of these persistent breaches are typically to convince a target to alter banking and invoicing details and redirect payments to an account controlled by the attacker.


Let me give you a real-world example of
how a persistent breach works:

A cybercriminal gains access to your email credentials. They sign-in and begin looking for anything of value. Banking statements, invoices, company letterheads and so on. Next, they will setup rules within your email account. These rules can be used to hide their presence as well as auto-forward emails with keywords such as “banking,” “payment,” “invoice,” etc. to an email account they control. Once they have enough information, they can then create convincing emails to re-route payments or fake invoices that appear to be from familiar organizations. The longer the criminal has access to the account, the more sophisticated and credible their emails will appear. With this amount of insider information, it becomes increasingly difficult for employees to spot a malicious email.

Sadly, this happens every day. And the impact can be significant. While some companies might lose only a few hundred dollars, local businesses have lost over $150,000 from just one attack. The reality is that this style of attack is here to stay, and business owners must do what they can to protect themselves.

The good news is that there are many tools and best practices that business owners can leverage to prevent these types of attacks from being successful. Below is a list of 4 components that we strongly recommend all our clients implement to mitigate loss due to a persistent email breach.

Dark Web Monitoring:
This tool searches the Dark Web, the illicit portion of the internet, for any email address and password associated with your domain. If found, actions can be taken to prevent access to that account or remove any current persistent access a cybercriminal may already have.

Cybersecurity Awareness Training:
Training your employees how to defend your business against cyberattacks is crucial. They are the targets, and it is imperative they know how to spot and respond to phishing and other social engineering attacks. Providing effective, ongoing, and memorable training has been proven to significantly lessen the risk of breaches.

Multifactor Authentication:
A simple to use, often free tool that can stop unintended access in its tracks. If a cybercriminal were to gain access to an employee’s password, they would be unable to login without the additional authentication factor. The additional factor is typically a text message or push notification sent to a smart device. Without access to that device, the bad actor can not access the account.

Email Rules:
Most email users have one email rule in place. These rules help keep our inboxes organized and insure an important email is never missed. A recommended best practice for all email users is to occasionally check their rules for any changes. Any unfamiliar or new auto-forwarding or auto-delete rules can be indicative of a breached account. The more often you check your rules, the quicker you can shut down a persistent access breach.

These 4 components are a great start towards a robust cybersecurity plan for your organization. If you are interested in implementing any of these components into your cybersecurity plan, reach out to us today!

Get Award-Winning IT Support Today



Get Access to Resources to Help You Thrive

Download Now