I’m reproducing below some generic advice in relation to e-mail account compromise. Why? Because it comprised about 90% of what I saw on business victim lists every week, and in most cases it is preventable. Hopefully you’re reading this advice before you end up on that list! I have done a more in-depth article on the topic which you can find here, but if you like bullet points, this one is for you.
- Enable Two Factor Authentication (2FA) for any cloud or web-based accounts (including personal ones, for example Facebook). You will probably find that most of your employees/colleagues handle sensitive personal information. If your e-mail accounts (or remote access) are exposed to the internet with only a password as a security barrier, you can expect to be breached again at some point in the future. 2FA is the most effective way to prevent this from taking place. (You can find helpful guides on how to switch on 2FA for a variety of common applications at www.turnon2fa.com.)
- Use a unique password for e-mail accounts. Re-used passwords can be breached elsewhere, and if a breached password is leaked alongside the matching e-mail address, an attacker has full access to the e-mail account. You can find guidance on how to create strong, memorable passwords on the National Cyber Security Centre website. I advise using this method to create two passwords: one for your e-mail account, and one for a “password manager” (an application that will generate long, complex passwords for all your online identities – not to be confused with your browser “remembering” your logins).
- Be wary of links within e-mails that require you to “log in” to your e-mail in order to view them. These may come in the form of “shared” plans, or offers of business from seemingly legitimate client prospects. The login screen will look visually identical to your cloud system portal (Microsoft 365 being the most common), but it is actually a captive portal hosted on a criminal domain, set up to harvest cloud login credentials. 2FA, described above, mitigates the impact of this threat, but remember that the password will still be compromised.
- Check your e-mail accounts regularly for any unusual “rules” or folders that have been set up without your knowledge. Rules can typically be found in the same menu as “Out of Office”. Criminals will often set rules to forward all inbound mail into duplicate folders in your account (or externally to their own e-mail account) so they can read and act on messages before dropping them into your active Inbox, so that you don’t notice.
- Please securely retain all records, screen captures and logs that you or your IT team gather in relation to any incident. Each such record should be accompanied by a note of when it was obtained, by whom, and how. This material will be useful to any investigator assigned to your case.
- You should be aware that an e-mail account takeover incident may represent a reportable data breach under GDPR. Please consider whether personal information was passing through the compromised e-mail account, and whether an attacker might have had sight of that data as a result. If so, the organisation has a statutory obligation to report the incident to the Information Commissioner’s Office (ICO) within 72 hours of discovering the breach. Neither the police nor Action Fraud automatically pass on the details of crime reports to the ICO, so you should consider making this additional report if you have not already done so.
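The third bullet describes a sign-in page that looks like the real portal but sits on a criminal domain. The following Python script is added here as an example and is not taken from the original article. It shows the check a mail filter or a helpdesk analyst can apply to a link before anyone signs in through it: it compares the host the browser would actually contact with an allow-list of genuine sign-in hosts, rather than searching the link text for a familiar name. login.microsoftonline.com is the real Microsoft 365 sign-in host; sso.example-corp.test, the .test domains and the sample links are constructed for this example.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed allow-list of sign-in hosts the organisation genuinely uses.
# login.microsoftonline.com is the real Microsoft 365 sign-in host; the second
# entry is a placeholder standing in for an organisation's own SSO portal.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "sso.example-corp.test"}


def host_matches(host: str, trusted: str) -> bool:
    """Exact match, or a sub-domain of the trusted host on a label boundary."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def classify_login_link(url: str, trusted=TRUSTED_LOGIN_HOSTS) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a link that asks the reader to sign in."""
    parts = urlparse(url)
    # .hostname discards any "user@" prefix and any port, so the host that is
    # actually contacted is compared, not whatever text appears before an "@".
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return "untrusted"
    if any(host_matches(host, t) for t in trusted):
        return "trusted"
    try:
        ipaddress.ip_address(host)
        return "untrusted"  # a genuine cloud sign-in page is never served from a bare IP
    except ValueError:
        pass
    # A trusted name appearing somewhere in the URL while the real host is
    # something else is the signature of a credential-harvesting page.
    if any(t in url.lower() for t in trusted):
        return "lookalike"
    return "untrusted"


# Constructed sample links, as they might appear in a "shared document" e-mail.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.docs-share.test/signin",
    "https://login.microsoftonline.com@docs-share.test/signin",
    "http://login.microsoftonline.com/",
    "https://203.0.113.7/office/login",
    "https://sso.example-corp.test/adfs/ls/",
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its verdict."""
    return {u: classify_login_link(u) for u in links}


if __name__ == "__main__":
    for link, verdict in triage().items():
        print(f"{verdict:10s} {link}")
```

The second and third sample links are the cases a naive substring check gets wrong: both contain the genuine host name, yet the browser would connect to docs-share.test. Run the script as-is to see the verdicts, or import `classify_login_link` into whatever processes inbound mail.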
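For the fourth bullet, checking for rules you did not create, this added Python example (not from the original article) triages an export of inbox rules and states why each flagged rule deserves a look: forwarding outside the organisation, moving mail into folders where it will not be seen, marking it read so the unread count never changes, and filtering on financial subjects. The sample export, mailbox addresses and domains are constructed; the property names mirror those of an Exchange Online Get-InboxRule export, but confirm them against your own tenant's output before running this on real data. The folder list and subject-word list are assumptions you would tune for your organisation.

```python
import json

# Constructed sample of inbox rules for three mailboxes. The field names follow
# the properties an Exchange Online `Get-InboxRule` export exposes (Name, Enabled,
# SubjectContainsWords, MoveToFolder, MarkAsRead, DeleteMessage, ForwardTo,
# RedirectTo); the Mailbox field and every value are made up for this example.
SAMPLE_RULES_JSON = """
[
  {"Mailbox": "alice@example-corp.test", "Name": "Newsletters", "Enabled": true,
   "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters",
   "MarkAsRead": false, "DeleteMessage": false, "ForwardTo": [], "RedirectTo": []},
  {"Mailbox": "alice@example-corp.test", "Name": ".", "Enabled": true,
   "SubjectContainsWords": ["invoice", "payment", "bank"], "MoveToFolder": "RSS Subscriptions",
   "MarkAsRead": true, "DeleteMessage": false, "ForwardTo": [], "RedirectTo": []},
  {"Mailbox": "bob@example-corp.test", "Name": "Backup", "Enabled": true,
   "SubjectContainsWords": [], "MoveToFolder": null,
   "MarkAsRead": false, "DeleteMessage": false,
   "ForwardTo": ["archive.mail@webmail-free.test"], "RedirectTo": []},
  {"Mailbox": "carol@example-corp.test", "Name": "Copy to Dave", "Enabled": true,
   "SubjectContainsWords": [], "MoveToFolder": null,
   "MarkAsRead": false, "DeleteMessage": false,
   "ForwardTo": ["dave@example-corp.test"], "RedirectTo": []}
]
"""

INTERNAL_DOMAINS = {"example-corp.test"}  # assumption: the organisation's own mail domains
# Folders where intercepted mail can sit unnoticed by the account owner (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject words an attacker running invoice fraud would filter on (assumed list).
SENSITIVE_WORDS = {"invoice", "payment", "bank", "wire", "remittance", "password"}


def rule_findings(rule: dict) -> list[str]:
    """Return human-readable reasons this rule deserves a look (empty list = nothing odd)."""
    findings = []
    if not rule.get("Enabled", True):
        return findings
    name = rule.get("Name") or ""
    targets = list(rule.get("ForwardTo") or []) + list(rule.get("RedirectTo") or [])
    external = [a for a in targets if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards or redirects mail outside the organisation: " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS or rule.get("DeleteMessage"):
        findings.append(f"hides or deletes matching mail (folder={rule.get('MoveToFolder')!r}, "
                        f"delete={bool(rule.get('DeleteMessage'))})")
    if rule.get("MarkAsRead") and folder:
        findings.append("marks mail as read before moving it, so no unread count alerts the owner")
    hits = {w.lower() for w in rule.get("SubjectContainsWords") or []} & SENSITIVE_WORDS
    if hits:
        findings.append("filters on financial or credential subjects: " + ", ".join(sorted(hits)))
    if not any(c.isalnum() for c in name):
        findings.append(f"rule name {name!r} contains no letters or digits and is easy to overlook")
    return findings


def triage_rules(rules_json: str = SAMPLE_RULES_JSON) -> dict:
    """Map (mailbox, rule name) -> findings for every rule that raised at least one."""
    report = {}
    for rule in json.loads(rules_json):
        found = rule_findings(rule)
        if found:
            report[(rule["Mailbox"], rule["Name"])] = found
    return report


if __name__ == "__main__":
    for (mailbox, name), reasons in triage_rules().items():
        print(f"{mailbox}  rule {name!r}")
        for reason in reasons:
            print("   -", reason)
```

On the sample data the Newsletters rule and Carol's internal copy rule pass, Bob's external forward is flagged once, and the rule named "." collects four separate findings. Anything in the report is a prompt for a human to ask the mailbox owner whether they created it, not an automatic verdict.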
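For the fifth bullet, the evidence-handling advice, this added Python example (again not the author's own material) records each collected artefact with exactly the details the bullet asks for, when it was obtained, by whom and how, plus a SHA-256 hash so that anyone can later prove the file is unchanged. The evidence files, names and log line it creates are constructed for the demonstration; the `demo` function collects two artefacts, writes a manifest, then alters one file to show how the verification step catches it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def record_evidence(path: str, collected_by: str, method: str, notes: str = "") -> dict:
    """Build a chain-of-custody entry: what, when (UTC), who, how, and the file's hash."""
    return {
        "file": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_of(path),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "method": method,
        "notes": notes,
    }


def write_manifest(entries: list, manifest_path: str) -> str:
    """Write the manifest and return its own hash, to be noted separately in the case file."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump({"entries": entries}, fh, indent=2)
    return sha256_of(manifest_path)


def verify_manifest(manifest_path: str) -> list:
    """Re-hash every listed file; return the paths whose content no longer matches."""
    with open(manifest_path, encoding="utf-8") as fh:
        entries = json.load(fh)["entries"]
    return [e["file"] for e in entries
            if not os.path.exists(e["file"]) or sha256_of(e["file"]) != e["sha256"]]


def demo() -> tuple:
    """Constructed scenario: two artefacts are collected, then one is changed afterwards."""
    work = tempfile.mkdtemp(prefix="evidence-")
    rules_export = os.path.join(work, "inbox-rules-alice.json")
    signin_log = os.path.join(work, "signin-log.csv")
    with open(rules_export, "w", encoding="utf-8") as fh:
        fh.write('[{"Name": ".", "ForwardTo": ["archive.mail@webmail-free.test"]}]\n')
    with open(signin_log, "w", encoding="utf-8") as fh:
        fh.write("2024-01-01T08:00:00Z,alice@example-corp.test,203.0.113.7,Success\n")
    entries = [
        record_evidence(rules_export, "J. Smith (IT)", "Inbox rule export from the admin console"),
        record_evidence(signin_log, "J. Smith (IT)", "Sign-in log CSV export from the admin portal"),
    ]
    manifest = os.path.join(work, "manifest.json")
    write_manifest(entries, manifest)
    before = verify_manifest(manifest)          # expected: nothing has changed yet
    with open(signin_log, "a", encoding="utf-8") as fh:
        fh.write("line added after collection\n")
    after = verify_manifest(manifest)           # expected: the sign-in log no longer matches
    return before, after


if __name__ == "__main__":
    untouched, altered = demo()
    print("mismatches before alteration:", untouched)
    print("mismatches after alteration: ", altered)
```

Keep the manifest (and the hash `write_manifest` returns) somewhere the people who collected the evidence cannot later edit; the manifest proves the files were as recorded at collection time, which is what an investigator needs to rely on them.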