Beware: Attackers are finding new ways to avoid detection when they compromise email accounts.
Researchers from Barracuda and UC Berkeley, conducting a large-scale analysis of email account takeover and the timeline of attacks, have highlighted the behaviors hackers use to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions you can take to protect your business.
Among the key findings:
- Attacks are spread out over a period of time; they don’t always happen as soon as the account is compromised
- Attackers are getting smarter about geography; they send phishing emails and perform other actions from IPs tied to regions and countries similar to those of the hacked account
- IP addresses and ISPs provide important clues; attackers tend to use anonymous IPs belonging to ISPs that are different from the hacked account’s provider
Protecting Against Email Account Takeover
Monitor Account Access and Inbox Rules
Get granular with your monitoring. Use technology to identify suspicious activity, including logins at unusual times of the day or from unusual locations and IP addresses, all potential signs of a compromised account. Track IPs that exhibit other suspicious behaviors, including failed logins and access from suspicious devices.
Be sure to also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover. Criminals log into the account, create forwarding rules and hide or delete any email they send from the account, to try to cover their tracks.
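The checks described above can be sketched as detection logic over mailbox audit events. This is an added example, not code from the researchers or any product; the event schema, field names, ISP names, ORG_DOMAIN value and sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict

ORG_DOMAIN = "example.com"                  # assumed organization mail domain
HIDING = {"delete", "mark_read", "move"}    # rule actions that hide mail from the owner

def baseline(history):
    """Collect the ISPs, countries and login hours seen per user in known-good logins."""
    seen = defaultdict(lambda: {"isp": set(), "country": set(), "hour": set()})
    for e in history:
        if e["type"] == "login" and e["ok"]:
            for key in ("isp", "country", "hour"):
                seen[e["user"]][key].add(e[key])
    return seen

def detect(events, seen, max_failures=3):
    """Return (user, reason) alerts for suspicious logins, source IPs and inbox rules."""
    alerts, failures = [], Counter()
    for e in events:
        if e["type"] == "login" and not e["ok"]:
            failures[e["ip"]] += 1
            if failures[e["ip"]] == max_failures:
                alerts.append((e["user"], f"repeated failed logins from {e['ip']}"))
        elif e["type"] == "login":
            known = seen.get(e["user"], {})
            # Country alone is a weak signal because attackers pick IPs near the
            # victim, so an unfamiliar ISP is checked independently of location.
            for key in ("isp", "country", "hour"):
                if e[key] not in known.get(key, ()):
                    alerts.append((e["user"], f"unusual {key}: {e[key]}"))
        elif e["type"] == "rule_created":
            target = e.get("forward_to")
            if target and not target.lower().endswith("@" + ORG_DOMAIN):
                alerts.append((e["user"], f"rule forwards mail externally to {target}"))
            if e.get("action") in HIDING:
                alerts.append((e["user"], f"rule hides mail via {e['action']}"))
    return alerts

# Constructed sample data (hypothetical schema, documentation IP ranges).
HISTORY = [
    {"type": "login", "user": "alice", "ok": True, "ip": "192.0.2.10", "isp": "ExampleNet", "country": "US", "hour": h}
    for h in range(8, 18)
]
EVENTS = [
    {"type": "login", "user": "alice", "ok": True, "ip": "203.0.113.7", "isp": "AnonHost", "country": "US", "hour": 3},
    {"type": "rule_created", "user": "alice", "forward_to": "drop@mail.example.net", "action": "delete"},
] + [{"type": "login", "user": "bob", "ok": False, "ip": "198.51.100.4", "isp": "AnonHost", "country": "US", "hour": 10}] * 3

if __name__ == "__main__":
    for alert in detect(EVENTS, baseline(HISTORY)):
        print(alert)
```

The first sample login comes from the account's usual country, so a country-only check would pass it; the unfamiliar ISP and the 3 a.m. hour are what raise the alerts.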
Train Staffers to Recognize and Report Attacks
Educate users about spear-phishing attacks by making it a part of security-awareness training. Ensure staffers can recognize attacks designed to steal login credentials and that they know how to report attacks. Use phishing simulation for emails, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks. Help employees avoid making costly mistakes by creating guidelines that put procedures in place to confirm requests that come in by email, including making wire transfers and buying gift cards.
Use Multi-Factor Authentication
Multi-factor authentication, also called MFA, two-factor authentication, and two-step verification, provides an additional layer of security above and beyond username and password, such as an authentication code, thumbprint or retinal scan.
Take Advantage of Artificial Intelligence
Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise and email account takeover. Deploy purpose-built technology that doesn’t rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
Deploy Account-Takeover Protection
Some of the most devastating and successful spear-phishing attacks originate from compromised accounts. Be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.