SMEs are most at risk of email account compromise: Three ways to protect your business


Source: Unsplash/Stephen Phillips.

The pandemic has seen a lot of us change our ways of working, cyber criminals included: they have adjusted their targets and intensified their focus on low-hanging fruit.

In fact, new research by global association ISACA indicates that only 51% of technology professionals and leaders are highly confident that their cyber security teams are ready to detect and respond to the rising number of cyber attacks during COVID-19.

Additionally, 58% of respondents say threat actors are taking advantage of the pandemic to disrupt organisations, and 92% say cyber attacks on individuals are increasing. 

It is easy to assume that only the top end of town is the target.

However, recently, international cyber crime groups have shifted to target organisations of all shapes and sizes in Australia.

From industrial businesses in regional Queensland, to car dealerships in Sydney, cyber crime groups based on other continents are making a concerted effort to target our local businesses.

Sophisticated attacks still take place. However, the majority exploit common weaknesses that are easy to avoid.

The financial losses from such attacks range from tens of thousands to millions of dollars.

A fraud event increasing in frequency and intensity is email account compromise (EAC), which takes advantage of a weakness in an organisation's email security. The cyber criminal impersonates the employee by gaining access to their mailbox and sending emails under their identity.

Cyber criminals typically obtain employee passwords from earlier data breaches, where the same password was reused on another service. Because most email providers do not make multi-factor authentication mandatory, a leaked password on its own is often enough to log in. They then access the mailboxes of those who hold financial responsibility in an organisation; the common targets are accounts, payroll and senior management, who can approve out-of-band payments.

After gaining access to the mailbox, the cyber criminal will bide their time, sometimes for hours, days or even weeks, to build an understanding of the emails being sent to and received from suppliers.

Then, at the end of a legitimate email thread to order goods from a supplier, the cyber criminal will send a final message to request that the payment is diverted to a new bank account.  

To cover their tracks, they delete the message from the Sent Items and Deleted Items folders. If the supplier replies to acknowledge the change in bank account details, a mailbox rule set up in advance deletes the reply or moves it to a folder the employee rarely looks at, so the employee is not alerted.

Where things get interesting is that cyber criminals on the other side of the world work to the same time zone as the target organisation. They know that messages sent in the middle of the night may set alarm bells ringing, so they work the business hours of the victim and only send emails during that window.

As seen in many recent breaches, IT service providers sometimes fail to take the basic steps needed to secure their customers' email systems, which exposes the customer to fraud and the provider to legal action.

It is important that businesses check with their IT service providers to ensure that basic security controls are in place.

There are a few simple steps that greatly reduce the likelihood of email account compromise.

  1. Multi-factor authentication blocks most attempts at unauthorised access to employee mailboxes. It sometimes comes at a small monthly cost, but it provides a safety net when employee passwords are compromised. Multi-factor authentication via a smartphone app or a hardware security key is more secure than codes sent by SMS, which can be intercepted, for example through SIM swapping.
  2. Security awareness training on email fraud helps key employees to recognise when fraud may be taking place, in particular any request to change a supplier's bank details, which should always be verified by phone on a known number.
  3. Deploy an email fraud defence solution that can detect and block fraudulent emails being sent from legitimate mailboxes.

Following a fraud event, a forensic investigation is often needed to establish how the mailbox was accessed and what the attacker did with it.

However, in many cases mailbox activity is not logged sufficiently in email systems such as Office 365: audit logging is not switched on, or the logs are kept for too short a period, so a full investigation cannot take place.

Again, it is important that organisations ask their IT service providers to confirm that audit logging is enabled and that logs are retained for long enough to support an investigation.
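As an added example (not from the article, and not Microsoft's tooling), the script below shows what retained audit logs make possible. It walks a constructed set of Office 365 Unified Audit Log style records, flags inbox rules that delete or hide payment-related mail in the way described above, and converts timestamps to the victim's local time so the "business hours" pattern can be checked during timeline reconstruction. The field names (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs) are assumed to follow the shape of Exchange Online audit records; the records, mailbox names and IP addresses are invented.

```python
"""Triage Exchange Online audit records for mailbox-rule tampering.

Added example; not from the article or from Microsoft. SAMPLE_RECORDS is
constructed. The field names are assumed to follow the shape of Microsoft 365
Unified Audit Log entries for Exchange operations; all values are invented.
"""
from datetime import datetime, timedelta, timezone

# Folders attackers park diverted replies in so the mailbox owner never reads them.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
# Words that suggest a rule targets payment or banking correspondence.
PAYMENT_WORDS = {"invoice", "payment", "bank", "account", "remittance", "bsb", "wire"}
MAILBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample: a login, a malicious rule created from the same address,
# and a benign rule on another mailbox. Times are UTC, as in the real log.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-06-02T01:12:44", "Operation": "UserLoggedIn",
     "UserId": "payroll@example.com", "ClientIP": "203.0.113.7",
     "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2020-06-02T01:15:03", "Operation": "New-InboxRule",
     "UserId": "payroll@example.com", "ClientIP": "203.0.113.7",
     "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "bank;account;invoice"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2020-06-03T04:40:19", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def rule_params(record):
    """Flatten the Parameters Name/Value list into a plain dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record):
    """Return (score, reasons) for a New-InboxRule / Set-InboxRule record.

    Each independent indicator of the tradecraft counts one point, so a rule
    that silently deletes payment-related mail scores well above a rule that
    merely files newsletters."""
    params = rule_params(record)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDDEN_FOLDERS:
        reasons.append(f"rule moves mail to rarely-read folder '{folder}'")
    conditions = " ".join(params.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords", "FromAddressContainsWords")).lower()
    hits = sorted(w for w in PAYMENT_WORDS if w in conditions)
    if hits:
        reasons.append("conditions match payment terms: " + ", ".join(hits))
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    name = params.get("Name", "").strip()
    if len(name) <= 2 or not any(c.isalpha() for c in name):
        reasons.append(f"rule name {name!r} is blank or a single character")
    return len(reasons), reasons


def suspicious_rules(records, threshold=2):
    """Return flagged rule events as (UserId, ClientIP, rule name, reasons)."""
    flagged = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in MAILBOX_RULE_OPS:
            continue
        score, reasons = score_rule(r)
        if score >= threshold:
            flagged.append((r["UserId"], r.get("ClientIP", "?"),
                            rule_params(r).get("Name", ""), reasons))
    return flagged


def local_hour(record, utc_offset_hours=10):
    """Hour of day in the victim's time zone for a record's UTC CreationTime.

    The default is AEST (UTC+10, no daylight saving in Queensland), given as a
    fixed offset so the example runs without a time-zone database."""
    ts = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours))).hour


if __name__ == "__main__":
    for user, ip, name, reasons in suspicious_rules(SAMPLE_RECORDS):
        print(f"{user} rule {name!r} created from {ip}: " + "; ".join(reasons))
    for r in SAMPLE_RECORDS:
        print(f"{r['CreationTime']}Z = {local_hour(r):02d}:00 local  {r['Operation']}")
```

Note that the time-of-day conversion is for building a timeline, not for alerting: as the article points out, the attacker deliberately works the victim's business hours (the sample login and rule creation land at 11:00 AEST), so the rule-creation indicators and an unfamiliar client IP are the signals that actually fire. None of this is possible if mailbox auditing was never enabled or the records have already aged out, which is the retention point above.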
