Cyber security | Kristóf Arleitner | February 8, 2022
You might think your corporate email accounts are safe enough: maybe you have a decent password policy, and your email service does a pretty good job of filtering suspicious emails and malicious URLs. Still, there are ways attackers could gain access, and the playing field isn’t level: cybersecurity threats are asymmetric, meaning an attacker wins even if they succeed once out of a million tries, while defenders have to fend off all of their attempts without exception.
According to IC3’s 2020 report, BEC/EAC (business email compromise, email account compromise) makes up a whopping half of the money lost to cyber crime each year, almost $2 billion a year in itself, dwarfing categories like identity theft, tech support scams, investment fraud or credit card fraud.
In a business email compromise (BEC), an attacker sends an email message to the victim, impersonating the real owner of the sender email account. There are two sides to this:
Consider these scenarios:
Long story short, the attacker impersonates e.g. a vendor or the CEO of your company and attempts to social engineer an employee into transferring funds in one form or another. Attackers’ writing style is often spot on, mimicking that of the person they’re impersonating, right down to email signatures and non-English language proficiency.
To look into a bit of a futuristic scenario, advanced attackers could also try to impersonate someone’s voice or video image in real time using machine learning algorithms. Think of a phone call or Zoom call, talking to your CEO, except it’s not really them, but a scammer impersonating their voice or video image with uncanny precision using advanced technology.
While this technique is intriguing and there are a small handful of real-life targeted scams carried out like this, we don’t have to worry about deepfake scams in practice (yet). Email compromise is much more common and it’s the low-hanging fruit that attackers will go for.
It’s not enough to be vigilant about emails you receive. You yourself could also easily be the person whose business email account gets compromised and abused to trick your colleagues or clients. This will likely lead to financial damage and a loss of trust towards your business as a whole.
These days we need to be able to access our email from anywhere, anytime. Think of all the laptops and smartphones that employees carry with them, working sometimes from the office, other times from home, in the field or on the go. For Exchange Online, this is made possible by the service being exposed to the Internet where users can sign into their business email accounts.
Users (employees) need to authenticate themselves somehow, otherwise anyone could sign into their accounts. Traditionally this has been done with only a username and password combination, which has not turned out so well.
Microsoft’s Azure AD identity management service, responsible for securing all Exchange Online accounts, manages 1.2 billion identities and handles 8 billion authentications on a daily basis. (“Identity” basically means a user account.) Millions of accounts are probed and sometimes hundreds of thousands are breached daily.
Logic would dictate that if we avoid simple passwords like dictionary words or anything related to us personally, then we’re all good and safe. That’s true to some extent: a password like 2ouCy7eWqqNkisRA definitely beats something like 1234qwer.
Except Microsoft’s data shows that the largest impact on account security is not password complexity, but whether or not MFA (multifactor authentication) is set up for the account. Your accounts are 99.9% less likely to be compromised when using MFA, even with SMS or secondary email based MFA. It’s simply too much effort for most attackers to circumvent even the most basic forms of multifactor authentication, not to mention stronger options like a mobile app or a hardware security key.
See here for information on how to get started: https://aka.ms/securitysteps
Elevating your state of security requires constant effort; implementing a few key measures may not be enough with the current threat landscape. Also, being inside an organization and infrastructure sometimes creates blind spots where it is simply impossible to see clearly how some steps could help. We can help you pinpoint the areas in need of improvement – contact us for a free initial online consultation.
Written by: Kristóf Arleitner
Tagged as: exchange, azure ad.