Who’s Really Behind Your Email Account?

Cloud-based servers can be extremely useful, wouldn’t you agree? You don’t have to worry about hardware maintenance, power consumption, redundancy or physical security, and storage limits are resolved with far less downtime. And how many of us have clicked the “Save Password” button when the option presents itself, just so we don’t have to remember yet another password? Cloud-based servers are convenient. They eliminate the need to install extra software while providing access to applications like Microsoft Office or G Suite and to resources like shared documents or photographs. Everything you need to do your job, and every resource that matters to you, lives on someone else’s servers. But that’s the problem, isn’t it? Everything is on those servers, including the usernames, passwords and other personal identification information that protect the rest of your accounts. These cloud-based servers have made life easier for a lot of people, including the bad actors who carry out email account takeover attacks.

When a data breach results in a bad actor obtaining access to an email account, there is often more at stake than just email messages. They can steal sensitive information, send phishing emails from the account, or use the login credentials to gain deeper access into an organization’s network. This is known as Email Account Compromise (EAC) and is closely associated with Business Email Compromise (BEC). In about a third of cases, once the bad actor controls one account they go on to take over others. The mechanism is simple: the email account is usually the recovery address for the user’s other services, so a password-reset request for any of them lands in an inbox the attacker now reads, and any password reused from the compromised account can be tried directly elsewhere. This is known as a cross-account takeover.

So, how does this happen?

Bad actors can gain access to email accounts through multiple channels. One is weak passwords. Simple passwords like “password” or “123456” make it easy for a bad actor to get in: when bad actors brute-force an email account, the simpler the password, the faster it is guessed. Reusing a password from your personal life for a business account is just as dangerous. If that password leaks from any one service where it was stored, it unlocks every other account where it was reused, a technique known as credential stuffing.

Furthermore, the dark web is another channel a bad actor can use to gain access to an email account. When a service suffers a breach, the email addresses and passwords it held are frequently sold or posted on the dark web. Assuming the user has no additional protection on the account, such as multi-factor authentication (MFA), all a bad actor needs to log in is that email address or username and the now-compromised password. Security questions are a much weaker fallback here, since their answers are often guessable or discoverable from social media profiles.

Additionally, phishing emails give bad actors a direct route into email accounts. When a user engages with a phishing email by opening an attachment or clicking a link, they are typically taken to a convincing copy of their login page, and the password they type there, along with any other personal identification information, goes straight to the bad actor. A bad actor who wants continuous access may also install malware on the user’s device. And once one email account in your organization has been compromised, the bad actor can phish other personnel from a trusted internal address, which is a significant risk for your organization.

So, how can you prevent an attack like this in the first place?

Using an IP block list, limiting the number of login attempts, or tracking the locations of logins can all help combat these attacks. Bad actors try to guess passwords through a process called “brute force,” in which a program systematically tries password candidates until the correct one is found. Limiting the number of failed attempts before an account is locked (or, better, slowed down with increasing delays, since a hard lockout lets an attacker deliberately lock legitimate users out) stops the bad actor from making an endless number of guesses. Be aware that a per-account limit does not stop password spraying, where the attacker tries one or two common passwords against many different accounts, so failed attempts should also be counted per source IP address. Tracking the locations of login attempts can alert you to a bad actor attempting to log in to an email account from across town, across the state or across the globe. Once you know where the brute-force or foreign login attempts are coming from, you can deploy the IP block list. Placing these IP addresses on the block list keeps that traffic from connecting to your server at all. However, a bad actor can use a VPN or proxy to mask their true location, or simply to appear as a new IP address, which is why it is imperative to educate employees on the tactics of EAC and BEC as another line of defense.
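The three detections described above (brute force against one account, password spraying across many accounts, and a login from an unexpected location), run over a handful of sample log lines. This is an added example written for this article, not code from the original post or from Vizo Financial; the one-event-per-line log format (timestamp, user, source IP, country, result), the thresholds, and the sample entries are all assumptions constructed for the demonstration. It goes slightly beyond the text by also grouping failures per source IP, which is what makes password spraying visible when per-account lockouts never fire.

```python
"""Spot brute force, password spraying and impossible travel in login logs.

Added example for this article; not code from the original post or from
Vizo Financial. The log format (timestamp user ip country result) and all
thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real traffic: a brute-force run against alice
# that succeeds, a password spray from 192.0.2.50, one legitimate typo by
# bob, and an impossible-travel login for dave.
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice 203.0.113.10 US success
2024-03-04T09:01:10 alice 198.51.100.7 RU failure
2024-03-04T09:01:11 alice 198.51.100.7 RU failure
2024-03-04T09:01:12 alice 198.51.100.7 RU failure
2024-03-04T09:01:13 alice 198.51.100.7 RU failure
2024-03-04T09:01:14 alice 198.51.100.7 RU failure
2024-03-04T09:01:15 alice 198.51.100.7 RU success
2024-03-04T09:10:00 bob 192.0.2.50 US failure
2024-03-04T09:10:01 carol 192.0.2.50 US failure
2024-03-04T09:10:02 dave 192.0.2.50 US failure
2024-03-04T09:10:03 erin 192.0.2.50 US failure
2024-03-04T09:10:04 frank 192.0.2.50 US failure
2024-03-04T09:30:00 bob 203.0.113.22 US failure
2024-03-04T09:31:00 bob 203.0.113.22 US success
2024-03-04T10:00:00 dave 203.0.113.44 US success
2024-03-04T10:05:00 dave 198.51.100.99 BR success
"""

def parse_log(text):
    """Parse log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """(ip, user) pairs with at least `threshold` failures inside `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[(e["ip"], e["user"])]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((e["ip"], e["user"]))
    return flagged

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs failing against `min_accounts` distinct users inside `window`.

    Each account sees a single failure, so per-account lockouts never fire;
    the pattern only shows up when failures are grouped by source IP.
    """
    recent = defaultdict(deque)               # ip -> deque of (ts, user)
    flagged = set()
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        if len({user for _, user in q}) >= min_accounts:
            flagged.add(e["ip"])
    return flagged

def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Successful logins from a different country than the same user's
    previous success less than `window` earlier."""
    last_success, alerts = {}, []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < window:
            alerts.append((e["user"], prev["country"], e["country"], e["ip"]))
        last_success[e["user"]] = e
    return alerts

def build_block_list(events):
    """IPs to feed to the block list: brute-force and spraying sources."""
    ips = {ip for ip, _ in detect_brute_force(events)}
    return sorted(ips | detect_password_spray(events))

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evts))
    print("password spray:", detect_password_spray(evts))
    print("impossible travel:", detect_impossible_travel(evts))
    print("block list:", build_block_list(evts))
```

Note how bob’s single typo from 203.0.113.22 is not flagged by either rule, while the spraying source 192.0.2.50 would sail past a per-account lockout and is only caught by the per-IP count. The impossible-travel check fires for alice as well as dave, because the brute-forced login from RU arrives seventy-four seconds after her legitimate US login; that is exactly the kind of alert a location-tracking control is meant to raise.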

Making sure employees understand the danger of weak passwords, as well as the importance of MFA/2FA methods, helps protect their email accounts and your organization as a whole. Security questions, when done properly (answers that cannot be guessed or looked up on a public profile), can also add a layer of protection. Enforcing a minimum password length, screening new passwords against lists of known-breached passwords, and preventing users from reusing old passwords all raise the cost of an attack; length does more than forced complexity rules, which mostly produce predictable substitutions. Requiring password changes at fixed intervals is less helpful than it sounds: current guidance (NIST SP 800-63B) recommends forcing a change only when compromise is suspected, because routine rotation pushes users toward minor variations of the same password. Unfortunately, even with these measures in place, bad actors can still find ways into email accounts. The good news is that there are signs that alert users when their account has been taken over.
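A password-policy check that enforces the three controls the paragraph above recommends: minimum length, a breached-password screen, and no reuse of recent passwords. This is an added example for this article, not code from the original post or from Vizo Financial. The policy values (12 characters, last 5 passwords) and the four-entry BREACHED_PASSWORDS set are constructed stand-ins; a real deployment would check against a full breach corpus. The reuse check shows the detail that trips people up: every stored entry has its own salt, so the candidate password has to be re-hashed once per history entry rather than compared against a single hash.

```python
"""Password-policy check: minimum length, breached-password screen, no reuse.

Added example for this article, not code from the original post or from
Vizo Financial. MIN_LENGTH, HISTORY_DEPTH and BREACHED_PASSWORDS are
constructed policy values standing in for a real breached-password corpus.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed policy value
HISTORY_DEPTH = 5        # assumed policy value: how many old passwords to remember
ITERATIONS = 100_000
# Constructed stand-in for a real breached-password list (stored lowercase).
BREACHED_PASSWORDS = {"password", "123456", "qwerty123456", "welcome2024!"}

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh random salt
    is generated unless one is supplied for a comparison."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def was_used_before(password, history):
    """True if `password` matches any (salt, digest) pair in `history`.

    Each entry carries its own salt, so the candidate is re-hashed per entry
    and compared in constant time.
    """
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)

def check_new_password(password, history):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if was_used_before(password, history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

def rotate_password(password, history):
    """Enforce the policy and, if it passes, store the new hash in `history`.
    Returns (accepted, problems)."""
    problems = check_new_password(password, history)
    if problems:
        return False, problems
    history.append(hash_password(password))
    return True, []

if __name__ == "__main__":
    user_history = []
    for candidate in ["correct horse battery staple", "Welcome2024!",
                      "correct horse battery staple"]:
        accepted, why = rotate_password(candidate, user_history)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected: ' + '; '.join(why)}")
```

Only the hashes are kept in the history, never the passwords themselves, which is why the candidate has to be hashed with each stored salt. The history slice also means the check cost grows with HISTORY_DEPTH, so the iteration count and depth should be set together.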

It is crucial that employees recognize the warning signs that their email account has been taken over, so that swift action can be taken. One of the most notable signs is when a user is unable to access their own account, which may mean a bad actor has gained access and changed the password and/or recovery details. Conversely, if a user can still log in but notices that their information or settings have changed, for example a new mail-forwarding rule, an unfamiliar inbox filter that moves or deletes messages, or a changed recovery phone number or address, their credentials have likely been compromised; attackers commonly add such rules to hide replies to the phishing emails they send from the account. If contacts report receiving spam or phishing from the user’s account, or if the Sent folder contains items the user did not send, that is another indication of takeover. Even then, all hope is not lost, as the user can still stop the attack from spreading to other members of the organization.

There are key steps a user needs to take when they discover their account has been taken over. If the user still has access, they need to change their password immediately, sign out of all active sessions (a password change alone does not always end sessions the attacker already holds), and remove any forwarding rules, filters or recovery details they did not set up themselves. If MFA is not enabled, it needs to be enabled now, along with hard-to-guess security questions where the provider uses them. If the user cannot get in, they need to contact their email provider or IT department, request a temporary password or go through account recovery, and then make the same changes once they are back in. If the takeover was severe enough that the user’s contacts were sent phishing emails, the user should warn those contacts through another channel, such as a phone call, since a warning sent from the compromised mailbox could be intercepted or deleted by the attacker. Preventing the bad actor from reaching other confidential information is vital for the safety of the organization.

It’s true that cloud-based servers make life easier and more convenient for a lot of us, but if you’re using your personal Gmail password for your business account, or syncing saved passwords to an account that is itself protected by a weak or reused password, you’re opening the door for bad actors and increasing your risk of email account takeover as well as cross-account takeover. And not only are you putting yourself at risk, you’re also putting your organization at risk. Using strong, unique passwords and MFA, backed by carefully chosen security questions where they are offered, and persuading your employees and colleagues to do the same, is a straightforward way to defend your email account and organization against an email account takeover.


John Cuneo is information security director for Vizo Financial. With over 10 years of information technology experience, Mr. Cuneo is well-versed in conducting information system risk assessments, providing security awareness training and analyzing security controls and reports.