
Email Account Takeovers: How To Protect Yourself From This Sneaky Attack

It only takes one convincing email for a hacker to slip into your inbox unnoticed. Once inside, they can quietly watch, gather information, and even impersonate you — often before anyone realizes what is happening.

Recently, one of our clients was targeted by hackers and their CFO experienced an email account takeover. Unfortunately, this type of cyberattack is becoming more common and can be somewhat tricky to detect.

Luckily, our client realized something was amiss and contacted us right away. Time is of the essence and because of their quick reaction, we were able to stop the hackers from accessing additional email accounts, their private data, and financial account information.

Sometimes this type of breach goes undetected for weeks or even months, especially if you don't have proper security monitoring software in place. But by simply training your staff to spot malicious emails and use strong passwords, you can dramatically reduce your risk.

What is an Email Account Takeover?

An email account takeover (ATO) happens when cybercriminals gain unauthorized access to your email account. Once inside, they can read messages, download all your emails, reset passwords, and change your email rules. Worst of all, they can send emails to your contacts that impersonate you. Their main goal is to collect information so they can access financial accounts or get someone to send them money.

In the case of our client, once the hackers gained access to the CFO’s account, they started sending emails to vendors and employees while posing as the CFO. No one knew this was happening until one of their vendors called to ask about a suspicious email from the CFO.

Verifying over the phone was a masterclass in how to handle the situation. If their vendor had replied to the email instead, the CFO might not have even received it. Hackers often change your email settings to have all incoming email go directly into a hidden folder.

After our client got off the phone, they called us. We checked their login logs and noticed someone had logged in recently from out of state. We immediately signed out of all their active sessions and reset their password.

So, how did the hackers get access?

We’re pretty confident the CFO clicked on a link in an email that looked like it came from a service they commonly use, such as Microsoft, Google, PayPal, or their bank. When they clicked the link, they were taken to a fake login page where they entered their username and password, which sent this information directly to the hackers.

These phishing emails are designed to look like a normal email, often including the service’s logo and branding. At first, they seem legitimate, but once you read the text, something seems off. They typically include an urgent request like a security alert, an overdue invoice, or a shared document request.

Once they have your username and password, they can log into your account. But instead of locking you out, they stealthily monitor your activity and identify contacts to target.

CFOs, controllers, and accounting staff are targeted the most because they handle payments, invoices, payroll, and financial systems. If an attacker compromises their email or tricks them into sending a payment, they can steal large sums of money quickly, often before anyone notices.

Warning Signs

If your email account has been compromised, here are a few signs to look for:

  • Complaints from contacts about strange or suspicious emails “from you.”

  • Password changes you didn’t make.

  • Login alerts from unfamiliar devices or locations.

  • Messages in your “Sent” folder you don’t recognize.

  • Missing emails or new inbox rules that automatically forward or delete messages.
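The warning signs above can be checked mechanically. The following is an added example, not code from the original post or from Grand Consulting: a small triage script that scans constructed audit events for two of the signs listed here, successful sign-ins from a location the user has never signed in from before, and new inbox rules that forward, delete, or move incoming mail into another folder (the "hidden folder" trick described earlier). The event field names, the state-level location baseline, and the sample addresses are assumptions, not a real mail system's log schema.

```python
# Added example: flag account-takeover warning signs in constructed audit events.
# The event schema below is hypothetical; map it onto your provider's real logs.

# Constructed sample events (not real data).
EVENTS = [
    {"type": "signin", "user": "cfo@example.com", "state": "CO", "result": "success"},
    {"type": "signin", "user": "cfo@example.com", "state": "NJ", "result": "success"},
    {"type": "inbox_rule", "user": "cfo@example.com", "name": "Sort",
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_read": True}},
    {"type": "inbox_rule", "user": "cfo@example.com", "name": "fwd",
     "actions": {"forward_to": "placeholder-external@example.net"}},
    {"type": "signin", "user": "ap@example.com", "state": "CO", "result": "success"},
    {"type": "signin", "user": "ap@example.com", "state": "NJ", "result": "failure"},
]

# Constructed baseline: states each user normally signs in from.
KNOWN_STATES = {"cfo@example.com": {"CO"}, "ap@example.com": {"CO"}}

# Inbox-rule actions that match the warning signs in the list above.
# Note: legitimate sorting rules also move mail, so a hit is a review item,
# not proof of compromise; forwarding to an outside address is the strongest signal.
SUSPICIOUS_ACTIONS = {"forward_to", "delete", "move_to_folder"}


def detect_ato_indicators(events, known_states):
    """Return (user, reason) tuples, in log order, for events matching the signs."""
    findings = []
    for e in events:
        user = e["user"]
        if e["type"] == "signin":
            # Only successful logins matter here; failures are noise for this check.
            if e["result"] == "success" and e["state"] not in known_states.get(user, set()):
                findings.append((user, f"sign-in from unfamiliar location {e['state']}"))
        elif e["type"] == "inbox_rule":
            hits = SUSPICIOUS_ACTIONS & set(e["actions"])
            if hits:
                findings.append((user, f"new inbox rule '{e['name']}' with {sorted(hits)}"))
    return findings


def users_to_review(events, known_states):
    """Distinct users with at least one finding, for an IT provider's triage list."""
    return sorted({user for user, _ in detect_ato_indicators(events, known_states)})


if __name__ == "__main__":
    for user, reason in detect_ato_indicators(EVENTS, KNOWN_STATES):
        print(f"{user}: {reason}")
```

Run against the sample events, the script flags only the CFO: one out-of-state sign-in and two new inbox rules, which is the pattern the incident above describes.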

What To Do If You Suspect Suspicious Activity

  1. Notify your IT provider right away
    They can help determine how the account was accessed, remove the attacker’s control, and ensure no other systems are affected.

  2. Change your password immediately
    Use a strong, unique password that you haven’t used anywhere else.

  3. Notify anyone who may have received emails from your compromised account
    Let them know not to click links or open attachments sent during the time of compromise.

What if I receive a suspicious email from someone I know?

Call them. If you receive an email from someone you know at another company and the email doesn’t sound right or is asking for financial information, their account may have been compromised. It’s a good idea to give them a quick call to make sure the email is legitimate.

How to Prevent Future Takeovers

For our clients, we recommend training and additional security software to protect their entire IT infrastructure. We offer security awareness training for their staff so they are aware of phishing attacks and know how to recognize suspicious emails.

We also offer advanced spam filtering that blocks phishing emails from ever getting to their inboxes, along with identity threat protection that alerts them when someone logs in from an unfamiliar location.

After this incident, our client chose to implement these additional layers of security and also scheduled training sessions for their staff.

We’re Here to Help

At Grand Consulting, we help businesses stay protected from cyber threats like phishing, ransomware, and account takeovers. From security awareness training to advanced email protection and monitoring, we make sure your systems stay secure.

If you’ve noticed suspicious activity or want to strengthen your company’s defenses, reach out to our team today. We’ll help you lock down your accounts and keep your data safe.