Danger! Hackers controlling business email accounts

9 August 2016

The power of Email

Email marketing technology is used by 82% of B2B and B2C companies to encourage repeat business, and 50% of marketers expect their company's spend on email to increase during 2016. This form of advertising has become an essential part of day-to-day business: companies rely on email platforms to announce new products and services and, often, to close essential sales.

Why so popular? Of purchases made as a result of receiving a marketing message, email has the highest conversion rate (66%) when compared with social media, direct mail and other channels, giving email marketing an ROI of 3800%. But surely this also creates the perfect environment for hackers?

How it works

There are several ways in which these email attacks take place. One is ransomware, commonly delivered by a spam email carrying a malicious link or attachment. Lock-screen ransomware, one variant, locks the victim out of their machine, demands a ransom payment and can hijack the webcam, transferring control of the device from its owner to the hacker. Another popular method is phishing, in which the hacker masquerades as a trustworthy entity. Phishing can be broken down further into sub-categories:

    • Spear Phishing – a targeted phishing attack on a specific company or individual
    • Vishing – use of a telephone to socially engineer access to information
    • SMiShing – use of SMS text messaging to elicit personal information
    • Whaling – targeting senior executives/high-profile managers

CEO fraud, a form of whaling, is becoming prevalent in recent news because senior management usually have access to, and authority over, the whole company. The hackers research the CEO's movements through social media channels and strike during a window when the CEO is travelling or otherwise unreachable, so that nobody can easily confirm a request with them. They may compromise one of the CEO's devices with malware, which can give them access to the company's files and to the CEO's real mailbox; alternatively they simply spoof the CEO's address or send from a lookalike domain. Either way, the hacker uses the CEO's identity to obtain the information they want or to make requests, typically urgent payment instructions, on the CEO's behalf.
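Most of these tells live in the message headers, so a first-line check can be automated. The following is an added example (not the article's or IntaForensics' code) showing how a mail gateway or an analyst's triage script might flag the impersonation indicators that the phishing and CEO-fraud attacks described above rely on: an executive's display name on a foreign address, a lookalike sender domain, and a Reply-To that diverts replies outside the company. The company domain example.com, the executive list and the two sample messages are assumptions constructed for the illustration.

```python
"""Triage check for executive impersonation in inbound mail.

Added example, not code from IntaForensics or the original article.
The company domain, executive list and messages below are constructed
for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation details (hypothetical).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # lower-cased display name -> real address


def edit_distance(a, b):
    """Levenshtein distance; a domain within 2 edits of ours is a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def impersonation_indicators(raw_message):
    """Parse one RFC 5322 message and return a list of impersonation indicators."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    found = []

    # 1. An executive's display name, but not the executive's real address.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        found.append("display-name spoof: '%s' sent from %s" % (name, addr))

    # 2. Sender domain is a near-miss of the company domain (e.g. examp1e.com).
    if from_domain and from_domain != COMPANY_DOMAIN \
            and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike domain: %s" % from_domain)

    # 3. Reply-To sends the conversation somewhere other than the From domain,
    #    so a victim who simply hits Reply talks to the attacker, not the CEO.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        found.append("reply-to redirect: %s" % reply_addr)

    return found


# Constructed sample: a CEO-fraud attempt sent while the "CEO" is unreachable.
FRAUD_MAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo@mail-provider.test>
To: finance@example.com
Subject: Urgent wire transfer

I'm in meetings all day and can't take calls. Please pay the attached invoice today.
"""

# Constructed sample: a genuine message from the executive's real mailbox.
LEGIT_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 figures

Can you send me the Q3 numbers when they are ready?
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        print(label, impersonation_indicators(mail) or ["no indicators"])
```

Note the limit of this kind of check: if the hacker has genuinely taken over the CEO's mailbox, the From address, domain and Reply-To are all real and none of these indicators fire. That is exactly why the out-of-band call-back and dual-verification controls later in this article matter more than any filter.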

The Result

Hackers scam the loyal customers of businesses of all sizes by first gaining access to the business's email accounts. Control of the account lets them trade on the brand's image and trick customers into transferring money for what they believe are legitimate goods or services. In reality the money goes straight to the hackers, and the customer exposes their personal and bank details in the process, leaving them open to further attacks.

Case Study

An example of how serious a breach and the email fraud that follows it can be is the attack on British communications provider TalkTalk in October 2015. Initial estimates suggested that up to 4 million customers were affected by the theft of customer data from the TalkTalk database, including names, addresses, email addresses and telephone numbers. There was also the possibility that credit card details had been exposed; thankfully, the encryption of those details prevented them from being readable.

This led to a 9% fall in TalkTalk's share price and total costs of between £30 million and £35 million, attributed to lost online sales and service capability as the company's reputation was damaged. One customer was scammed out of £2,800 after a hacker emailed and telephoned them while impersonating a member of TalkTalk staff, and so obtained their bank details. Such attacks harm both the company and its customers, which is why the correct precautions and security need to be in place.

How to prevent

There are a number of basic steps that organisations can take in order to provide substantial protection against these types of offence:

    • Ensure all IT systems are fully patched with OS and application updates installed as soon as possible
    • Protect all machines with up to date anti-malware
    • Implement a ‘call-back’ system to verify any unusual activity/payment instruction requests using a previously known and pre-designated phone number
    • Require dual verification of activity/external payment requests to prevent a single point of failure
    • Securely destroy/shred physical items such as papers and optical disks etc. prior to disposal to prevent opportunities for so called ‘dumpster diving’
    • Do not open links or attachments in unverified emails
    • Install and use email filtering and web-blocking software to stop known malicious messages and sites
    • Maintain a regular staff-awareness and training regime during which staff should be reminded about the type and quantity of personal information that they might post on social networking sites
    • Contact IntaForensics for Cyber Security services

Cyber Essentials

Cyber Essentials is a Government-backed, industry-supported foundation for basic cyber security hygiene. The scheme has been carefully designed to guide organisations of any size in protecting themselves against cyber threats.

Two thirds of large businesses experienced a cyber breach or attack in the past year. Cyber Essentials is now mandatory for all central government contracts advertised after 1 October 2014. Even if you are not a government supplier, you should still seriously consider embarking on the Cyber Essentials pathway to ensure that your business has implemented basic cyber security controls. IntaForensics are a Cyber Essentials Certification Body, and we would be delighted to assist and support your achievement of Cyber Essentials certification. If successful, we will award you the requisite certificate(s) and badge(s) that you can display on your company website, making the company more secure whilst promoting a reputation for security.

Cyber Incident Response Services

If you are the victim of a cyber-attack, then fear not. IntaForensics provide several options specifically designed to meet the needs of businesses large and small. In addition to the standard offerings, we will be delighted to create a bespoke package for the unique requirements of your organisation.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission