Auto-Forwarded Emails Costly to Small Organizations

by

One of the least publicized but most dangerous cyber attacks against small businesses involves auto-forwarding emails to cyber criminals.

Hackers use Social Engineering tactics like phishing emails to con email login credentials out of unsuspecting users. The hackers then use those credentials to set up the compromised accounts to automatically forward the victims’ emails to themselves.

From there, the hackers can collect the victims’ forwarded emails to perform all sorts of frauds including Business Email Compromise attacks, Payroll Diversions, blackmail, extortion, malware infections, and the resale of Personally Identifiable Information or proprietary files.

The FBI considers it enough of a threat to warn businesses about such attacks after seeing losses from BEC’s in the U.S. of more than $10 billion from 69,384 victims from 2013 to 2019.

We have seen this attack ourselves at a client that lost more than 8,000 emails to the attackers before the scheme was discovered four months after an auto-forwarding rule was installed in an email account.

The lost emails included the PII of the client’s customers. The client had to notify each customer and offer free credit checks for a year. Had there been more than 500 PII records stolen, the client would have suffered the embarrassment of notifying the media.

In a typical BEC attack, a hacker pilfers the email user name and password of the victim with a phishing email that warns that their email account has been compromised and they need to log into their account and change their password.

Of course, the link in the phishing email takes the victim to a fake web page that sends the user’s original password to the hacker while the victim mistakenly believes they have protected their account by changing their original password.

The hacker then watches the victim’s account for emails with, say, suppliers and, mimicking a legitimate contact from one of those emails, sends a fake invoice that looks authentic enough that it is paid by the victim’s company.

The hacker might also jump into an email chain between the victim and a supplier about an order and submit their own quote or proposal to the victim in a malware-laced attachment.

To protect yourself against a forwarded email attack, consider these options:

  1. If you use Office 365 in your business, your system administrator can set an alert to notify you if email forwarding has been set up to automatically forward an employee’s emails. That forwarding rule can then be deleted.
  2. If you use another email program or service, routinely check your account for any auto-forwarding rules that you did not set.
  3. If your email service allows it, prohibit automatic email forwarding to external email addresses.
  4. Be wary of quotes, proposals and other emails seeking payments that do not match the tone of the contact you routinely work with or have spelling or grammatical errors. In those cases, call the contact if something seems amiss.

The FBI provides more information on BEC attacks here.

For help with disabling auto-forwarding emails, you can call us at 302-537-4198 or use our Contact Form to email us.