Eyes wide, palms sweaty, adrenaline in your veins. You’re staring at your screen (or your employee’s screen) and trying to figure out what happened.
“Did I really just click that link?”
“This doesn’t look like the FedEx website…”
“What are all these strange messages in my sent folder?!”
Email scams are one of the most common threats we face when we go online. The average email user receives 67 spam messages per day, many of which are phishing attempts. One of the most effective types of phishing is Business Email Compromise. The cost of BEC is huge. The FBI estimates that Business Email Compromise cost organizations $1.77 billion dollars in 2019.
We hear about it all too often at Asylas, so we composed a list of steps to take if you or one of your employees gets duped.
What is BEC?
Business Email Compromise (BEC) (also known as Email Account Compromise) scams look like legitimate business or personal interactions. They arrive in the form of spoofed email addresses or phishing emails. They may also include hacking your account for the purpose of using it as a distribution point for more phishing attacks. (The nerve!)
A spoofed email might look like your boss or colleague’s address but with a single character added or omitted. The message might ask you to click a link to get flight information. Or maybe pay an invoice to a “vendor.”
A phishing email often looks like a shipping receipt from a standard carrier or a quote from a nationally recognized brand. (Do you get a lot of emailed car insurance quotes you didn’t ask for? That’s phishing.) The trick is not sophisticated–it only has to fool you for the split second it takes for you to click.
Have I….Been Hacked?
Ever get that feeling that something is just not right? Something about your account login process was different. You’re not sure what’s wrong, but you’re suspicious.
Here are the signs that your email has been compromised/tampered with:
- You can’t log in with your password. (And, yes, you double checked all your capitalization and non-standard characters.)
- You received an unexpected password reset message via text or in your recovery email account.
- There are strange messages in your sent folder.
- Your contacts have received strange messages from your account.
- You notice an alert that an unusual IP address or browser is logged in to your account.
It Happened. Deal With It.
Despite all your best intentions, a scam has slipped through the cracks. You or an employee have clicked on a phishing link or your email password was cracked and your account is compromised.
How do you know if you’ve cleaned up the mess and contained the damage? You are likely panicking right now. So take a deep breath and follow the steps below.
If you or an employee clicks on a phishing link or suspects your email account has been compromised, you might feel embarrassed and helpless. But this is an all too common problem and there are concrete steps to take:
- Don’t enter any data.
- Disconnect from the internet immediately. Turn off device WiFi. Unplug the ethernet cable. Whatever you have to do to get offline now. If the email compromise happened at work, stop now and notify your IT department or security team. There may be specific steps you need to take as required by your company’s cyber liability policy. In the event of a breach, the security team may also need to collect evidence for a forensic investigation.
- Back up files on all the compromised devices (but make sure you aren’t saving malicious files to shared drives/locations).
- Complete a full anti-virus, anti-malware scan on the initial device and on any devices on the network (laptops, mobile devices, smart home devices, servers, etc).
- If viruses or malware are discovered, re-image the device, removing and reinstalling all software, including the operating system. (Note that not all phishing attacks leave behind easily discoverable malware. Expert help might be needed if you’re unwilling to start from scratch on the affected device.)
- Change passwords and enable 2FA/MFA wherever possible (start with your email account). For bonus points, investigate other security options like alerts when signing in from a new location or device.
- Complete an email account audit. Check to see if your account recovery email addresses or phone numbers were changed. Check your account forwarding and auto-reply features. Is your email being forwarded to an address you don’t recognize? Are auto-replies enabled that you did not create? Check to see if other accounts were affected (accounts that you access using the compromised email address).
- Set up a fraud alert for your personal or business credit.
- Report phishing. Your email provider should have a way to report phishing emails with just a couple clicks. (Here’s Gmail’s protocol.) You can also report scams to the FTC.
- Alert your contacts to watch for anything suspicious coming from your accounts.
- Stay vigilant in the following weeks and months.
- Analyze the threat. Why did you/your employee fall victim? Did they report their misstep in a timely manner? Create and maintain an environment of openness and honesty that encourages employees to admit when they goof up. The timeliness of response makes a difference! Follow up with ongoing staff education.
When To Call For Help
If you’ve completed these steps and still think you are at risk, call for help! Asylas can help you determine if the current risk has been mitigated. And we are pleased to offer security awareness training to prevent future mistakes. Call Asylas at 615-622-4591 or email firstname.lastname@example.org. Or complete our contact form.