On This Page

The well-known movie quote, “Follow the money…,” captures the opportunism of cybercrime as it takes advantage of our digital presence and our fast-paced culture.

What is an Email Account Takeover?

In an attack known as an Email Account Takeover or Business Email Compromise, hackers situate themselves in the middle of a payment between a vendor and a customer. Offering a lucrative payoff to hackers who can find a large transaction in process, this type of fraud combines the attack methods of impersonation and relationship-building. 

Who is Involved? 

Targeted are executives, bookkeepers and financial managers because they routinely move money. Emails sent from staff in these roles convey authority and urgency, based on their position alone. 

How Does it Work? 

The scam works when criminals gain access to an email account – often a vendor’s account – and lurk in the email system, waiting for a transaction they can capitalize on. The payoff comes when the hacker communicates from inside the vendor’s account, mimics the real account owner and insert emails (inside a conversation string) that are sent to an unaware recipient. According to the FBI, $1.86 billion was lost in 2020 in these types of attacks. 

Posing as the legitimate owner of the email account, the hacker persuades the recipient to send a payment. The hacker insists on urgency and emails new or one-time wire instructions, often using an official-looking bank form with letterhead, a bank logo and an account number. The hacker may insert emails inside a conversation string to change the course of a payment and then delete any evidence contained in prior emails.   

The faster the transaction happens, the more likely the scammer will win. Thousands of helpful people have been duped into transferring money because they believed they were working with a legitimate business associate. 

How is Account Access Achieved? 

The origin of the attack often involves a successful phishing campaign. An employee unwittingly clicks on a link in a phishing email and enters their credentials on a fake website. With the captured credentials, the hacker then logs into the vendor email account, impersonates the employee and initiates the wire transfer. 

The hacker may leverage the names in the employee’s contact list to try to trick others out of their credentials. The hacker may also mine the email account to learn other account numbers or passwords.  

Spoofing is a spinoff of an account takeover attack and occurs when the hacker does not actually have access to an email account. The cyberthief creates a spoofed account, with an email address that closely mimics the legitimate account, such as exchanging the “O” for a “0” in ‘CEO@company.com’ with ‘CE0@company.com’. Recipients, without studying the email, often miss the spoof, assume the email address is legit and respond accordingly. 

Tips to Avoid Email Account Takeover

  • Don’t click on links in emails. Hover over links to see their true destinations.
  • Closely examine the sender address and the content of emails you receive.
  • Be suspicious of emails with new or one-time wire transfer instructions.
  • Use a verified contact phone number to call the email sender.
  • Follow all protocols for moving money or making payments, including real-time verification of the sender.

Security tools cannot always stop a person from going to unsafe websites and giving away their credentials or compromising their machine by downloading files from an unknown source. Each of us has an important role in stopping cybercrime. Thousands of conscientious employees and consumers have stopped cybercrime by being security aware.