Auto-forwarding of emails can be very useful, for instance, if one of your staff leaves, you might want to auto-forward their emails to your inbox for a few months, just to make sure that you don’t miss anything important.
Or you might decide to forward all mail that comes to ‘sales@’ or ‘info@’ to your own email address, so that you only need to log into one account, not three, to check your emails.
However, if a cyber attacker can get into your email account, and set up auto-forwarding to themselves without your knowledge, they may be able to find out interesting information that can be used in an attack against you.
What might the attacker do?
Once they have access to your email, an attacker has lots of options available to them:
- They could auto-forward a copy of all emails to themselves, for filtering and searching at their leisure.
- They could decide to forward just emails that contain key words, such as any of the words ‘account’, ‘bank’, ‘payment’, ‘invoice’, for instance. This means they may well be able to find out bank details, or what day you tend to pay invoices (so they could send in a fraudulent one).
- They could find out information about how your organisation works, and who key individuals are, so they can create spear phishing messages as part of another attack, perhaps persuading a colleague to change bank account details for payments.
- They may be able to extract intellectual property or other confidential information that is sent to you as an attachment.
- They could set up a rule that deletes (or moves to a less obvious location and marks as read) emails containing warnings about spam, or alerts about attacks, so that you don’t notice them, or don’t receive them at all.
They can log out of your account once they’ve set up these auto-forwarding instructions, and don’t need to log back in. They can just wait until emails containing useful information arrive in their own inboxes.
What’s more, even if you change your email password, the auto-forwarding rules will still be in place.
What can I do?
Check to see if there are already auto-forwards set up on your email. Exactly how to do this will depend on your provider, so you may need to ask for help with this.
If there are unwanted auto-forwards, then your email has already been compromised, and you should start to work your way through the following steps.
- Disable / delete the unwanted auto-forwarding rules.
- Change the password to your email, so they can’t immediately get back in and put the rules back in place.
- Change the passwords to all other important or sensitive accounts first (you can work your way through the rest later). Assume that if they’ve got into your email, they have access to any other account related to that email address.
- Add multi-factor authentication (MFA) wherever you can, so that you get alerted via a different channel if someone is requesting access to your accounts.
- Review all your financial accounts for unexpected transactions.
- Run anti-malware scans on your computer.
- Try to find out how your email account was compromised. You could try:
- looking back in your inbox for obvious phishing emails (don’t click any links)
- reviewing the results of the malware scan
- looking for malicious file downloads: don’t touch any files you don’t recognise, but ask for professional help.
- Update any out-of-date software, in case that was exploited.
You will also need to check whether anyone else in your organisation has been hacked in this way.
If there are no unwanted auto-forwards, then you should consider strengthening your defences, to reduce the risk of this happening to you or your organisation.
- Consider disabling email forwarding to addresses outside of your organisation.
- Create an alert, if you can, whenever an auto-forward is set up and then review the alerts when they arrive.
- Add MFA wherever you can, to make it harder for the attacker to gain access.
- If you are using the same password with that email address anywhere else, change it everywhere, choosing a unique password for each account.
- Make sure you and your staff understand what a phishing email might look like, to reduce the risk of someone clicking on an initial phishing email and accidentally sharing their credentials.
- Make sure you keep your software up-to-date.
If you’d like some help or advice on how to secure your business, please contact the Click and Protect team via the contact form or call us on 0113 733 6230.