Why Do Cyber Threat Actors Target Email Accounts?
Email accounts are targeted to gain access to sensitive information and perpetrate subsequent attacks. Once a threat actor has compromised an email account, they can view previous communications, discover sensitive information, and create fraudulent emails to send to the victim's contacts in order to initiate further cyber attacks.
What Common Methods Are Used to Gain Access to Email Accounts?
Email-based Attack Vectors
- Links or attachments that download malware to steal passwords.
- Links to fraudulent websites that trick users into entering legitimate passwords.
Password Reuse
- The user establishes the same password across multiple online accounts.
- If a password is exposed in a breach of one online account, that same password can be used to gain access to additional accounts. Using unique passwords across each account is vital to protect against password reuse attempts.
Weak Passwords
- Password spraying attacks.
- Password spraying is a brute-force attack in which a threat actor tries one password against multiple accounts to avoid the account lockout that typically occurs when trying different passwords against a single account.
- Credential stuffing attacks.
- Credential stuffing is the automated injection of stolen username and password pairs into login forms in order to fraudulently gain access to user accounts.
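The low-and-wide pattern that password spraying leaves in sign-in logs can be detected as shown here. This is an added example, not part of the original advisory: the event format, thresholds, and function name are assumptions, and the sample events are constructed. Because this event format does not record the attempted password, credential stuffing from a single source has the same shape and is flagged too.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, account, result); not real data.
SAMPLE_EVENTS = [
    # One source, six accounts, one failure each: the spraying shape.
    ("2024-01-10T09:00:05", "198.51.100.7", "alice", "FAIL"),
    ("2024-01-10T09:00:40", "198.51.100.7", "bob", "FAIL"),
    ("2024-01-10T09:01:15", "198.51.100.7", "carol", "FAIL"),
    ("2024-01-10T09:01:50", "198.51.100.7", "dave", "FAIL"),
    ("2024-01-10T09:02:25", "198.51.100.7", "erin", "FAIL"),
    ("2024-01-10T09:03:00", "198.51.100.7", "frank", "FAIL"),
    # A user mistyping their own password, then signing in.
    ("2024-01-10T09:05:00", "192.0.2.15", "bob", "FAIL"),
    ("2024-01-10T09:05:20", "192.0.2.15", "bob", "FAIL"),
    ("2024-01-10T09:05:45", "192.0.2.15", "bob", "OK"),
] + [
    # One source hammering a single account: the pattern lockout is built to stop.
    (f"2024-01-10T09:10:{s:02d}", "203.0.113.20", "alice", "FAIL")
    for s in range(0, 40, 5)
]


def find_spray_sources(events, window=timedelta(minutes=10),
                       min_accounts=5, max_tries_per_account=2):
    """Map each flagged source to the accounts it failed against.
    A source is flagged when, inside one sliding window, its failures are
    wide (>= min_accounts distinct accounts) and shallow (no account tried
    more than max_tries_per_account times, i.e. under a lockout limit).
    """
    fails_by_source = defaultdict(list)
    for ts, source, account, result in events:
        if result == "FAIL":
            fails_by_source[source].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for source, fails in fails_by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures that fell out of the window
            tries = Counter(account for _, account in fails[start:end + 1])
            wide = len(tries) >= min_accounts
            shallow = max(tries.values()) <= max_tries_per_account
            if wide and shallow and len(tries) > len(flagged.get(source, [])):
                flagged[source] = sorted(tries)
    return flagged
```

On the sample events only 198.51.100.7 is flagged; the mistyping user and the single-account brute force are not, since neither touches enough distinct accounts.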
Account Recovery Steps
- Using guidance from the respective online account, follow the steps to regain access by resetting passwords and/or verifying your identity. These steps will vary depending on the email account service.
Your Email Account was Compromised – Now What?
- Immediately begin account recovery steps, including resetting your password to one that is unique, contains special characters, and is at least eight characters long.
- Enable multi-factor authentication (also referred to as two-factor authentication). The best options are authentication app codes, hardware tokens, or biometrics, though SMS text-based codes are sufficient.
- Check for and delete any unauthorized auto-forward, auto-reply, and reply-to rules that the threat actor may have put in place to maintain access to emails even after losing access to the account itself.
- Change any security questions to ones that are difficult to know or guess. Users can also choose security question answers that are incorrect to make guessing more difficult.
- Check folders, including Deleted and Sent, for any malicious or fraudulent emails that may have been sent on your behalf, so that you can notify contacts of the account compromise and advise them not to take action on the associated emails.
Recommendations to Reduce the Risk of Email Account Compromise
- Keep operating systems, applications, and browser plugins updated.
- Implement multi-factor authentication on all accounts where it is offered.
- Filter emails and ensure spam filters are enabled.
- Refrain from clicking on links or opening attachments delivered in unsolicited or unexpected emails.
- Exercise caution with links posted on social media platforms.
- Avoid connecting to public and unsecured networks. If their use cannot be avoided, use a Virtual Private Network (VPN).