Finance teams targeted as ‘email hijack attacks’ rise by 22%

Cybercriminals are targeting finance teams with attacks designed to intercept their emails and divert client payments into the hackers’ bank accounts, according to a security monitoring specialist.

bluedog Security Monitoring has reported a 22 per cent increase in the second quarter of the year in phishing attacks which aim to hijack email accounts. It says every single company is now being targeted at least once a week and in some cases, employees are receiving five or six such emails a day.

Tim Thurlings, CTO of bluedog, says the fraudsters are in particular targeting accounts, finance departments and credit collections teams and trying to breach their Microsoft 365 accounts. “Once the attackers get inside a mailbox, they can see the type of work the person does from the messages within it,” says Tim.

“They can then change the mailbox settings and set up a ‘forward and delete’ rule. That means any emails the employee sends out are automatically forwarded to the hacker who can then amend the bank account number or insert a request to change the payment details before sending on to the victim.

“It is difficult if not impossible for victims to detect a fraudulent email like this as it looks to all intents and purposes as if it has come from the company’s address. And as the original email is automatically deleted from the sender’s mailbox, there is no record of what has happened, unless you have some type of security monitoring in place.”

bluedog has also detected a rise in brute force attacks, usually automated attacks where the ‘robot’ tries repeatedly to guess the employee’s Microsoft 365 log-in. Again, fraud is the main driver. It says 66% of companies it monitors have been subjected to these in the second quarter, up from 48% in the first three months of year. In total, around 8% of companies have been successfully breached.

bluedog says the rise in attacks is linked to the lockdown, as more companies have switched their employees to the cloud-based Microsoft 365 system to facilitate homeworking.

Tim Thurlings says finance staff need to be aware of the risks and urges employers to put safeguards in place. “These type of phishing attacks trick the user to go the genuine Microsoft login page and give permission for a third-party app to access their files. IT teams can impose controls to restrict the use of third-party apps, while the use of multi-factor authentication will help prevent brute force attacks.

“However it is almost impossible to remove the risk altogether and ultimately companies need to use monitoring to detect where a breach has occurred. A Microsoft 365 monitoring service is a simple, low-cost solution that will spot the warning signs, such as a change of settings or permissions, so companies can take action and block access to intruders before any real damage is done.”