How Can You Check If Your Email Is Compromised?

Stu Sjouwerman | Sep 16, 2019

Email Exposure Check_1200x675Rudy Friederich, a KnowBe4 friend at Marshal Security LLC sent me the following interesting tips related to finding out if you are the victim of Business Email Compromise. He wrote:

"Any business which hasn't developed a formal policy on double checking/'checks and balances' of the validity of financial transactions—both coming and going—is just asking for trouble. Email account security should be a section of this policy. Things like:

  1. Regularly checking account activity
  2. Regularly checking 'Trash' folder to see if attacker has set up a rule directing certain emails to go into 'Trash.'
  3. Regularly checking the list of all your folders to see if a folder has been created by an attacker so he could set up a rule directing certain emails to go into this folder. (For example, if you created your own folder called 'Junk' in Gmail and then used the 'Hide' feature, would its existence really jump out at you - even if you saw it on a list?)
  4. Regularly checking the list of all your folders to see if a sub-folder has been created by an attacker within one of your legitimate folders so he could set up a rule directing certain emails to go into this sub-folder.
  5. Regularly checking 'Settings' to see if emails are being forwarded to an attacker's account
  6. And enforce a multi-factor authentication system

Train your critical staff to go over the extent of the problem and the policy and the countermeasures you have developed.

To illustrate the critical level of the problem, Friederich commented: "The problem is so severe that I would even consider requiring all employees to change their passwords on Monday morning. Start afresh. Know for sure - or at least for better sure - that nobody can continue to get into your email accounts."

We all know the practicality of that measure is low, but how about some additional features in email clients that look for points 1-5 above, and alert the end-user or admin that something is amiss? That sounds like a great new security feature. Anyone at the software side, you guys listening?

Here is an example, this rule totally works. Coupled with first creating a folder called 'Junk' and then 'hiding' it, an email from a specified email address will appear deep down in your Gmail folders and not show any indication it is a new email. There is no doubt if you had chosen to forward the email to another address that would have worked to.

When we tried to make one such rule work simultaneously for multiple incoming email addresses, however, the rule then did not work for any of the those specified email addresses. So apparently it's something you would have to do for each and every email address you want to set up the rule for.

rule-example

Discover Your Organization’s Exposed Email Attack Surface

Cybercriminals constantly scan the deep web and thousands of breach databases to find exposed employee identities, credentials, and passwords to launch targeted social engineering attacks. Run our free Email Exposure Check Pro (EEC) to safely uncover your at-risk users and see what your organizational structure looks like to an attacker before they exploit it.

Get Your Free Email Exposure Report

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.