A common security scenario often ignored.
Updated: Jun 21, 2022
Come on a little security concern journey with me. This isn’t very technical. If you use email for business on a basic level, please come along for the ride. It will be useful and may help guide security decisions and bring some perspective to several common risks.
Your website includes a"Meet Us" section introducing members of staff, giving job title, email addresses and direct telephone numbers. A nefarious party might learn contact details useful for Spear Phishing.
Phishing might be the attack approach that is used. It may be via email, or telephone. Often finance related staff are the most common targets. However the information available may allow the process to go further, an attacker may lookup your website address / domain name and determine information about your email service.
A DNS MX Lookup performed against the domain name is easy to perform via one of many tools (eg https://mxtoolbox.com) and will often show the platform directly used by your organisation for email (such as GSuite or Microsoft365).
If Multi Factor Authentication (MFA) has not been employed, in many cases the only information now needed to access an account is the password? How strong are your passwords? How likely are your staff to fall for a Phishing attack?
If an account is being compromised via password attempts, its not a person sitting typing. Its software making attempts from a list of the thousands of most common. Check with HaveIBeenPwnd to see how common your password is. https://haveibeenpwned.com/Passwords
Once access has been gained to a mailbox most commonly the attacker will add rules to harvest a copy of new email or establish a means of easily monitoring and spy on mail to allow them to insert themselves in an email conversation.
Ways to address this very common concern: * Multi Factor Authentication * Don’t use common or easy to guess passwords * Be vigilant about vetting email * Try and avoid making staff contact details too public.