In today’s mobile business environment, using autocomplete to plug your contacts’ names into emails and IMs isn’t just convenient, it’s essential. Unfortunately, the more contacts you have saved (and the larger your organization), the more vulnerable you are to a phenomenon known as email account takeover.

Email account takeover occurs when one or more compromised accounts are used as a hub to send phishing emails to contacts both inside and outside the target organization.

Because these emails come directly from a trusted contact’s network account, not a free email provider like Google or Hotmail, they’re more likely to lead the recipient to click on a harmful link. And when recipients do click, their own network may become compromised.

Even though account takeover emails—and the fallout that comes from them—aren’t the fault of those whose accounts were breached, when a phishing email comes from your organization, it can be all but impossible to avoid leaving a bad impression with the clients and colleagues who have been burned by their trust in your business.

And with one in seven businesses falling victim to at least one account takeover incident within the last seven months, this cybersecurity threat will only continue to grow.

I recently got an email from a customer that read more like an email to a friend. It wasn’t at all IT-related. When I emailed him back, “Did you send this to me in error?”, I received a reply directly from the customer’s email that said, “No, I really need this. Please click this link.”

Fortunately, I knew better than to click a random link—and it’s a good thing too, because when I called the customer to confirm whether the information was needed, he had no idea what I was talking about!

The customer’s email account had been hacked in an account takeover.

When the account was first hacked, the hacker took over the web interface for the email. They could not only send email, as a virus can, but also monitor replies to that email and redirect those replies to a special folder so they never went into the customer’s inbox.

The hacker and I had a complete conversation with no email ever showing up in the customer’s sent folder or inbox. Without my call, the customer would have had no idea that his name was being used to encourage his email contacts to click on a virus-laden link.
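
The hidden-folder redirect in this story is something an administrator can look for. The sketch below is an added example, not part of the original post or any mail provider's tooling: it scores mailbox rules for the signals described above (mail diverted away from the inbox, marked as read, aimed at replies). The rule schema, action names and sample rules are assumptions constructed for illustration.

```python
# Added example: flag mailbox rules that resemble the reply-hiding behaviour above.
# The rule schema (name/action/target/mark_read/conditions) is an assumption,
# not any mail provider's real export format.

DIVERTING_ACTIONS = {"move", "delete"}  # hypothetical action names


def audit_rule(rule):
    """Return the reasons a rule looks like reply hiding; empty list if none."""
    action = rule.get("action")
    target = (rule.get("target") or "").lower()
    if action not in DIVERTING_ACTIONS or (action == "move" and target == "inbox"):
        return []
    reasons = ["diverts incoming mail away from the inbox"]
    if rule.get("mark_read"):
        reasons.append("marks diverted mail as read, so nothing appears unread")
    conditions = rule.get("conditions") or {}
    if not conditions:
        reasons.append("applies to all incoming mail")
    elif any(s.lower().startswith("re:") for s in conditions.get("subject_contains", [])):
        reasons.append("targets replies (subject matches 'Re:')")
    return reasons


def audit_mailbox(rules, threshold=2):
    """Return (rule name, reasons) for rules with at least `threshold` signals."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule)
        if len(reasons) >= threshold:
            findings.append((rule.get("name", "<unnamed>"), reasons))
    return findings


# Constructed sample data: one ordinary filing rule, one categorising rule,
# and one rule shaped like the hidden-folder redirect in the story.
SAMPLE_RULES = [
    {"name": "Newsletters", "action": "move", "target": "Newsletters",
     "mark_read": False, "conditions": {"from": ["news@example.com"]}},
    {"name": "Flag boss", "action": "categorize", "target": None,
     "mark_read": False, "conditions": {"from": ["boss@example.com"]}},
    {"name": ".", "action": "move", "target": "RSS Subscriptions",
     "mark_read": True, "conditions": {"subject_contains": ["Re:"]}},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES):
        print(f"suspicious rule {name!r}: " + "; ".join(reasons))
```

A single signal, such as an ordinary filing rule, is not reported; a rule is listed only when at least two signals combine.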

Could you and your team fall prey to the same type of cyber attack? And how can you know just how vulnerable you are? Contact our experts today to set up your free 30-minute cybersecurity phone consultation.