Business email compromise (BEC) is when a cybercriminal impersonates a trusted source in an attempt to defraud someone else into sending across sensitive information or making a fraudulent transfer.
BEC starts in one of two ways. Either the attacker spoofs an email address that closely resembles a real one, or they're able to takeover a legitiamte email account. The latter is far harder to detect and deal with, so it's important not to let credential theft via phishing spiral into account takeover.
In this article, we'll explain what you should do if you've fallen victim to a phishing email. By halting the attack early on, you may be able to prevent it from morphing into full-on business email compromise.
I fell for a phishing email. Now what?
If you believe your email account has been hacked by a scammer after clicking on a suspicious link or attachment, you must act quickly to prevent them from doing further damage.
Here are some tips on how to stop credential theft spiralling into business email compromise:
1. Change your password
The very first step you should take is to change your password to prevent the hacker from getting back into your email account. You need to choose a strong password that is difficult to guess and bears no similarity to your previous one.
Don't simply change a small aspect of your password either, especially if it's a number. Changing 'JohnsPassword1' to 'JohnsPassword2' is unlikely to protect your account against the hacker attempting to gain access to your account in the future.
Try abbreviating a sentence. "I like to walk my dog every day" would turn into 'Il2wmDOGed', for instance. The seemingly random mixture of uppercase and lowercase letters and numbers will give your email account maximum protection against hackers.
As an extra security measure, it's also worth taking the time to change your passwords on any accounts that share the same password as the hacked account. Cybercriminals could attempt to use your credentials elsewhere.
2. Contact your IT team or manager
Once you've changed your password, you must immediately alert your manager or IT team that you have been the victim of a phishing email. Reporting the incident enables your IT team or manager to make others aware of the scam and find methods of preventing similar situations in the future.
We've provided an email template you can send to your manager or IT team below.
I am writing to inform you that I believe my email account was hacked on [date].
Here is the email with the [link/attachment] I [clicked on/opened]:
<Screenshot of original phishing email including sender's details>
I have already changed my password and will warn my contacts that someone may be impersonating me via my email account.
3. Alert others that your email account has been hacked
If your email account has been hacked, the cybercriminal will be able to send emails out, pretending to be you. Chances are, if someone you know receives one of these emails, they will open it.
Once your colleagues, clients or customers open one of these impostor emails, the risk of a successful BEC attack significantly increases. It can be tempting to avoid the embarrassment of admitting your mistake but a warning may prevent your contacts from falling for the scam.
We've provided a helpful email template below to get you started.
I am writing to inform you that my email account is compromised.
Please ignore and delete any suspicious emails that come from my account; especially if they contain links or attachments, or if they ask you to provide sensitive data.
I have informed our IT team of the situation and taken steps to secure my account.
Thanks for your understanding at this time.
4. Protect yourself from future attacks
The vast majority of account takeover attacks start with phishing. Intelligent anti-phishing solutions such as Egress Defend can prevent account takeover and BEC from happening within your organization again. Defend uses machine learning to analyze both the content and context of emails, meaning it can detect the underlying building blocks of a business email compromise attack even if a legitimate account has been taken over.