The Security Risks of Email Forwarding and How to Keep Your Business Protected

August 31, 2022

By Laura Kerns

Even with increased cyber awareness, threat actors continue to gain access to companies’ networks through human error. Employees may click on a link in a phishing email, or threat actors may gain access through passwords found on the dark web. Once they gain access to the network, threat actors use existing email rules and forwarding to monitor client and vendor communications, obtain banking and wire transfer information, and collect personally identifiable information (“PII”). If email rules are not monitored, a cybercriminal may remain in a company’s system, undetected, for an extended period.

WHAT ARE EMAIL FORWARDING RULES?

Email forwarding rules allow an email account user to automatically redirect incoming emails to a separate account. This feature is a convenient tool for users and is utilized often in a business setting. For example, if a person will be out of the office for vacation or an extended period, they may forward their emails to a colleague in their absence. Cybercriminals abuse the same feature to forward incoming emails to a separate folder or email account. Not only does this provide the attacker with intelligence for a subsequent broader attack, but it may also provide the cybercriminal with PII of other potential victims. In addition, because a rule keeps running once it has been created, the cybercriminal may have access to the emails even if the user turns on multi-factor authentication (“MFA”) or changes their password.

WHAT IMPACT COULD EMAIL FORWARDING RULES HAVE ON YOUR BUSINESS?

Once a threat actor gains access to a company’s email system, an event commonly referred to as a Business Email Compromise (“BEC”), they may access the PII of your employees, vendors, and clients. A compromise may require a forensic investigation to determine which individuals and regulators must be notified. BECs can be expensive and detrimental to a company, and a BEC is often only the beginning of a larger attack.

WHAT MAY HAPPEN NEXT?

  • Ransomware: Cybercriminals now have access to a company’s network and could launch an attack.
  • Wire Transfer Fraud: A threat actor may create a new email address or an email domain name so close to your company’s domain name that the vendor/customer may not notice. They may create a rule that forwards any emails containing keywords (e.g., bank, transfer or wire) to a new email address. They may use these to direct wire instructions. The email may even include a signature line with a phone number directly to the threat actor for verification.
  • Disrupt Relationships: Threat actors may gain additional emails to vendors, clients, and customers for use in phishing campaigns. Your company may then inadvertently serve as a catalyst for further attacks inside and outside your business network, causing damage to relationships and potential liability issues.

HOW CAN YOUR COMPANY AVOID THIS TYPE OF ATTACK?

Cybercriminals continue to grow in sophistication. Companies can improve their defenses through detection and prevention.

  • Be sure to implement employee cyber training on at least a quarterly basis.
  • Determine if your business really needs email forwarding; disable it if possible.
  • Be sure your IT department is auditing logs to review existing email forwarding rules. Investigate suspicious activity immediately.
  • Have users encrypt sensitive information to provide an extra layer of security.
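
The rule audit recommended above could be automated along the following lines. This is an added example, not part of the original article: the rule export format, the sample rules, the company domain example.com and the similarity threshold are all constructed assumptions, and a real audit would read the rules from your own mail platform.

```python
from difflib import SequenceMatcher

COMPANY_DOMAIN = "example.com"                   # assumption: your own mail domain
FINANCE_KEYWORDS = {"bank", "transfer", "wire"}  # keywords named in the article
LOOKALIKE_RATIO = 0.8                            # assumption: similarity threshold

# Constructed sample of exported mailbox rules (hypothetical schema).
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "OOO cover",
     "forward_to": ["colleague@example.com"], "keywords": [], "move_to": None},
    {"mailbox": "cfo@example.com", "name": ".",
     "forward_to": ["cfo@examp1e.com"], "keywords": ["wire", "bank"], "move_to": None},
    {"mailbox": "hr@example.com", "name": "archive",
     "forward_to": ["box@freemail.test"], "keywords": [], "move_to": None},
    {"mailbox": "ar@example.com", "name": "tidy",
     "forward_to": [], "keywords": ["Transfer"], "move_to": "RSS Feeds"},
]

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return a sorted list of reasons this rule deserves investigation."""
    reasons = set()
    for address in rule.get("forward_to", []):
        domain = domain_of(address)
        if domain == COMPANY_DOMAIN:
            continue  # internal forwarding, e.g. vacation cover
        reasons.add("external-forward")
        # A domain that is nearly, but not exactly, ours suggests impersonation.
        if SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= LOOKALIKE_RATIO:
            reasons.add("lookalike-domain")
    # Keyword filters on payment terms are flagged whatever the rule's action is.
    if {k.lower() for k in rule.get("keywords", [])} & FINANCE_KEYWORDS:
        reasons.add("finance-keyword-filter")
    return sorted(reasons)

def audit(rules):
    """Map 'mailbox / rule name' to its findings, skipping clean rules."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[f"{rule['mailbox']} / {rule['name']}"] = reasons
    return findings

if __name__ == "__main__":
    for rule_id, reasons in audit(SAMPLE_RULES).items():
        print(rule_id, "->", ", ".join(reasons))
```

Subdomains of the company domain are treated as external here, so add any legitimate ones to the comparison before relying on the results.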



Laura Kerns
Senior Claim Consultant