Your employees’ accounts are doorways into your organization’s data. They enable access to all of the applications that make up your network, and all the information stored within those applications. Cybercriminals know this, which is why they consistently attempt to gain access to corporate data via account compromise attacks.
Account compromise is when a bad actor hacks into—and takes control of—a user’s account. They usually do this by cracking weak passwords via brute force, or exploiting user vulnerabilities and human error to steal passwords from users via social engineering attacks. These are some of the most prevalent causes of data breaches we’re seeing today; in fact, 85% of breaches involve a human element, and 61% involve misused or stolen credentials.
There are a number of solutions available to help prevent and mitigate the risk of account compromise, such as password managers, which secure your employees’ passwords; multifactor authentication solutions, which ensure that a hacker can’t access a user’s account even if they crack its password; privileged access management solutions, which ensure your most critical corporate accounts are secured; and post-delivery email security solutions, which scan inboxes for signs that an attacker is trying to steal a user’s credentials or has successfully managed to hack into their account, and shut down the attack.
In this guide, we’ll explore the best-in-breed options for each of the above types of solution. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for, so you can be certain you’re choosing the best account compromise protection for your organization.
What Is Account Compromise?
Account compromise is a type of cyber attack that involves a threat actor taking control of their victim’s account, and then impersonating the account’s legitimate user. Once they’ve compromised a user’s account, cybercriminals can access all that user’s data and sell it or use it to carry out further attacks. For example, they may read their victim’s conversation history to find out more about their colleagues, so that they can send those colleagues a spear phishing email and compromise those accounts.
Account compromise is particularly dangerous for businesses that use cloud-based application suites, such as Microsoft 365 or Google Workspace. That’s because, once one set of credentials is compromised, the attacker can access all of their victim’s applications (email, collaboration, instant messaging, etc.).
How Can An Account Be Compromised?
Threat actors usually gain initial access to an account in one of two ways:
- Brute force: The attacker programs a computer to “crack” the user’s password. The computer will usually start by guessing common passwords and then work systematically through all possible letter, number, and symbol combinations one character at a time, until it finds the right one. These attacks are particularly effective against organizations that don’t enforce good password practices, such as updating passwords and using passphrases instead of hackable eight-character codes.
- Spear phishing: The attacker contacts the user (usually via email), impersonating a trusted sender, and attempts to manipulate the user into resetting their login credentials or entering their credentials into a fake login page. These attacks are highly effective against all organizations as they rely on basic human error and can be very difficult to spot without the right security awareness training and email security solution.
How Can You Spot Account Compromise?
There are a few signs to look out for that may indicate an account has been compromised:
- A legitimate user’s inability to access their account, or multiple accounts – this suggests that a cybercriminal may have changed the password
- Phishing attacks being sent by internal users
- Suspicious email activity such as emails being deleted, configuration changes, automatic forwarding, and emails being sent with lots of BCC addresses
- Multiple failed login attempts or password changes from an unknown location
- Unexpected updates to an account’s personal information such as the user’s phone number or address
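As an added example (not part of the original guide or any vendor's product), the sketch below checks a batch of audit events for the signs listed above. The event field names, thresholds, the `corp.example.com` domain, and the choice to flag only forwarding rules that point outside that domain are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events; field names are assumptions, not a real product's log schema.
EVENTS = [
    {"user": "alice", "type": "login_failed", "country": "US"},
    {"user": "bob", "type": "login_failed", "country": "RO"},
    {"user": "bob", "type": "login_failed", "country": "RO"},
    {"user": "bob", "type": "login_failed", "country": "RO"},
    {"user": "bob", "type": "password_changed", "country": "RO"},
    {"user": "bob", "type": "forward_rule_created", "target": "drop@mail.example.net"},
    {"user": "bob", "type": "mail_sent", "bcc_count": 40},
    {"user": "carol", "type": "mail_sent", "bcc_count": 2},
    {"user": "carol", "type": "profile_updated", "field": "phone"},
]
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"GB"}, "carol": {"US"}}  # per-user baseline (assumed)
INTERNAL_DOMAIN = "corp.example.com"  # placeholder domain
FAILED_LOGIN_THRESHOLD = 3            # assumed thresholds; tune to your environment
BCC_THRESHOLD = 20

def find_indicators(events, known=KNOWN_COUNTRIES):
    """Return {user: sorted indicator names} for the compromise signs in the list above."""
    hits, failed = {}, Counter()

    def flag(user, name):
        hits.setdefault(user, set()).add(name)

    for e in events:
        user, kind = e["user"], e["type"]
        # "Unknown location" here means a country outside the user's baseline.
        unknown_loc = "country" in e and e["country"] not in known.get(user, set())
        if kind == "login_failed" and unknown_loc:
            failed[user] += 1
            if failed[user] >= FAILED_LOGIN_THRESHOLD:
                flag(user, "failed_logins_unknown_location")
        elif kind == "password_changed" and unknown_loc:
            flag(user, "password_change_unknown_location")
        elif kind == "forward_rule_created":
            if not e["target"].lower().endswith("@" + INTERNAL_DOMAIN):
                flag(user, "external_auto_forward")
        elif kind == "mail_sent" and e.get("bcc_count", 0) >= BCC_THRESHOLD:
            flag(user, "mass_bcc")
        elif kind == "profile_updated" and e.get("field") in {"phone", "address"}:
            flag(user, "profile_change")
    return {u: sorted(names) for u, names in hits.items()}

if __name__ == "__main__":
    for user, names in find_indicators(EVENTS).items():
        print(user, names)
```

A single indicator such as a phone number update is weak on its own; several indicators on the same account in a short period is the pattern worth escalating.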
While searching for these indicators of a compromised account, it can be very difficult to keep tabs on so many small details across multiple users’ accounts. For that reason, we recommend implementing security that can help you prevent account compromise from happening in the first place (e.g., MFA, PAM, password manager) and a solution that can help you identify account compromise when it does happen (cloud-based email security).