As kids one of the first phrases we shouted in playground games was "Not it!" before running away. No one likes to be it, but if you are unfortunate enough to be phished and have your email account compromised by a cyber criminal, you are it.
Your compromised email account will likely be used by the cyber criminal to send out loads of messages to your internal and external contacts, trying to spread the phishing email, so new targets can become it along with you. The bad actor may use your email account to send direct messages to your vendors and clients that prompt a change of payment terms, and thereby, a redirect of funds into offshore accounts. Being it is awful, and it happens too often in the digital world.
In a 2020 cybersecurity survey by Cybersecurity Insiders, it was reported by respondents that 38% had a coworker who fell victim to a phishing email within the last year, and the remediation time for that bad event lasted an average of one to four days.
Multiply that uncomfortable feeling of being it as a kid by 100 when it results from an email compromise. All of your colleagues and contacts can see that it was your email account that was accessed to phish and solicit them. Their own Security Awareness Training tells them that you gave up your credentials or had a weak password. With the weight of what has happened, it is natural to want to bury your head in your work and not address the compromise head on. But you're in a dangerous state of denial if you don't say anything, thinking it won't be as bad as it could be and just maybe it will fizzle out.
This is a time to throw yourself on your sword! When you delay in communicating your misfortune to others, your contacts and their contacts may end up falling prey to the same phishing email that started the series of events since your contacts trust you and may believe the email is legitimate. Your contacts deserve immediate notification from the real you in as many forms as it takes you to reach them quickly.
The person experiencing an event which compromises their email goes through the 7 Stages of Grief when they realize their privacy and data have been violated. It's frightening and happens to many people, so let's walk through these steps together as they relate to a compromised email.
The 7 Stages of Grief
1. Shock and denial
Contacts have started calling and emailing the compromised person, asking "Did you send this email"? Usually, the response is "What? No, I didn't send that." The compromised person searches their mailbox looking for evidence of the email going out. Most often though, nothing is there because the cyber criminals covered their tracks by creating mailbox rules.
2. Pain and guilt
Often, it are those people who stay overwhelmed with too many emails and too many deadlines. With one quick click of a link in an email, they've likely sent hundreds of phishing emails to their contacts, who may then become compromised themselves. They experience painful anxiety thinking of the havoc they've unwittingly unleashed on others, and they feel guilty.
3. Anger and bargaining
The compromised starts thinking of how this just can't be happening. There is anti-virus software on the computer. There are email filters that watch for this. "Someone didn't do their job! I'm supposed to be protected from this!" But Security Awareness Training tells us that phishing emails are constantly changing and targeting in new ways that bypass filters. The phishing emails do not contain a virus or any type of data that a mail scanner would see as dangerous. It is the act of clicking on a link in the message which then takes the person to a web page designed to steal their credentials.
During "Anger and bargaining," the compromised person usually contacts technical support.
With the weight of dealing with the email compromise now in the hands of technical support people, the compromised person finally has a moment to reflect. Grief and sorrow take root, and the compromised person likely can't even work at this time because their account must be isolated from the network. They are left dwelling on the bad event and wondering, "How could this happen? How will this affect my job?"
5. The upward turn
Technical support begins remediation on the compromised account and stems the flow of phishing emails. A mail trace shows which email contacts received messages related to the event and suggests that the compromised person send an email BCC'd to those people, letting them know their account was compromised and to disregard the harmful email sent to them. Additional information about the event may be included to assist support down the line if others have been compromised outside the organization.
6. Reconstruction and working through
Remediation complete, technical support looks to identify the original email that started the phishing event. It is time to identify how and when the bad event began and to learn from it. "Did I put my credentials into a web page to access a file sent to me by a colleague? Was the file just a blank page? Was that a phishing page?" Understanding the bad event helps the compromised person process what has happened and can assist cyber teams in putting up blocks to the new phishing attack.
7. Acceptance and hope
Lessons have been learned. There is an extra pause when opening an email. The compromised person scrutinizes the email header and body of an email to look for tell-tale signs of a bad message. They hover over links in emails to see if the revealed address matches a legitimate website. They look for type-o's and variations in names since these are signs of bad actors. The compromised person has come out on the other side of the cyber event stronger and more vigilant. "Never again" is their mantra.
Compromised Email Conclusion
Aside from the most obvious point of paying close attention to Security Awareness Training to avoid an email compromise, the biggest takeaways from a compromised email account event is to act quickly and to be transparent. While going through the 7 Stages of Grief is likely in this type of scenario, owning up to the compromised account and notifying affected contacts as soon as possible is critical to stemming the tide of a phishing attack. The embarrassment of acknowledging your account was phished will pale in comparison to the anger you may receive if one of your contacts is phished from your email account, and you didn't warn them.