Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company
A hacker began selling access to hundreds of stolen executive email accounts last Friday, ZDNet reported.
Javvad Malik, security awareness advocate at cybersecurity company KnowBe4, called email account access the "crown jewels" for anyone looking to damage an organization, and the accounts of C-level executives were even more integral to an enterprise.
"With access to an executive's email, there is no limit to what a criminal can do. Not only can they send out phishing emails on behalf of the exec to defraud the company or its customers, but they can set up email rules which automatically forward emails to an external email address. These rules will remain functioning even if the account password is changed," Malik said.
Hosgood compared having access to an Office 365 account username and password to giving hackers access to internal corporate servers because most online accounts and passwords are synchronized between Office 365 and the internal domain controllers.
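Because the forwarding rules Malik describes outlive a password reset, responding to a compromised mailbox means auditing its rules as well. The sketch below is an added example, not part of the original article. It assumes inbox rules have been exported to JSON with fields named after Exchange Online's `Get-InboxRule` properties (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`); the `Mailbox` field, the domains and the sample records are constructed for illustration.

```python
import json
import re

# Assumption: the organisation's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Rule actions that send a copy of the message to another recipient.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export, one record per inbox rule.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "ceo@example.com", "Name": "Team digest", "Enabled": True,
     "ForwardTo": ['"Assistant" [SMTP:pa@example.com]']},
    {"Mailbox": "ceo@example.com", "Name": ".", "Enabled": True,
     "RedirectTo": ['"backup" [SMTP:inbox@mail.external.test]']},
    {"Mailbox": "cfo@example.com", "Name": "Invoices", "Enabled": False,
     "ForwardAsAttachmentTo": ["archive@EXTERNAL.test", "ap@example.com"]},
    {"Mailbox": "cfo@example.com", "Name": "Move newsletters", "Enabled": True,
     "ForwardTo": None},
])


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an internal domain or any subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal)


def external_forwards(export_json, internal=INTERNAL_DOMAINS):
    """Return one finding per rule action that targets an outside address."""
    findings = []
    for rule in json.loads(export_json):
        for field in FORWARD_FIELDS:
            for value in rule.get(field) or []:
                for match in ADDRESS.finditer(value):
                    if not is_internal(match.group(1), internal):
                        findings.append({
                            "mailbox": rule["Mailbox"], "rule": rule["Name"],
                            "action": field, "target": match.group(0).lower(),
                            # Disabled rules are still reported: they can be re-enabled.
                            "enabled": bool(rule.get("Enabled")),
                        })
    return findings


if __name__ == "__main__":
    print(json.dumps(external_forwards(SAMPLE_EXPORT), indent=2))
```

Run against the constructed export, this reports the CEO's redirect rule and the CFO's disabled forward-as-attachment rule, and ignores forwards that stay inside `example.com`.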
"Additional best practices like separating accounts with administrative privileges from accounts used for day-to-day computing can help protect from widespread damage from compromise. Finally, it is important that organizations ensure that their financial institutions require telephone verification for any monetary transfers over a certain amount," Clements said.