Business Email Compromise Made Easy for Cybercriminals as 12.5 Million Company Email Inboxes and 33,000 Finance Department Credentials Openly Accessible on the Web

Digital Shadows also reveals the rise of BEC ‘as a service’ – advertised on the dark web with hacked accounts available from $150, delivered within a week

LONDON & SAN FRANCISCO--()--Digital Shadows, the leader in digital risk management and relevant threat intelligence, has today announced the findings of new research revealing the diversity of methods used to infiltrate company emails. The FBI has estimated that scams resulting from business email compromise – such as fake invoices and wire fraud – have cost businesses $12bn globally over the last five years.

While phishing is a common means of attack, the research reveals criminals are resorting to a wide variety of methods to access business email accounts. But in many cases, companies are inadvertently making it easy for cybercriminals. Digital Shadows discovered entire company email inboxes exposed – over 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly available across misconfigured rsync, FTP, SMB, S3 buckets, and NAS drives. By improperly backing up these archives, employees and contractors are unwittingly exposing sensitive, personal and financial information – Digital Shadows discovered 27,000 invoices, 7,000 purchase orders, and 21,000 payment records.

Finance professionals, in particular, are in the firing line. 33,568 finance department email addresses have been exposed in third-party breaches and are circulating on criminal forums. Of these, 83% (27,992) have passwords associated with them. Digital Shadows detected criminals specifically searching for company emails that contained common accounting domains such as “ap@,” “ar@”, “accounting@,” “accountreceivable@,” “accountpayable@” and “invoice@.” These credentials are considered so valuable that one individual is offering up to $5,000 for a single username and password pair.

For criminals looking to outsource their work, Digital Shadows noted that business email compromise ‘as a service’ is widely available for as little as $150 – with results available in a week or less. Alternatively, some cybercriminals are offering a percentage revenue share of the total earnings in return for access to inboxes. As an example, one cybercriminal specializing in the construction sector, engaged with Digital Shadows via the Jabber instant message service offering a 20% cut of the total proceeds that could be harvested from exploiting email vulnerabilities.

Rick Holland, the Chief Information Security Officer at Digital Shadows comments: “Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down. Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online. With the right knowledge it is relatively easy for cybercriminals to find whole email boxes and accounting credentials – indeed we found criminals actively looking for them.

Holland continues: “Naturally as the return on investment from acquiring such sensitive information are so high, we also found cybercriminals actively collaborating with each other to target specific companies. Organizations can never mitigate these issues entirely; however, it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum.”

Digital Shadows recommends these seven steps for organizations that want to reduce their risk:

  1. Update security awareness training content to include the Business Email Compromise (BEC) scenario
  2. Include BEC within incident response/business continuity planning
  3. Work with wire transfer application vendors to build in manual controls, as well as multiple person authorizations to approve significant wire transfers
  4. Continuously monitor for exposed credentials. This is particularly important for finance department emails
  5. Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start with using Google Alerts to track new web content related to them
  6. Prevent email archives being publicly exposed
  7. Businesses should be aware of the risks of their contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.

The full report entitled ‘Pst! Cybercriminals on the Outlook for Your Emails’ is available to download at:

A blog with further context is available at:


Digital Shadows enables organizations to manage digital risk by identifying and eliminating threats to their business and brand. We monitor for digital risk across the widest range of data sources within the open, deep and dark web to deliver tailored threat intelligence, context and actionable remediation options that enable security teams to be more effective and efficient. Our clients can focus on growing their core business knowing that they are protected if their data is exposed, if employees or third parties put them at risk, or if their brand is being misused. To learn more, visit


Digital Shadows
Susan Helmick

Release Summary

Digital Shadows today announced the findings of new research revealing the diversity of methods used to infiltrate company emails.


Digital Shadows
Susan Helmick