Indicators of compromise
These are examples of indicators of a business email compromise attack.
Unusual messages requesting financial or data information
Although the email might come from a genuine account, pay attention to:
- changes in language, especially in tone or urgency
- any requests to bypass normal procedures to access information
Always follow your financial and data protection procedures and verify with your SLT.
Unusual payments to unknown recipients
These may be:
- outside of your regular payment schedule or window
- from trusted suppliers that have been compromised
Make sure all payments are verified with:
- your SLT
- the user requesting payment
- financial teams
Unauthorised changes to payroll or personal information
If a user reports a change to their payment information that they have not made, verify the change with the HR or finance team before sending any payments.
If the change has not been authorised, tell your HR or finance team to block any payments to that account. If possible, disable the account and change the passwords so only the authorised user has access.
Login attempts at unusual times or places
Pay attention to:
- login attempts from countries that have no relation to your school
- users attempting to access their accounts while away or on leave – verify any activity directly with them
- accounts accessed outside of typical hours for that user
Multiple failed login attempts before a successful login
Users sometimes forget login information, so having a clear recovery process is important. If there are multiple failed login attempts in a short period of time, contact the user directly to check it was caused by them.
If multiple consistent failed attempts lead to a successful attempt, this may indicate a successful “brute force attack”. That account should be disabled or isolated as soon as possible.
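As an added illustration that is not part of the original guidance, the following Python script applies the sign-in indicators from the last two sections (unexpected countries, logins outside typical hours, and a run of failures followed by a success) to constructed sample sign-in records. The expected country list, typical hours, failure threshold and time window are assumptions that each school would set for itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed settings for a school; adjust to your own working pattern and policy.
EXPECTED_COUNTRIES = {"GB"}        # countries with a relation to the school
TYPICAL_HOURS = (7, 19)            # successful sign-ins outside 07:00-19:00 are unusual
FAIL_THRESHOLD = 5                 # failures before a success that suggest brute force
WINDOW = timedelta(minutes=10)     # the "short period of time" for counting failures

# Constructed sample sign-in records: (timestamp, user, country code, outcome).
# "XX" is an ISO 3166 user-assigned code, standing in for a country with no
# relation to the school. None of these records come from a real system.
SAMPLE_EVENTS = [
    ("2024-03-04 03:12", "p.jones", "XX", "success"),
    ("2024-03-04 08:55", "j.smith", "GB", "success"),
    ("2024-03-04 09:30", "l.brown", "GB", "fail"),
    ("2024-03-04 09:31", "l.brown", "GB", "fail"),
    ("2024-03-04 09:32", "l.brown", "GB", "success"),   # forgot password: below threshold
] + [("2024-03-04 12:0%d" % m, "a.khan", "GB", "fail") for m in range(6)] + [
    ("2024-03-04 12:06", "a.khan", "GB", "success"),    # six failures then success
]


def find_indicators(events):
    """Return (user, indicator) pairs for each record that matches an indicator."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of failures not yet resolved
    for stamp, user, country, outcome in sorted(events):
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        # Any attempt, failed or successful, from an unrelated country is an indicator.
        if country not in EXPECTED_COUNTRIES:
            alerts.append((user, "unexpected_country"))
        if outcome == "fail":
            recent_fails[user].append(ts)
            continue
        if not TYPICAL_HOURS[0] <= ts.hour < TYPICAL_HOURS[1]:
            alerts.append((user, "out_of_hours"))
        # Count failures inside the window before this success, then reset the run.
        fails = [t for t in recent_fails[user] if ts - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((user, "brute_force"))
        recent_fails[user] = []
    return alerts


if __name__ == "__main__":
    for user, indicator in find_indicators(SAMPLE_EVENTS):
        print(f"{user}: {indicator}")
```

Each alert is a prompt to verify the activity directly with the user and, for a suspected brute force, to disable or isolate the account as the guidance above describes.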