We’ve seen clients lose hundreds of thousands of dollars to fraudulent wire transfers because they didn’t protect their email. Yet when I encourage some of those clients to strengthen their security posture and implement multi-factor authentication, I get the usual “We don’t have trade secrets in our email” pushback.
Even if that’s true, and even if they wouldn’t mind someone sending email as them (think of all the havoc that could wreak beyond wire transfer fraud), I encourage our clients to think about every site where they use their work email address as their username: their domain name registrar, their website host, social media sites, vendor sites where their credit cards are stored, their payroll service, and so on.
A bad actor with access to that mailbox can take over every one of those accounts simply by initiating a password reset: the reset link goes to the work email account, which the bad actor now controls.
A smart bad actor would go after your domain name registrar first and transfer the domain to a registrar under their own control, at which point it’s game over. Getting a hijacked domain back through the registrar dispute process is slow and uncertain, and in the meantime whoever holds the domain controls its DNS, including the mail (MX) records, so every message and every password reset for every mailbox on your domain now lands with them. Worse, they can use the domain to destroy your business’ online reputation.
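One practical check to go with the registrar warning above, written for this edit and not code from the original post: the registrar lock (EPP status clientTransferProhibited, spelled “client transfer prohibited” in RDAP) makes a registry refuse a transfer request until the registrant clears the lock in the registrar’s control panel, which is exactly the step that MFA at the registrar protects. The script assumes the JSON shape of an RDAP domain lookup (RFC 7483) and the status names of RFC 8056; both records in it are constructed sample data, not real lookups.

```python
"""Registrar lock check on an RDAP domain record.

Added example for this article, not code from the original post. It assumes
the JSON shape of an RDAP domain lookup (RFC 7483) and the status names of
RFC 8056 ("client transfer prohibited" is the RDAP spelling of the EPP
clientTransferProhibited lock). Both records below are constructed sample
data, not real lookups.
"""
import json

# Locks that stop the hijack described above: with "client transfer
# prohibited" set, a transfer request is refused until the registrant
# (behind the registrar's MFA) clears the lock. The "server" form is set
# by the registry itself.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}

# Full set a registrant should keep enabled on a domain it cares about.
RECOMMENDED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def domain_lock_report(rdap_json: str) -> dict:
    """Return the domain name, whether it is transfer-locked, and which
    recommended locks are absent."""
    record = json.loads(rdap_json)
    statuses = set(record.get("status", []))
    return {
        "domain": record.get("ldhName"),
        "transfer_locked": bool(statuses & TRANSFER_LOCKS),
        "missing_locks": sorted(RECOMMENDED_LOCKS - statuses),
    }


# Constructed sample: a domain with all three client locks set.
LOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": [
        "client transfer prohibited",
        "client update prohibited",
        "client delete prohibited",
    ],
})

# Constructed sample: a domain left with only the default "active" status,
# which is the state an attacker with mailbox access can transfer away.
UNLOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.net",
    "status": ["active"],
})


if __name__ == "__main__":
    for sample in (LOCKED_DOMAIN, UNLOCKED_DOMAIN):
        report = domain_lock_report(sample)
        flag = "OK" if report["transfer_locked"] else "AT RISK"
        print(f"{report['domain']}: {flag}; missing locks: {report['missing_locks']}")
```

To run it against a real domain, fetch the record from the registry’s RDAP server (IANA publishes the RDAP bootstrap registry that maps TLDs to servers) and pass the response body to domain_lock_report. The check only tells you whether the locks are set; it cannot tell you whether MFA is enabled on the registrar account that can clear them, which is the other half of the protection.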
Against all of those downsides, checking the authenticator app on your phone for a 2FA code once in a while seems trivial, doesn’t it?