Neither Phish nor Flash: How Cyber-Criminals Target Business Email Inboxes Without Phishing

  • Date 04 Jun 2019

Neither Phish nor Flash: How Cyber-Criminals Target Business Email Inboxes Without Phishing

04 Jun 2019, 12:00 - 12:25

Strategy Talks

Well-resourced actors typically access business email accounts through targeted phishing campaigns or using information-stealing malware. The barriers to entry, however, have fallen dramatically, with cyber-criminals able to gain access to inboxes in other ways. In this talk, attendees will learn how cyber-criminals access inboxes without the need to phish, including: Business Email Compromise-as-a-service offerings sold on criminal forums; reusing credentials available in breaches or third-party leaks; and through the 12.5 million email archive files exposed across online file stores. The talk will also cover security measures and processes to help organisations avoid becoming victims of these campaigns.

Learning Outcomes:

  1. Understand the declining barriers to entry for this type of BEC fraud, including methods that have hitherto been under-discussed. By understanding these methods, organisations can ensure their training measures and technical defences are appropriate to the threat.
  2. Realise how BEC attacks are not always about requesting wire transfers, they are often about gaining access to sensitive documents. This is of vital importance for accounting and finance departments to be aware of. 
  3. Learn how measures around compromised credentials and business processes for wiring funds can protect against BEC, such as  multiple person authorisations to approve significant wire transfers.
  4. The dangers of improperly secured email archives. Attendees will learn how to ensure any online file-sharing services, like rsync, FTP and SMB are not inadvertently misconfigured and exposing sensitive emails.
  5. How cybercriminals solicit BEC-services. This is revealed through a HUMINT engagement conducted by Digital Shadows, where a cybercriminal targeted email inboxes of finance departments across more than 100 construction, higher education, and public health sector targets.



  • James Chappell


    Co-founder and Chief Innovation Officer

    Digital Shadows

    James has led teams in Infosec and Cybersecurity since 1997, working across the private sector and government organizations. He spent over ten years...

Business Issues covered

  1. What will this session help you to do?
    • Mitigate the effects of new vulnerabilities and exploits‎
    • Understand internal and external threats and keep a business secure‎


We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies.