One of the key capabilities of an email security solution is the ability to detect anomalies. When something happens that's out of the ordinary, it can be a sign that malicious behavior is afoot.  

It’s key because it happens a lot. In one study, Javelin Research found that account takeover increased by a whopping 90% in 2021. These losses totaled $11.4 billion, making up nearly a quarter of all identity fraud losses in 2021.  

This correlates with the data that HEC researchers see. In March alone, we saw 1,345 unique compromised accounts. Of those, 783 began sending out phishing or spam messages. That’s a 179% increase from the previous month. 

Hackers can take over an account in many ways, and they can do many things once they are there.

One of the most classic examples is the Direct Deposit change. 

In this attack brief, Avanan researchers will discuss how hackers use compromised accounts to switch banking information.


In this attack, hackers are taking over legitimate email accounts and then using it to ask finance or HR to change banking information on payroll to that of the hacker. 

  • Vector: Email
  • Type: Account Takeover
  • Techniques: Social Engineering, Financial Fraud
  • Target: Any end-user


Email Example 



There are a number of stages to this attack. The first happens before this email is ever sent. 

In this attack, a hacker has already taken over someone’s email address. How did that happen? Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. A breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that makes it possible for attackers to gain temporary access by requesting a password change. 

Once the hacker has access to someone’s email, then they can start sending out attacks. With this account already compromised, the attacker goes to work. In this particular case, the hacker disguises as an employee to send an email to HR, asking for the direct deposit of their paycheck to be sent to a different bank account. 

It’s not crazy for someone to email HR or finance and ask for their paychecks to be deposited somewhere else. People change banks all the time; sometimes people want the money split into multiple accounts. Whatever it is, it’s not unusual to receive this sort of request.

So in this case, when a hacker does it, the idea is for the company to deposit the next pay period into their account, not the actual employee’s. At some point, the actual employee is going to realize that their pay didn’t reach their account. But, for at least one pay period, the hacker might be able to get away with it. 

Once an attacker has control of an account, they have free reign to try anything. Send malicious emails that link to Trojans; send files infected with malware, or try to get money deposited into their account. The Direct Deposit Change is a classic of the genre. It may be simple, but it can be devastating. 


An organization can monitor for warning signs that an employee’s account has been compromised. Some key indicators include: 

  • Failed Logins: Account takeover attacks that attempt to guess or stuff credentials on online portals can generate a large number of failed detections. Monitoring for these failed login attempts can help with detecting some types of account takeover threats. 
  • User Analytics: Users typically have certain patterns of behavior, logging in at certain times from specific places, etc. Access attempts that break these patterns of behavior can be warning signs of a compromised account. 
  • Insecure Configurations: Cybercriminals will commonly disable security controls and set up unusual configurations such as mail filtering and forwarding. These types of changes may indicate that a user account has been compromised. 

It’s imperative to monitor these–and many more. 

But monitoring is tough, because employees may take action quickly. Think about the above email. If you’re in finance or HR and you receive that email, would you think it’s suspicious? Everything about the email is clean. It comes from the actual email address of the employee. There are no links or malware embedded. It looks perfectly fine and the setup is plausible, too. You can’t confirm that the bank information they are requesting is actually theirs. 


So yes, implementing account takeover in email is key. Another key? Real-time abilities. Finding out that an account was taken over immediately after the malicious login is critical to prevent the hackers from gaining access to what they shouldn't see or using the account as a jump-board to launch additional attacks. 

So, now that you have accurate detection in real-time, what next? 

Automation is important because you often don't have time to wait for someone to review every event. It is vital to revoke the hacker's access to the account immediately before any damage is done. Otherwise, your organization could be in a world of trouble.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Implement security that uses AI to look at multiple indicators of account compromise
  • Implement security that allows for the automatic blocking of compromised accounts
  • Consider implementing stricter policies for submitting direct deposit or any other HR-related changes