By Anthony Haggerty, Platform Team Supervisor, Locknet Managed IT
Email remains a favorite target for attackers, and for good reason. Email is the digital front door to your organization, containing sensitive communications, financial data, and access to critical systems. One of the most damaging forms of attack is email hijacking, a deceptive and often undetected tactic that can lead to wire transfer fraud, data breaches, and serious financial and reputational consequences.
So, what exactly is email hijacking, and more importantly, how can your business defend against it?
What Is Email Hijacking?
Email hijacking occurs when a cybercriminal gains unauthorized access to a legitimate email account or uses spoofed and lookalike domains, known as typosquatted domains, to impersonate the account holder. This dual approach, using real accounts alongside deceptive domains, makes hijacked emails highly convincing and difficult to detect.
Once inside a compromised inbox, attackers can:
- Monitor conversations silently over time
- Send fraudulent emails to clients, employees, or vendors
- Request wire transfers or sensitive financial data
- Alter invoices or payment instructions
- Redirect funds to fraudulent accounts
- Spread ransomware or malware via links or attachments
This type of attack is especially dangerous in the context of wire transfer conversation hijacking, where an attacker inserts themselves into an ongoing email thread between a business and a client or vendor, often just before a wire transfer is scheduled to occur. Because the attacker has full access to real email threads, they can convincingly change banking details, set up a typosquatted domain, and trick recipients into sending large sums of money to fraudulent accounts.
How Email Thread Hijacking Happens
Email thread hijacking usually begins with credential theft, which can occur through:
- Phishing emails designed to trick users into entering their login details
- Reused passwords across multiple platforms
- Malware or keyloggers installed on a device
- Weak or misconfigured security settings
Once they gain access, attackers often create forwarding rules to monitor email conversations, delete login alerts and sent messages, and wait for an opportune moment, like a wire transfer, to execute their scheme.
Signs Your Email May Be Hijacked
Common red flags of email hijacking include:
- Suspicious login activity or password changes
- Clients or partners receiving odd or urgent financial requests from your account
- New auto-forwarding rules you didn’t create
- Missing or deleted sent items
- Changes to payment or invoice instructions that no one authorized
7 Tips to Stop Email Hijacking and Wire Fraud
Stopping email hijacking, and the wire fraud it often facilitates, takes a multi-layered strategy. Here’s where to focus:
- Enable Multi-Factor Authentication (MFA)
MFA significantly reduces the chance of unauthorized access. Even if an attacker gets a password, they won’t get in without a second layer of verification.
- Use strong, unique passwords
Educate employees about using complex, unique passwords and encourage the use of password managers. Avoid reusing passwords across systems.
- Monitor for suspicious activity
Leverage security reports to watch for unusual login patterns, foreign access attempts, or new forwarding rules.
- Audit and restrict email forwarding rules
Regularly review email rules, especially automatic forwarding to external domains. Disable or restrict this function unless there’s truly a verified business need.
- Create and enforce a wire transfer verification process
Establish a dual-approval process for all wire transfers. No banking information should ever be changed based solely on email communication – always verify via a second channel, such as a phone call to a known contact.
- Educate employees on phishing and social engineering
Security training is key. Teach staff how to identify phishing attempts, suspicious messages, and tactics used in business email compromise (BEC) scams. Reinforce this regularly through simulated phishing tests and awareness campaigns.
- Develop a clear incident response plan
Your response plan should include:
  - Immediate steps to secure a compromised account
  - Procedures to notify affected stakeholders and financial institutions
  - Guidance on internal communications
  - Documentation requirements for legal and regulatory compliance
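The forwarding-rule audit recommended in the tips above, and the rule abuse described under "How Email Thread Hijacking Happens", can be automated over a periodic export of mailbox rules. The following is an added example, not code from the original article; the record schema, internal domain list, keyword list and sample rules are hypothetical and constructed for illustration.

```python
# Added example: audit exported mailbox rules for hijack indicators.
# The record schema and sample rules are constructed (hypothetical); map
# your mail platform's rule export onto these fields before using it.
INTERNAL_DOMAINS = {"example.com"}
# Subjects an intruder would want hidden from the mailbox owner (assumed list).
ALERT_WORDS = ("sign-in", "password", "security alert")

SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Newsletters", "delete": False,
     "forward_to": [], "subject_contains": ["newsletter"]},
    {"mailbox": "cfo@example.com", "name": ".", "delete": False,
     "forward_to": ["archive@mailbox-backup.example.net"],
     "subject_contains": []},
    {"mailbox": "ap@example.com", "name": "cleanup", "delete": True,
     "forward_to": [], "subject_contains": ["Security alert", "password"]},
]


def audit_rule(rule, internal=INTERNAL_DOMAINS):
    """Return a list of findings for one rule (empty list means no finding)."""
    findings = []
    for addr in rule.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal:
            findings.append(f"forwards externally to {domain}")
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    hits = [w for w in ALERT_WORDS if any(w in s for s in subjects)]
    if rule.get("delete") and hits:
        findings.append("deletes messages matching: " + ", ".join(hits))
    return findings


def audit_all(rules):
    """Return (mailbox, rule name, findings) for every rule with findings."""
    report = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.append((rule["mailbox"], rule["name"], findings))
    return report


if __name__ == "__main__":
    for mailbox, name, findings in audit_all(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {'; '.join(findings)}")
```

Each finding should be confirmed with the mailbox owner; a rule the owner did not create is one of the red flags listed earlier.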
Email Hijacking Is a Financial Risk, Not Just an IT Issue
Email hijacking isn’t just about stealing information – it’s about stealing money. Attackers are leveraging trust and timing to carry out sophisticated wire fraud scams, often without triggering technical alarms. That’s why security tools alone aren’t enough. Organizations must pair technology with strong internal policies – especially when it comes to wire transfer verification protocols.
This article was originally published on Locknet Managed IT on June 16, 2025 and has been republished here with permission.