Business emails could represent a major security flaw for UK companies, after it was revealed millions of account details are openly available for purchase through criminal networks and on the dark web.
The financial details of almost 5,000 UK companies were found to be exposed in third-party breaches and sit within criminal forums, including email addresses and matching passwords, research from cybersecurity firm Digital Shadows will today reveal.
Poor security practices such as not updating backups have left over 12m email archives, including entire company inboxes, available to buy on networks. Analysts also discovered that sensitive information was freely available via a stockpile of 27,000 invoices, 7,000 purchase orders and 21,000 payment records.
Email addresses for finance departments were particularly targeted, with more than 33,000 emails listed on networks. Such credentials are considered highly valuable, with one email address and password set fetching $5,000 (£3,843).
Recent research from the FBI suggested scams resulting from business email compromise, such as fake invoices, have cost businesses $12bn globally over the last five years.
Digital Shadows executive Rick Holland warned it is relatively easy for cybercriminals to find whole inboxes and accounting credentials, and in some cases, bidders actively request them.
"Phishing continues to be a very serious problem associated with business email compromise but unfortunately, we discovered that is far from the only risk, especially as barriers to entry for this type of fraud are coming down," Holland explained.
"Millions of companies are already exposed through misconfiguration issues or finance department emails and passwords circulating online."
"Organisations can never mitigate these issues entirely; however, it is within their power to at least tighten up on their own processes to ensure that their data exposure is kept to a minimum."