FBI warns of BEC scammers using email forwarding | Ion Bank
Email forwarding

Back in 2020, the FBI warned consumers that cybercriminals are increasingly implementing auto-forwarding rules on victims’ web-based email clients to conceal their activities. According to the FBI, cybercriminals then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise (BEC).  This is now of concern once again.

Should you disable external email auto-forwarding?

Mail rules can be abused by attackers to get stealthy, persistent access to a mailbox, leak data and facilitate high-impact Business Email Compromise.

Automatic email forwarding is a significant security risk because when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent your accounts from being compromised.

It’s important to recognize that adding a malicious mail rule to a user’s mailbox is a post-compromise activity. That is, an attacker has already compromised the victim somehow – compromised their password, deployed malware on their machine, performed consent phishing etc. – they already have access to their mailbox.

What is the difference between redirecting emails vs. auto forwarding:

This rule will redirect the emails as if they came directly from the original sender’s email address. If you have auto forward enabled, your email will be forwarded to another email address, but you will not be able to reply to the original sender.

Why disable email forwarding?

If a hacker gains access to a user’s mailbox, they can auto-forward the user’s email to an outside address and steal proprietary information.

These are just a few instances as to when you should immediately change your password:

Your account was hacked

If you think someone has hacked your account, it’s important to act fast and change your password. Did everyone in your address book get a strange email that looks like it’s from you? Change your email password. This can help limit the amount of time a cybercriminal has access to your account.

After a data breach:

If you are made aware of a data breach from a company you may do business with or have done business with, you’ll want to change the password for any affected accounts. If you use that password for any other websites, you’ll definitely want to change your password to those accounts. If hackers get access to your password, they may try it on multiple websites to see what else they can steal.

You discover malware:

Your personal information could be at risk if malware infects your computer. If you have quality antivirus software and it detects malware, you’ll want to change your passwords.


When it comes to passwords, most of us would love nothing more than to set it and forget it. But that’s exactly what hackers are hoping for in fact, it makes their job a lot easier. This means the best line of defense is frequent password changes.

How to create a strong password:

A good password can make it more difficult for hackers to access your accounts. But what exactly makes a strong password? Here are a few examples;

It’s used only for one account. While it can be easy to use similar passwords for multiple accounts, hackers might be able to get into your other online accounts if they access just one.

It’s at least 12 characters long. To make it easy to remember, use a lyric from a song or name of a book Or make an abbreviation from the words in a sentence.

It’s a complex password. Include at least one capital letter, one number, and one symbol. There is readily available software than can guess a password, whether the password has 8 letters or 12. But a 12-character password with at least one uppercase and one lowercase letter, number, and a special character would take 34,000 years to crack. You can also create a passphrase. That’s a string of words that can be up to 100 characters long. Keep in mind that 90% of non-complex passwords can be cracked in less than 6 hours.

It’s hard to guess. Don’t use information that people who know you or look at your social media can guess. Avoid personal information like your nickname or initials, birthday, address or street name, or a child or pet’s name.

Lastly: Do not use common words like “password” or “qwerty.” You’d be surprised how many people use “password123” or “123456” as a password. A cybercriminal would not.

Does changing your password make it more secure?

Passwords should also be unique for each one of your account. We recommend changing passwords every 90 days or so. 80% of all cyber security attacks involve a weak or stolen password. Changing your password quarterly reduces your risk of exposure and avoids a number security dangers.

Attention: You are leaving the Ion Bank website.

The links to third party websites are provided solely as a matter of convenience to the visitors of the Ion Bank ("Bank") website. When you use a hyperlink to visit the website of another person or entity, you leave the Bank's website. Your use of hyperlinks to the websites of others is at your own risk.

The content, accuracy, and opinions expressed and other links provided by these resources are not investigated, verified, monitored or endorsed by the Bank. The Bank has no responsibility for products and services offered through another entity's website. The Bank makes no warranties as to the operation or usefulness of other websites. Other website operators may collect information about you and use such information in accordance with their policies and procedures. If you have any questions about another entity's use of your personal information, you should review that entity's privacy policies and/or ask that entity directly. We are not responsible for another entity's use of your information.

Click the OK button to leave Ion Bank's Internet site. Click the Cancel button to return to the previous page.