Securing the corner office at home: How CEOs can protect their personal email
Clayton Coffey
Senior Security Strategy Consultant, Mandiant Consulting
While your company is busy fortifying your corporate accounts, your personal email — that treasure trove of family photos, online shopping confirmations, and even "password reset" links — is a surging frontier for cyberattacks.
Recently, we’ve seen AI-powered voice spoofing attacks, deepfake scams stealing millions of dollars, and North Korean IT workers posing as legitimate job applicants in the hope of infiltrating organizations. We’ve also seen steady growth in business email compromise (BEC) attacks, which target executives, and an increase in personal email compromise (PEC).
PEC is less well-understood and less protected against than the far more common BEC, but personal email accounts can still represent a serious risk to businesses and organizations. At a minimum, compromise of these accounts can lead to reputational risk for both the organization and the executive.
However, Mandiant has witnessed attackers using PEC to further their goals of corporate credential and device compromise, and we’ve seen evidence in Mandiant investigations of PEC on the rise this year. Everyone should be on higher alert for the threat it represents.
Phishing attacks over email nearly doubled from 2022 to 2023, according to our M-Trends report. Executives are attractive targets for cybercriminals because of their public profiles: information shared on LinkedIn, in earnings reports, and in news articles can be pieced together to craft spear-phishing campaigns designed and tailored uniquely for the victim.
Mandiant has witnessed highly-targeted attacks in which the attacker first performs reconnaissance to identify an executive’s hobbies or memberships. Having identified, for example, a charitable foundation or country club that the target belongs to, the attacker then compromises that organization, which often has weak cybersecurity of its own. From there, malware and phishing lures can be sent to the executive from email addresses the executive already trusts, potentially leading to compromise.
Strategies to protect your personal email
Everybody in an organization is responsible for cybersecurity, but the responsibility for protecting personal email accounts falls almost solely on you. To remain vigilant of the aforementioned threats and protect yourself, consider these strategies and techniques.
You can better protect your personal data when you:
- Use multiple email accounts to separate your digital life. For example, use one email address solely for banking and another for online shopping. This limits the damage if one account is compromised, so that your entire digital identity isn’t at risk of exposure. Remember that the recovery email address or phone number on an account is a way into it, so protect the recovery account at least as well as the account it recovers.
- Limit the amount of information you share on social media and other publicly-available sources to minimize the intelligence an attacker can gather.
There are technical steps you can take, too. We strongly recommend using multi-factor authentication (MFA) to help protect email and other online accounts, which adds a second form of identity verification to the login process. It may seem burdensome, but there’s a good chance that you already use MFA — such as when you use a PIN with your ATM card to access your bank account.
We advise using the strongest form of MFA available to you for all of your online accounts, such as a passkey or security key.
There are more MFA choices for email accounts, including software-based one-time passcodes generated by an app (such as Google Authenticator) and hardware-based USB security keys that you must insert into your device and touch to activate (such as YubiKey and Google’s Titan Security Key). The distinction matters: a six-digit code can be typed into a convincing phishing page and relayed to the real site within its short validity window, whereas a security key or passkey only answers for the website it was registered with, so a look-alike phishing domain cannot reuse it.
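The difference between those two MFA families is worth seeing concretely. The following Python is an added illustration, not code from the original post or from Google or Mandiant: it implements the RFC 6238 TOTP algorithm that authenticator apps use and a simplified model of a WebAuthn-style passkey or security-key assertion, then runs the same relay-phishing attack against both. The origins `https://mail.example.com` and `https://mail-example.com.login-help.test`, the fixed challenge and the device secret are constructed for the example, and an HMAC stands in for the authenticator’s ECDSA signature (an assumption that keeps the code standard-library only); the origin-binding check is the part that matches the real protocol.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- Factor 1: app-generated one-time code (TOTP, RFC 6238) ----------------

def totp(secret_b32, unix_time, step=30, digits=6):
    """Standard TOTP: HMAC-SHA1 over the 30 s time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, unix_time, step=30):
    """Server-side check with the usual one-step clock-skew tolerance."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + skew * step), submitted)
               for skew in (-1, 0, 1))

def totp_relay_attack(secret_b32, now):
    """Victim types the code into a phishing page; the attacker forwards it to
    the real site two seconds later. Returns True if the real site accepts it."""
    code_typed_into_phishing_page = totp(secret_b32, now)
    return verify_totp(secret_b32, code_typed_into_phishing_page, now + 2)

# ---- Factor 2: origin-bound assertion (WebAuthn-style passkey / security key) ---

def make_assertion(device_key, challenge, browser_origin):
    """The browser, not the user, writes the origin it is actually on into
    clientDataJSON, and the authenticator signs a hash of it. In real WebAuthn
    the signature is ECDSA over authenticatorData || SHA-256(clientDataJSON);
    HMAC-SHA256 stands in here (simplification made for this example)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).decode(),
        "origin": browser_origin,
    }, sort_keys=True).encode()
    sig = hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}

def verify_assertion(device_key, assertion, expected_challenge, expected_origin):
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, then signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != base64.urlsafe_b64encode(expected_challenge).decode():
        return False
    if client_data.get("origin") != expected_origin:
        return False  # produced on another site: this is the phishing case
    expected_sig = hmac.new(device_key, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def passkey_relay_attack(device_key, real_origin, phishing_origin):
    """Same relay attack: the assertion is produced while the victim is on the
    phishing origin and forwarded to the real site. Returns True if accepted."""
    challenge = bytes(range(32))  # constructed; a real RP issues fresh random bytes
    assertion = make_assertion(device_key, challenge, phishing_origin)
    return verify_assertion(device_key, assertion, challenge, real_origin)

if __name__ == "__main__":
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret "12345678901234567890"
    DEVICE_KEY = b"constructed per-site device key"  # stands in for the passkey private key
    print("TOTP relayed by phisher accepted:", totp_relay_attack(SECRET, 1234567890))
    print("Passkey assertion relayed by phisher accepted:",
          passkey_relay_attack(DEVICE_KEY, "https://mail.example.com",
                               "https://mail-example.com.login-help.test"))
```

The relayed TOTP code is accepted because nothing in a six-digit code says where it was typed; the relayed assertion is rejected because the browser recorded the phishing origin in the signed data. A real browser adds a second layer on top of this: it will not even offer a credential registered for `mail.example.com` to a page on another domain.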
MFA is the top security mechanism that should be implemented for all personal accounts, and when implemented properly it can often negate other poor account security practices. This is our strongest recommendation for personal account security. You can also:
- Use a dedicated password manager to store account information and more easily manage unique passwords. Most password managers can also help you create long, complex, and unique passwords.
- Use a unique password for each account stored in the password manager. Reusing passwords means that a data breach for one account may lead to compromise of unrelated accounts that use the same password.
How Gmail can help
Google makes it easy to harden your Gmail account and protect against the aforementioned threats — making personal email compromise much more difficult for an attacker to execute. We recommend enrolling in Google’s Advanced Protection Program, our strongest form of account security that provides protections from phishing, fraudulent access to data, and malicious downloads.
Advanced Protection requires strong MFA, so enroll with your security key or passkey. We also recommend performing a Google Account Security Checkup as well as a Password Checkup.
You can check Have I Been Pwned to find out if your email has been part of a larger breach. If it has been “pwned,” we advise changing the password out of an abundance of caution.
What to do if you suspect your account is compromised
If you suspect that you have been the victim of a PEC, the worst thing that you can do is remain silent and attempt to fix the situation yourself. While you are busy running a business, the attacker likely has more technical knowledge and can dedicate their time to thwarting your attempts to regain control of your account.
The first thing you should do is reset the password on every account you can, starting with the most critical ones, so that the attacker’s access does not spread. A password reset alone may not end the intruder’s access, so also sign out all other devices and sessions, and check each account for mail forwarding rules, filters, app passwords, and changed recovery email addresses or phone numbers that the attacker may have added to keep a foothold. Next, notify your corporate cybersecurity team, since the attacker may turn their gaze towards your corporate environment next.
Learn more
Google has easy-to-follow instructions to make your personal Google account more secure. You can also stay current on threat research at our Threat Intelligence blog.