Conversation Interception: What it is, warning signs, and how to stop email thread hijacks

Conversation Interception

What it is

Conversation interception is when attackers sneak into an email thread—by hacking a mailbox or buying stolen archives—and quietly read along. Once they know the context, they can impersonate one side (e.g., a supplier or buyer) to reroute payments, change delivery details, or derail deals.

How it works 

  • Access: stolen passwords, malware on a device, or purchased mail archives.

  • Eavesdrop: attacker learns names, amounts, timelines, tone, and signatures.

  • Impersonate: they reply in-thread from the real account or a look-alike domain to change banking details or send booby-trapped files.

Red flags

  • Sudden banking changes or “urgent” updates mid-thread

  • Subtle domain look-alikes (vendor-pay.com vs vendorpay.com)

  • Odd tone, spelling, or new contacts CC’d without reason

  • Attachments or links replacing previously shared docs

If you suspect it (fast steps)

  1. Stop payments/shipments and verify by phone using known numbers.

  2. From a clean device, change email passwords and turn on MFA.

  3. Review mail rules/forwarders and remove anything unfamiliar.

  4. Check recent login history; sign out of other sessions.

  5. Inform partners and finance; preserve logs for investigation.

Prevent it

  • MFA on all mailboxes; block legacy, password-only protocols.

  • Train teams: never accept banking changes by email alone—verify out-of-band.

  • Use allowlists for payee accounts; require a second approver for changes.

  • Monitor for auto-forward rules, impossible travel logins, and look-alike domains.

  • Keep endpoints protected (EDR/AV) and patched.
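One way to monitor for look-alike domains, shown as an added example that is not part of the original article. The partner list, the character-swap table and the distance threshold are assumptions made for illustration; the vendorpay.com and vendor-pay.com pair comes from the red-flag list above.

```python
"""Flag sender domains that imitate, but do not equal, a known partner domain."""

# Constructed allowlist of partner domains (assumption for this example).
KNOWN_DOMAINS = {"vendorpay.com", "example-supplier.com"}

# Character swaps often seen in look-alike registrations (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def skeleton(domain: str) -> str:
    """Collapse a domain to a comparison form: lowercase, swaps undone, 'rn' -> 'm'."""
    return domain.lower().strip(".").translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    if domain in known:
        return "known", domain
    for good in sorted(known):
        # Same skeleton: hyphen/digit tricks such as vendor-pay.com or vend0rpay.com.
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
        # Small edit distance: dropped, added or swapped characters.
        if edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, not taken from real mail.
    for sender in ("ap@vendorpay.com", "ap@vendor-pay.com", "ap@vend0rpay.com",
                   "ap@vendorpay.co", "hello@unrelated.org"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict on a message in an existing thread is a reason to hold any requested banking or delivery change until it is verified out-of-band; "unknown" senders still need normal review, since the check only compares against the listed partner domains.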
