Corporate email accounts are among the most exploitable entry points for scammers.
Phishing, ransomware and business email compromise (BEC) attacks cost companies billions of dollars annually, often originating from compromised email credentials.
That’s why the news this week (Oct. 30) that Amazon’s WorkMail enterprise email service now supports multi-factor authentication (MFA) through integration with Amazon Web Services (AWS) IAM Identity Center was so surprising to cyber-risk-aware observers.
Multi-factor authentication requires users to confirm their identity using two or more authentication factors. This generally includes something they know (like a password), something they have (such as a smartphone or security token) or something they are (like a fingerprint or facial recognition). With MFA, even if a hacker manages to obtain a password, they would need the additional authentication factor to gain access to the account.
What is so surprising is not that Amazon embraced MFA, but that it took Amazon eight years to implement the security feature across its email business. Even now, according to AWS documentation, MFA won’t be an automatic feature: administrators running WorkMail will still need to configure it by manually adding each WorkMail user to the IAM Identity Center.
While Amazon’s WorkMail is far from a leader in the enterprise email space, behind platforms from the company’s Big Tech competitors like Microsoft Outlook and Alphabet’s Google Workspace, the lack of prioritization around low-hanging cybersecurity fruit has led its corporate users to repeatedly push for greater security functionality over the years.
It also comes against a backdrop in which one of Amazon’s flagship products, Amazon Web Services (AWS), announced earlier in the summer that it was pushing ahead with making MFA mandatory for certain users.
Email is often the primary mode of communication for businesses, containing sensitive data, client information and internal discussions.
Phishing attacks remain one of the most common tactics cybercriminals use to steal login credentials. By mimicking trusted sources, attackers trick employees into revealing their usernames and passwords. MFA helps counteract this by requiring a second form of verification, such as a one-time code sent to an employee’s mobile device, making it much more difficult for attackers to gain unauthorized access even if they have acquired the account’s password.
BEC attacks, where hackers infiltrate legitimate corporate email accounts to impersonate executives, initiate fraudulent payments or acquire sensitive information, can be devastating for companies. The FBI estimates that BEC scams cost businesses billions each year. MFA adds a robust layer of protection by ensuring that accessing an email account requires more than just a password, making it harder for attackers to exploit accounts even if they’ve managed to steal login credentials.
In an interview with PYMNTS, nsKnox COO Nithai Barzam explained why BEC attacks remain attractive to scammers: “Fraudsters seek to attack targets that lack protection or have loose controls. They are adept at hacking email servers and manipulating employees into granting them access. Once they are in, they can easily mislead accounts payable and accounts receivable staff.”
“Fraud is growing as fast, or faster, than the pace that the overall B2B market is growing,” Eric Frankovic, general manager of business payments at WEX, told PYMNTS.
MFA implementation also contributes to a broader culture of cybersecurity within organizations. Encouraging employees to use MFA not only helps protect against account compromise but also promotes security awareness. By fostering an environment where security measures like MFA are standard practice, companies can reduce human error — a common factor in many security breaches — and enhance their overall corporate security posture.
One of the main barriers to MFA adoption is the perception that it adds inconvenience. However, advancements in MFA technology have made the process far more user-friendly. Many authentication apps offer “push” notifications that allow users to approve logins with a single tap, and biometric verification (fingerprint or facial recognition) enables instant access. By implementing MFA in a way that balances security with convenience, businesses can ensure that employees are both secure and productive.
“What you want is a system that is designed to let in good actors as easily as possible, and that presents enough of a barrier to deter bad actors,” Siddharth Vijayakrishnan, SVP of product and financial intelligence at FIS Platform and Enterprise Products, told PYMNTS.