Email Exposure Checks (EEC Pro) are special searches done by KnowBe4 to help organizations understand what kind of information about your users is publicly available. We gather information from social media sites, past data breaches, documents and files posted on the web, and more.
Information for a specific domain can only be sent to an email address of the same domain. If you would like information for your domain, enter a @yourdomain email address.
What Does the EEC Pro Search for?
The EEC Pro searches the web for any information it can find about your users and then, compiles it into a report. The search includes:
- Data Breaches to see if your users' information have been exposed during past data breaches. Your report will also include the category of information that was exposed in those data breaches, such as usernames, passwords, and other sensitive information.
- Publicly-available Forums and Archives, as well as publicly-available Files and Documents, including PDF, DOC, DOCX, XML, HTML, RTF, ODT, and Pages file types with information about your users. An excessive amount of available user or organization information online can be used by attackers to help identify your organizational structure for targeted social engineering or phishing attacks.
- Social media to see what information your users are making available to potential attackers through their social media presence. Users who post detailed information on social media may be more likely to receive highly-targeted social engineering (or spear-phishing) attacks. The availability of this information increases the likelihood a cybercriminal will be able to craft a very personalized attack.
The EEC Pro analysis report will be delivered to you via email and will include an attached PDF report as well as a website where you can view further information.
There are two ways to start an Email Exposure Check, you can create one by signing up for it under our Free Tools section at knowbe4.com or you can use the Email Exposure section under your Account Settings page in your KnowBe4 console. If you are using a Free Account, please follow the steps in the Enabling EEC Pro for a Free Account section. If you are using a Paid Account, please follow the steps in the Enabling EEC Pro from Your Account Settings section.
Enabling EEC Pro from Your Account Settings
- Go to the Account Settings page in your KnowBe4 console.
- Scroll down to the Email Exposure Check settings.
- Use the Run Scan on this Day of the Month drop-down to select which day of the month you would like to run an EEC Pro analysis.
- Click the Scan User Email Addresses Now to set up or start your EEC Pro analysis.
- Click Save at the bottom of the Account Settings page.
Enabling EEC Pro for a Free Account
- Go to the Email Exposure Check webpage.
- Fill out the form with the requested information. Make sure to enter an email address that uses the domain that you would like to generate a report on.
- EEC Pro will perform a deep scan for publicly available organizational data and find any users with exposed account information in any data breaches.
- Check your email for a summary report PDF and a link to a full detailed report with all of your EEC Pro data.
Risk Distribution Explanation
Users are placed in a Risk Distribution group after the EEC Pro has gathered data from the searches that it performs. The group placements, Very High Risk, High Risk, and Medium Risk, are based on how much data was gathered on that specific user. A description of each group can be found below.
- Very High Risk
This means that users were found in publicly-available breaches that contain either cleartext passwords or password hashes. Credential information such as this makes these users prime targets for attackers who may be able to use this data to gain unauthorized access to systems. The breach may also contain sensitive personal information that can be used for social engineering.
- High Risk
Results were found in publicly-available breaches that could contain sensitive personal information. This information can be used to create a sophisticated social engineering attack against individuals or an organization.
- Medium Risk
No breach information was found for these users. However, some of their information is publicly-visible, leaving them susceptible to phishing attacks.
Analyzing Your Results
The PDF report you will receive via email will contain a summary of the data that was gathered about your users. For additional information and details on what type of information was found, visit the website included in your EEC Pro email. Click the Click here to view EEC Pro results link within the email you received to do so.
Your PDF and website report will include:
- Your organization's Exposure Factor (EF). The Exposure Factor is the percentage of how many of your users were found to be exposed online versus the number of employees you have.
The calculation is equal to:
EF = (Found Emails+Identities)/Number of Users. The number of emails found + the number of identities found divided by the number of users in your organization.
- The number of Unique Breaches your users were found in. See the Frequently Asked Questions section for additional information about where we obtain our data breach information.
- The number of user Identities found. This is based on the social media presence we found for your users.
- The number of user Emails discovered. This is the total number of email addresses at your organization that the EEC Pro gathered.
- A Risk Distribution pie chart displaying how many of your users were deemed to be Very High Risk, High Risk, or Medium Risk. For an explanation of the levels of risk indicated, see our Risk Distribution Explanation section.
Each of the entries may be clicked on to open a drop-down menu with additional information about that particular entry. For example, on VERY HIGH RISK user entries, you'll be able to see details on the breach that the user was found to be a part of. You can also download a CSV report of your analysis or delete your report from the website report.
Because the EEC Pro is a web crawler and does not interpret the data it gathers, you may occasionally see inapplicable entries depending on where the data was acquired.
If you'd like, you can choose to use one of these old or invalid email addresses as a “honeypot” email address. A "honeypot" email is an inactive email address that is set up to specifically catch spam. Using this email address, you can analyze what types of malicious emails may be coming into your organization. This can help you stay aware of the types of attacks or phishing emails your users may be receiving at your other, valid email addresses.
Frequently Asked Questions
1) Question: What is a data breach?
Answer: A breach occurs when a hacker illegally gathers private data from a system or network, typically by exploiting an existing software vulnerability. There have been monumental data breaches in the recent past, exposing millions (or more) of user accounts and details, credit card numbers, and other sensitive or private information.
2) Question: Where does KnowBe4 get the data breach information from?
Answer: KnowBe4 partners with Spycloud.com to search past breaches and determine what user accounts in your organization may have been compromised. Spycloud is a well-respected online resource which specializes in allowing users to search for their email address in about 12,000 different databases to see if their information has been made available in past data breaches.
3) Question: What should I do with the information in the EEC?
Answer: An excess of user information on the internet will leave both your users and your organization vulnerable to a cyber attack.
Therefore, it is vital that you 1) train your users, 2) have high-risk users change their passwords, 3) have high-risk users enable two-factor authentication, and 4) remove publicly-available information from the internet.
The emails reported in the EEC are all possible high-risk phishing targets. Anything we’re returning to you through EEC is publicly-available, meaning programs written to "scrape" email addresses for information will be able to gather this information as well. You should enroll your high-risk phishing targets in security awareness training and phishing campaigns immediately to ensure they have the skills they need to become a strong human firewall for your organization.
If you find users have been part of data breaches with their email addresses identified in the EEC Pro report's Very High Risk or High Risk categories you can contact them privately and let them know, in case they are still using the same passwords from when the data breach occurred. Many users also use the same password on multiple websites, so they should consider changing their password for all accounts where they've used the same password.
In addition to having your high-risk users change their passwords, they should also enable two-factor or multifactor authentication on accounts whenever possible, requiring a second authentication step, such as entering a code they've received in an SMS text, before being able to log in. This provides another layer of security to prevent the bad guys from accessing their private information.
If external sites are posting data about your users and you'd like to have it removed, we recommend you contact the site owners of those external sites. If you cannot get these emails removed, then you now know which emails you need to be aware of that will be high-risk phishing targets. You could perhaps deactivate these addresses or notify the users of those addresses that they may be subject to an increased amount of phishing and email-based attacks.
4) Question: How do I notify users that their information was compromised in a breach?
Answer: Below is a template you can use as a starting base for when you'd like to notify users of a breach. Make sure you read through the template and change any variables (shown in brackets) or any other text you'd like to change before you send it to your user.
We have discovered that some of your information was exposed in a data breach. A data breach is when secure information is taken from a trusted environment without permission. This does not mean that your data or identity was compromised, only that it is accessible to people who may want to use it for their own interests. However, you can take steps to lessen the damage and keep your data safe.
At a minimum, we strongly recommend changing your passwords for your various online accounts immediately. You may also want to look into two-factor or multi-factor authentication such as [insert recommendation] or even a password manager such as [insert recommendation] for an extra layer of security.
Please be aware that when your information is part of a data breach, cybercriminals may use this information to trick you as part of a targeted phishing attack. These attacks are only successful if we fall for them. Stay alert and be cautious.