What is email spoofing, how does it work, and why is it so dangerous to your company? We’ll explain everything you need to defend your company and your customers.
Email spoofing is when a fraudster forges an email header’s ‘From’ address to make it appear as if it was sent by someone else, usually a known contact like a high-level executive or trusted outside vendor.
This kind of identity deception is widely used in phishing and spam attacks to help boost the open rate and efficacy of malicious emails. In many email attacks, embedded links lead to phishing sites designed to swipe sensitive information or login credentials from recipients. Others contain malware-laden attachments, or employ social engineering to bamboozle well-researched targets out of money in spear-phishing or business email compromise (BEC) scams.
These crimes often involve the use of lookalike domains and domain spoofing, though display name spoofing is the most common method of identity deception in email-based impersonation scams, employed in two-thirds of all attacks.
Typical scenarios include fraudsters impersonating an employee in emails sent to payroll seeking a change in direct deposit details before the next pay period, or posing as a senior executive requesting W2 information on employees. Increasingly, they involve cybercriminals masquerading as a trusted outside vendor.
In this post, we’re going to cover how email spoofing works, its effects, protecting against these attacks and more.
In order to spoof an email, all a fraudster needs to do is set up or compromise an SMTP server. From there, they can manipulate the ‘From’, ‘Reply-To’, and ‘Return-Path’ email addresses to make their phishing emails appear to be legitimate messages from the individual or brand they’re impersonating.
This identity deception is made possible by the fact that SMTP—the Simple Message Transfer Protocol used by email systems to send, receive, or relay outgoing emails—lacks a mechanism for authenticating email addresses. It’s also exacerbated when exploited through popular cloud-based email platforms such as Gmail and Office 365.
Because of their ubiquity and the precipitous volume of emails distributed by these and other email platforms, phishing attacks launched from cloud email accounts are far less likely to be detected and blocked than those sent from a lookalike domain.
Financial: Fraudulent emails being sent that appear to come from a legitimate, trusted source lead to nearly $1 billion in business losses worldwide. When these scams lead to a data breach, the cost to US businesses now averages $8.6 million per incident, according to Ponemon’s 2020 Cost of a Data Breach Report. And all of this is before any regulatory fines, which can range in the millions.
Reputational: If your customers start receiving emails that appear to come from your company but contain malicious links or simply lack credulity, they may begin to think twice about doing business with you. If they fall victim to a scam impersonating your company or one of its executives, the damage can be catastrophic to brand reputation, and ruinous for professional relationships across the industry.
Security: Usernames, passwords, and bank information are all personal credentials that can be stolen when email fraud occurs. If someone else has this information, they can then go into your system or account and get even more access to sensitive customer data, IP, or business plans.
Being able to identify a spoofed email can stop employees from clicking malicious links or putting company information at risk. Phishing awareness training can help employees recognize key characteristics to look out for, which include:
Mismatched “From” address and display name: While the display name may look legitimate at first glance, comparing it with the email “From” address can reveal a mismatch that can signal fraud.
“Reply-to” Header that doesn’t match the source: If the reply-to address doesn’t match the sender address or the domain the email purports to be coming from, there’s a good chance it’s a spoofed email.
Message content that’s out of the ordinary: Even if the email appears to come from a known and trusted source, unsolicited messages or requests for information or directions to open an attachment should be viewed with suspicion.
It’s also possible to check to see if your own email address is being spoofed. If someone has stolen your email address and is using it in their spoofing attacks, you will probably have undelivered email notifications in your inbox.
If this is the case, running a virus scan on your computer will help verify that there are no viruses currently on your computer. If the scan finds viruses, then your account might be compromised. In this event, it’s likely that fraudsters aren’t spoofing your email—they’re using your actual email account to launch email attacks.
Many organizations empower employees to report suspect emails to the security operations center (SOC) at the push of a button. If this kind of reporting mechanism is not in place, contact the IT department to ask about proper reporting procedures.
While phishing awareness training and employee reporting tools are critically important to spotting both inbound attacks and signs of outbound impersonation, they won’t be enough on their own.
So how can you better protect against spoofed emails that target your employees? And how do you prevent your own brand and its employees from being impersonated in email attacks against your customers and other businesses and individuals?
The best defense against spoofed emails that target your company is to stop them from ever reaching employees in the first place.
There are standard email authentication protocols that can help protect companies and their employees from having their email spoofed in attacks against customers and the general public.
To learn more about email spoofing techniques and modern approaches to protecting against them, read the H2 2020 Email Fraud and Identity Deception Trends Report from Agari.