The Case of Email Spoofing: How to Identify And Avoid Email Attacks

By Gerard D’Onofrio [ Join Cybersecurity Insiders ]
9843

Email has a lot going for it. It’s quick, easy, and incredibly widely used. However, just like every other remote form of communication, it faces a glaring challenge. How can an email recipient be absolutely sure that the email is from who it says it’s from?

Welcome to the world of email spoofing. Thankfully, there are some simple techniques you can adopt to fight it. Let’s dive in. 

What is email spoofing?

Email spoofing is what happens when, in a phishing attack, an email appears to be from somebody it actually isn’t from. What has happened is that a fraudster has forged the email header so that the receiving server mislabels the email’s sender. 

The receiver then gets the email and thinks that they know the sender. As a result, they are more likely to treat the message content with a degree of trust than they would otherwise. Where this ends can mean data breaches or even corporate funds being appropriated. 

So, it’s serious. The phishing that’s often associated with email spoofing is rising at a phenomenal rate. 

Why is email so vulnerable to spoofing? The main reason lies in the limitations of the actual process used to send emails. SMTP (Simple Mail Transfer Protocol) doesn’t have the facility to check that the sender’s identity is actually genuine. 

So, if somebody wants to send a spoof email, all they have to do is to find one of the many free SMTP services that are available online. Then, they can create the message, and input the desired address in the From box. That’s it. No, email spoofing is not the exclusive realm of criminal masterminds, using hi-tech banks of computers and hardware like an IBM AS 400 mainframe.

There are even dedicated email spoofer programs available. So a would-be email spoofer’s work is basically done for them. 

You may be thinking to yourself ‘Ah – but if the hacker inputs a fraudulent email address in the From box, then surely any replies will go to that address rather than the hacker’s. What’s the point in that?’

This is the reason why the message itself will have links within it that the recipient is strongly urged to click on. Enticements might be positive (‘Click to win!’) or negative (‘Follow this link to stop your car insurance from going through the roof’). Whatever they are, they tend to work. 60% of security professionals report that their organizations have lost data thanks to a phishing attack. 

So, it’s clearly a major problem with enormously damaging potential consequences. What can be done about it? An increasingly important source of help is the government. For instance, in the UK, the National Cyber Security Centre has launched an Email Security Check service to combat the problem of email spoofing. 

This aside, there are plenty of ways you can help yourself. 

1. Check the address

Although the identity may be fraudulent, the actual address that’s in the mail-to box will be authentic. In other words, look beyond the stated identity to see the blahblah@blahblah.com address. Be alert for real addresses that ape respectable ones. Like g00glehelp@gmail.com.  

Check things like domain extensions. For instance, if you’re dealing with Australian companies, they’re likely to have Aussie domain names. If not, a closer inspection might be warranted. 

Gmail users have a powerful weapon here. You can open the email, then click on the drop-down under the sender’s name. This will reveal information about the sender’s address as well as a signed-by field. Other email servers will have this information available in their own ways. 

If this all looks consistent, the chances are you’ve received a legitimate email. This is because it’s passed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) verification protocols. These are security techniques put in place by the server. 

See below for further details on these and other software means of verification. 

2. Does it seem out of place?

This might be more of an obvious one, but sometimes the obvious needs to be pointed out. Does the email clash a little with what you would normally expect to receive? 

Say you’re a VoIP engineer, ordinarily engaged in matters related to call routing in Dialpad. If you receive an email concerning how much money there is waiting for you on the other end of just one little click, then you might be somewhat taken aback, and more than a little skeptical. 

3. Try asking

If you receive an email you’re not sure about, there’s nothing wrong with asking for more information. But let’s have a caveat here – make sure to only use the sent-from address. Don’t click on anything in the message itself. 

A further caveat. Let’s say the email looks like it comes from a family member, in which they ask for an emergency loan. You can email them back, asking to see if it’s legitimate. If they reply from their own address saying ‘yeah, cash please!’ then that should be fine, shouldn’t it? Actually, not necessarily. Your family member’s email account may have been hacked. 

In short, by all means ask for more information, but still don’t commit to doing anything fast and drastic. Best bet? Give them a call. 

4. Google it

If you’ve received an email that seems suspicious, put its details into Google. You can just copy and paste the whole message if you like. If it’s a phishing gambit that’s doing the rounds, the chances are it’ll pop up in your SERP. 

If it’s as dodgy as you thought it might be, go back to your email and delete it. And report to your line manager if it happens at work. 

5. Distrust urgency

When you get an email emphatically prompting you to click in order to avoid some dreadful impending misfortune, the chances are it’s a spoofed email. By intoning urgency, the sender is hoping to bypass the recipient’s natural skepticism, encouraging them to stand checkpoints down in the interest of averting disaster. 

There are certain words in the subject line to beware of that are often associated with spoofed emails. These include request, follow-up, business proposal, are you available, invoice due, and, simply, hello.

If the email warns of something like irregular bank account activity, go directly to your account via your usual means. Don’t click on any link in the email. 

It should go without saying that if you’re feeling in any way coerced or manipulated, then you should apply the brakes and report the email to your line manager. 

After all, if it really is an emergency, there’s always the phone. 

6. Look at grammar

If the message claims to be from an authoritative source but they struggle to string a sentence together without glaring typos and grammar issues, it’s time to get suspicious. Typically if senior management are getting paid the big bucks, they should at least be able to spell, so it’s worth double checking.

7. Don’t use the same email account for everything

If you’re just using an address in order to sign up for something but you’re not bothered about subsequent interactions with that business, then use throwaway addresses. This way your primary email address won’t get included on so many mass mailout databases, which means it won’t get so spammed up or spoofed up. 

8. Software solutions

There’s a wide range of verification protocols that you can implement in order to single out spoofed emails. We’ve already mentioned SPF and DKIM, but on top of these there’s also DMARC, or Domain-based Message Authentication and Secure/Multipurpose Internet Mail Extensions. 

Whatever system you use, the idea is that they work automatically, intercepting spoofed emails without you even being aware of the process. 

9. Training

There needs to be an extensive rollout of best practices for detecting email spoofing, just like with all other aspects of cybersecurity. Every user represents a vulnerability that a hacker can exploit, so make sure all your users are as savvy as possible. 

Give them easy-to-remember techniques for spotting spoof emails, and make sure they know what to do if they find something that looks suspicious.

Remember to update them on the latest threats, and carry out tests to see where the vulnerabilities appear to be concentrated. It might be an individual who needs a little more support, or it could be that there’s a high volume of emails that results in a number of employees feeling overwhelmed hence not capable of proper vigilance.

Staff need to be told that there’s no embarrassment in falling for an attack. After all, studies suggest that CEOs are the worst offenders. The most important thing is to let others know if there has been an incident. 

10. Stopping outgoing spoofing

Obviously, you’re not just going to want to spot spoofed emails coming in. You also want to stop hackers using your business as a means by which they can spoof emails to your customers and partners. If a client expects to receive a consulting report from you, but gets phished after clicking on a spoofed email’s links, they might leave with a negative impression of your company even though you had nothing to do with it. 

Apart from the above software protocols, you can also implement practices such as having clear branding and bold design in use on every official email that a spoofer might find difficult to copy. Branding is, after all, all about authenticity. 

The email newsletter below from the New York Times includes its distinct font and logo which both can help make a potential recipient feel more confident in clicking on the contents of the message. 

Put your business phone number from Dialpad on there too. This way, people can call to check if it’s really you. 

Conclusion

So, unfortunately spoofing is a lot less funny than it sounds. It can create havoc both with businesses and individuals and is incredibly widespread. 

Thankfully, there are a great many ways we can seek to combat it. Using these techniques, we can be reasonably confident. But we must stay vigilant. Often, the hacker only has to get lucky once to bring catastrophe to your business. Don’t have nightmares though. Just keep your eyes peeled. 

Bio:

Gerard D’Onofrio – Country Manager, Australia, Dialpad

Gerard D’Onofrio is the Country Manager for Dialpad Australia, an AI-equipped business communications solutions platform for better communications at work through features like Dialpad’s enterprise VoIP. Gerard is experienced in discovering world-class developments and turning them into effective business advancements, wherever he goes. He has also written for other domains such as Spa Industry Association and Agility PR Solutions. Here is his LinkedIn.

Ad

No posts to display