Email Fraud

It sounds like a word made up by a five-year-old- Spoofing! The truth is that spoofing is more insidious than anything a child could imagine and is more along the lines of something Loki, the Norse trickster god, would conjure up. Spoofing is a method of cheating people out of their most valuable information or resources. When spoofing works, it opens a Pandora’s Box that can lead to devastating consequences for any business from infected computer systems and networks to data breaches and denial-of-service attacks. The resulting outcome could lead to a damaged business reputation, lost revenue, and even the failure of an organization.

So what is spoofing and how does it work? What can individuals and business leaders do to prevent being victimized by cyber criminals this way and how do you know if you’ve been spoofed? Read on to find answers to your most pressing spoofing questions.

What Is Spoofing and E-mail Spoofing?

When talking information and network security, a spoofing attack occurs when a person or program successfully poses as another through falsified data in order to gain some advantage. That advantage may be in the form of money, information, or access to systems and networks.

Today we specifically want to address e-mail address spoofing. When you send an e-mail, your sender information is shown in the From field of the e-mail so your recipient knows that the email is coming from you. E-mail spammers commonly use this technique to hide the origins of their e-mails and this can lead to issues such as misdirected or bounced e-mails.

How Does E-mail Spoofing Work?

Criminals can use corporate logos and graphics to create an authentic-looking email that appears to have come from a legitimate source. They will craft e-mails that appear to be from a trusted sender to request information, funds, or access. Just as one could write and send a forged letter, bad actors can send a forged e-mail in someone else’s name.

Imagine sending a forged letter via U.S. mail. The cybercriminal puts the fraudulent message in the envelope with your signature on it, puts a forged return address on it, adds a stamp, and the fake letter is on its way to the selected victim. Spoofing an email works in much the same way as the forged letter.

A hacker will craft a forged message (perhaps to move money or grant system access by way of a passcode, for example) and then change the information in the From field so it appears to be coming from the spoofed e-mail address. As long as the e-mail fits the requirements of the SMTP (e-mail) protocol, it will be sent just like a letter with proper postage. This means someone could receive an e-mail from “you” that you never sent with a deceitful message that could lead to them being victimized by a sneaky cybercriminal.

Who Is Being Targeted for E-mail Spoofing?

You might think you’re safe as you run a small business. The fact is, nearly half of businesses targeted by cybercriminals are small businesses. According to the 2019 Data Breach Investigations Report by Verizon, 43 percent of breaches involved small business victims. The danger of spoofed e-mails is that you often won’t know that your e-mail has been spoofed. Often it’s not until someone who has received a bad e-mail from “you” that you’re even made aware that there’s a problem.

Hackers have become keenly aware of who the best targets are in most companies when it comes to spoofing. They will target certain users within a business based on their seniority, job function, and title. Below are a few of the common targets of spoofing and ways to protect them.

Target 1: Executives

Chief Executive Officers (CEOs), Chief Financial Officers (CFOs), and other top executives are popular spoofing targets. As part of their job function, these high-ranking business leaders often make key decisions within a company such as authorizing the spending or moving money through wire transfer. They also tend to have access to sensitive information that could destroy a company if found in the wrong hands.

This type of fraud, known as CEO fraud, occurs when a hacker sends an email to an employee or employees of a company pretending to be the CEO. The cybercriminal posing as the CEO may request the transfer of funds or access to information. Employees often comply with such requests so they don’t “get in trouble with the boss” or as a function of their job.

ORAM Corporate Advisors once had a client who was working with their lawyer to handle an investment in a company. A wire transfer was planned for the investment to the tune of $750,000. Unfortunately, unbeknownst to the lawyer or anyone else, his email had been spoofed. When the client making the investment thought they were communicating with their attorney, they were actually communicating with a cybercriminal. The criminal sent directions to the client for making the wire transfer and the money was sent. It wasn’t until the company expecting the money failed to receive the funds was it discovered that a crime had been committed. By then, the three-quarters of a million dollars was gone.

Protecting Executives

Institute methods for additional authentication or verification for the distribution of large sums of money, wire, transfers, and requests for sensitive information such as multifactor authentication. Require that such requests be followed up by a direct phone call to the executive by staff before such transfers of money or information are completed. Train all executive-level employees about cybersecurity best practices including limiting who they connect with on social media and what they share there.

Target 2: Administrative Assistants

Administrative assistants are the first line of defense for most executives. They multitask daily between screening phone calls, handling emails, and arranging schedules. What makes administrative assistants an enticing target for cybercriminals is that they typically have access to both company and executive accounts.

Attacks on administrative assistants typically come in the form of a request by e-mail spoofed from an executive. The e-mail may ask them to wire funds, request financial information, or ask them to review an attachment. Not only can such e-mail spoofing attacks lead to a loss of funds or sensitive information, opening an attachment or following a malicious link could allow a cybercriminal to perpetrate a malware attack on the company. An astounding 94 percent of malware was delivered via e-mail, according to the aforementioned report 2019 by Verizon.

Protecting Administrative Assistants

Every company should start with a good spam filter and firewall. These will help keep out bad e-mails to begin with. Provide regular, ongoing training for best cybersecurity practices to all employees including every administrative assistant. Implement clear procedures for administrative assistants to follow should they encounter a suspicious email so they know how to report it immediately.

Target 3: Human Resources Personnel

Human resources personnel are also common targets for cybercriminals. This is due to the fact that they are so heavily connected within a company. Not only does human resources deal with existing employees and their personally identifiable information (PII), but they also work with past employees and potential employees. With all of this communication, they utilize their e-mail constantly.

Criminals looking to take advantage of their access to information will target human resource employees with malicious attachments made to look like resumes or will spoof an executive’s email requesting personal information. A common seasonal ploy is for human resources employees to get requests for employee’s W-2s during tax time from cybercriminals posing as CEOs. According to a piece by Krebs on Security, human resources and accounting departments have been spoofing e-mail targets because of their access for several years.

Protecting Human Resources Personnel

One of the best ways to protect your human resources personnel from falling victim to e-mail spoofing is to invest in benefits software such as employee portals. This allows confidential documents such as resumes, social security information, W-2s and more to be delivered securely rather than by email. As with administrative assistants, human resource employees should be trained to follow up with requests for sensitive information with a phone call to the requestor or simply ask in person. As with all employees, they should also be trained at regular intervals on cybersecurity best practices as well as how to report suspicious emails.

Recognizing E-mail Spoofing

All business leaders should remain skeptical of every e-mail and train every employee to do the same. Explain the threat of e-mail spoofing to your employees and how it could impact the business. Have written policies and procedures in place for employees so they know exactly how and to whom they should report suspicious e-mails.

Additionally, train employees on red flags that suggest an e-mail spoofing attack. For example, if an e-mail requests sensitive information including usernames and passwords, follow up with a phone call or face-to-face conversation before proceeding. This is also true of sending funds. Tell them to look at where the sender’s email address to see if it matches the details in the e-mails from a known, legitimate source. Another tip of a spoofed email may be poor grammar and spelling or diction not typically used by the alleged sender. Such training empowers your employees to know what to look for, avoid the threat, and how to report it.

Better Protection

Add better protection to your business emails by implementing strong security such as a Sender Policy Frameworks (SPFs), Domain Keys Identified Mail (DKIM), and Domain Message Authentication Reporting and Conformance (DMARC) procedures. These block spoofing emails and reduce the odds of your business suffering from a spoofing attack.

Every organization should also have comprehensive cybersecurity policies in writing that are shared with employees to assist in the detection of and response to spoofing incidents. Require all employees to confirm financial transactions by phone or in person.  Ask clients and colleagues to contact you about any suspicious emails. Finally, every company should have a backup disaster and recovery plan in place should the worst occur.

For more information about e-mail spoofing and methods for protecting your business, contact ORAM Corporate Advisors now at (617) 933-5060.