We regularly hear about cyberattacks and ransomware hitting businesses. Every day there seems to be another attack in the news. What do all these reports have in common? They almost always reference phishing being the number one point of entry. There is typically a list of ways to avoid phishing emails. For example, beware of emails from strange email addresses, don’t click links in emails from senders you don’t know. It seems a simple solution, avoid untrusted emails, so why does phishing continue to work? Why do employees click the link or open the attachment in a phishing email? It turns out employees do know and trust the sender because often the sender is someone from their own company or a company that regularly does business with their company. How is that possible? The bad guys use email spoofing.
What is it?
A spoofed email is when hackers send email from their accounts but fool email systems into showing the email came from a trusted source. Because email doesn’t have good built-in security by default, it’s easy to cheat the system. Spoofed emails look genuine, coming from a trusted colleague or legitimate company, hiding the hacker’s true identity. The sender’s email address looks accurate, with no typos, misspellings, or other strange content; thus, users trust the email and open it. This unfounded trust makes spoofed email very dangerous. Hackers can easily trick people into clicking on malicious attachments or clicking malicious links that install malware onto your computer. They also steal sensitive information like usernames and passwords, which could lead to identity theft.
In a recent spoofed email incident, hackers used a construction contractor’s email domain to send fake invoices to all of the contractor’s vendors and prime contractors. The emails contained images of invoices and links to download the invoice. The links lead to malicious websites where the criminals harvest information such as Microsoft 365 log-in credentials. In another business email compromise incident, duped finance employees sent $4.8 million to an offshore bank. The email appeared to come from the company president.
How do cybercriminals compromise email?
Hackers regularly search the Internet for unsecured email accounts. They are not looking just for email accounts they can steal and spew emails from; they also look for companies who did not secure their email domains. The email domain is the part after the @ sign in an email address, such as 5atechconsult.com. There are several ways to protect an email domain, preventing hackers from creating spoofed emails from it. Still, many businesses have not taken advantage of these settings or have not configured them correctly. Once the hacker finds an unprotected email domain, he will create an account at that domain and start sending spam messages. He may even register some fake names to make his message appear more legitimate. The attacker succeeds when the victim opens the email, thinking the email came from a trusted person or organization.
What are some reasons for email spoofing?
There are many reasons why people would want to send out spoofed emails:
- To steal money by sending out unsolicited bulk mailings;
- To impersonate another person or organization to gain access to sensitive information;
- To spread viruses or spyware through infected attachments;
- To make money off of unsuspecting victims by selling their private information;
- To commit identity theft by stealing identities;
- To sell counterfeit goods online;
- To defraud businesses by pretending to be customers;
- To harass others by bombarding them with unwanted communications;
- To distribute pornography or child abuse material;
- To advertise products or services without permission;
- To get revenge against individuals or organizations;
- To discredit critics or competitors;
- To distract attention away from real threats;
Who uses spoofed email?
Anyone can do it—even kids! But there are two main groups of spammers: professional cybercriminals and script kiddies. Professional criminal gangs often forge the email header to show that a well-known brand name sent the messages. Script kiddie spammers typically spoof addresses without manipulating the email header and pretend to be individuals rather than large corporations. Both groups target misconfigured email servers or services. Unfortunately, most small business owners are not aware they are easy targets.
Why should I care if my email gets compromised?
For starters, someone is pretending to be you or your company. They will send emails to your employees, colleagues, and customers that appear to come from a sender they trust. They can use this to trick the recipient into doing just about anything they want, all in your name. This can be anything from opening a malicious website, completing a wire transfer, or handing over a username and password. Your good reputation enabled the malicious actor’s successful phishing attack.
Internally, your employees might think they’re communicating directly with you, while externally, your clients might believe they are talking to a trusted colleague. As a result, your reputation suffers, and your brand becomes tarnished. You lose credibility among your current and potential customers. And the worst-case scenario, you become part of a more significant breach affecting thousands of others. Chances are the news will get out that the email came from your company. What will that do to your reputation? Can you honestly say you tried to prevent being part of the cyberattack?
How bad is email spoofing?
Every single day criminals gain unauthorized access to networks and computers through spoofed emails. In fact, according to Verizon’s 2018 Data Breach Investigations Report, nearly half of all attacks were launched via social engineering tactics, including spoofed emails. Additionally, these types of attacks are becoming increasingly sophisticated and challenging to detect. For example, a recent report found that a spoofed email campaign had targeted over 90% of organizations within the last year alone.
Email spoofing is a growing threat to enterprises around the world. Our research estimates that approximately 50 percent of global enterprise customers have experienced a successful spoofing attempt against their corporate mail servers. However, that figure is likely much higher than reported due to the difficulty of detecting spoofed emails.
How to Can I Protect My Business Email?
Protecting your business from email spoofing requires more than a spam filter and antivirus software. Those two security layers are essential components of a secure IT environment. Still, they will not stop email spoofing by today’s malicious actors. Therefore, protecting your systems and the email your company sends and receives requires more than one layer of security. In addition, your company requires additional security layers that can:
- Secure the emails your company sends.
- Stop spoofed emails from reaching your employees.
- Provide training for your employees.
Secure your email
The best way to prevent your employees from falling for spoofed email messages is to keep them from receiving them in their inboxes. That means ensuring that only legitimate messages reach your employees’ devices. The details to accomplish this depend on whether your company or an email provider runs your mail server. In either case, it starts with correctly configuring Domain Key Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conforming (DMARC) for your businesses’ email system. Correctly setting these items secures your email domain, preventing cybercriminals from sending emails using your trusted domain. Email recipients know the email came from a legitimate sender.
Filter your email
Second, add an AI-powered anti-phishing service. Much more than a spam filter, these services use AI to examine all aspects of an email. For example, the anti-phishing service might check the subject, email body, links, email headers, and other data to determine if the email is malicious. These checks go beyond simple pattern matching, making it effective against new, more creative threats. Unfortunately, AI-powered anti-phishing services can catch legitimate emails in the anti-phishing net leading to false positives. Although very infrequent within the best systems, businesses should tune their selected system to limit blocking legitimate emails.
The final layer of defense is well-educated employees. No matter what security technologies are employed, some spoofed emails will make it to your employees. For example, an attacker could set up a Gmail account posing as the company president. Since many people use their Gmail account for business, untrained employees might trust an email from a fake Gmail account. Companies should perform annual email security training with regular reinforcement throughout the year. Make sure employees understand company email security policies. Encourage employees to reach out through direct methods such as a phone call to verify urgent requests for action, especially those involving finances.
For more information on how to protect your business from cyber threats, visit the SBA Cybersecurity Guide. You can also contact 5A Tech Consulting at [email protected] or at 903-303-2031 to receive specific answers to your cybersecurity questions.