Now that most people are familiar with and thus able to avoid standard phishing attacks, malicious actors have shifted to something more insidious. Email spoofing, a form of spear phishing in which attackers impersonate someone the target knows, is a much more subtle way to compromise a user’s credentials or device. Like phishing, however, once you know the signs of a spoofed email and train other users to spot them, addressing the issue is often straightforward.
What is email spoofing?
Email spoofing is when an attacker sends an email that impersonates someone else, generally someone the user knows. Often, this person is a supervisor, manager, or executive at the same company. Because the sender fields in the email headers are filled in by whoever sends the message, the user’s email software displays a name and address that look legitimate to the average user, who is unlikely to look closely at the address if the name is familiar.
Because users trust people within their organizations, they are highly likely to complete an action as instructed in the email. This might be simply clicking on a malicious link that installs malware, or it could be purchasing hundreds of dollars in gift cards and sending them to a provided address. While this is similar to phishing, the two attacks are distinct. Although phishing emails also aim to spread malware or compromise users, their primary purpose is theft. Spoofing emails, in contrast, are only impersonations that can lead to phishing attacks. Email spoofing attacks might also request user credentials, and if those credentials are shared, the organization’s security and data are at risk.
How does email spoofing work?
Attackers are able to forge email addresses because of a lack of security in Simple Mail Transfer Protocol (SMTP), which as originally designed does not authenticate the sender and provides no encryption or similar security measures. Every mail service, Gmail and Outlook included, carries mail over SMTP, so it’s not difficult for an attacker to find and compromise an SMTP server. Once the attacker has a server, the next step is adjusting the header of an email.
In the header, there is a designated field for the sender’s identity (Mail From). Because SMTP lacks authentication, an attacker can very easily change the email address listed in the Mail From line. There are a few details an attacker must consider, such as whether the domain being used is legitimate, whether there is any quarantine or other protection around that domain, and whether the SMTP server has been set up correctly. Failing to account for these is what lands the email in the victim’s spam folder.
However, supposing that an attacker has a properly configured server and chooses a usable domain, the process is simple: change the sender’s address, write an email that looks like it came from a trustworthy person, make sure any commands or prompts in the message have been adjusted for the new sender address (or simply use one of the online tools that automate this), and the email spoofing begins.
How to identify spoofed emails
Given that these email spoofing schemes are so simple, it’s no surprise that their frequency is increasing. To combat these attacks, one of the best things you can do is learn to identify them and train users in the environments that you manage. Here are some things you should look for when you open emails.
- Email Signature Accuracy: If it’s company policy to have a specific email signature, an email from another employee or supervisor ought to have one. First, check to confirm there is a signature, then confirm details. For example, make sure that the email address in the signature matches the email address in the Mail From line, and check the phone number area code. If your offices are all in one state but the phone number originates in another, this could be a red flag.
- Misspelled Email Address: Before clicking on attachments or responding to the email, take a quick look at that Mail From line. If a familiar domain like bestbuy.com is instead typed as betsbuy.com, it’s a spoofing email.
- Generic Email Address: Although many email spoofing attacks will have legitimate domains in their email addresses, sometimes the sender won’t put in the time or effort. Instead, you might receive an email from a Gmail, Outlook, or other generic domain that clearly does not match your organization’s domain or conventions.
- Email Content: While not every urgent email is spoofed, an email that attempts to alarm you or encourages you to act immediately should be considered suspect.
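The signs listed above can be checked mechanically before a user ever opens the message. The following is an added example, not code from the original article: it parses a raw message with Python's standard library and flags a display name carrying a different address, a Reply-To that points elsewhere, a look-alike sender domain (one typo or swapped-letter pair away from a trusted one, like betsbuy.com for bestbuy.com), a free-mail domain, a signature address that does not match the sender, and urgency language. The trusted-domain list, the free-mail list, and both sample messages are constructed for the demo; example.com is assumed to be the organization's domain.

```python
"""Heuristic spoofed-email checks over a raw RFC 5322 message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}          # assumption: the organization's own domain(s)
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent", "immediately", "right away", "gift card", "wire transfer")
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insert, delete, substitution or swap of
    two adjacent characters each cost 1, so 'betsbuy.com' is 1 away from 'bestbuy.com'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def inspect_message(raw: bytes) -> list:
    """Parse a raw message and return (finding, detail) pairs; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Display name that is itself an address on a different domain than the real one
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append(("display-name-address-mismatch", display_name))

    # Reply-To steering replies to a domain other than the visible sender's
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-domain-mismatch", reply_to))

    # Generic free-mail domain where the organization's domain would be expected
    for header, addr in (("From", from_addr), ("Reply-To", reply_to)):
        if domain_of(addr) in FREEMAIL_DOMAINS:
            findings.append(("generic-freemail-address", f"{header}: {addr}"))

    # Look-alike of a trusted domain (misspelled or with swapped letters)
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if osa_distance(from_domain, trusted) <= 1:
                findings.append(("lookalike-domain", f"{from_domain} ~ {trusted}"))

    # Signature address in the body that does not match the From address
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for sig_addr in ADDRESS_RE.findall(body):
        if domain_of(sig_addr) != from_domain:
            findings.append(("signature-address-mismatch", sig_addr))

    # Pressure to act immediately
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


# Constructed sample messages for the demo (not real mail)
SPOOFED = b"""From: "pat.lee@example.com" <pat.lee@exmaple.com>
Reply-To: pat.lee.ceo@gmail.com
To: finance@example.com
Subject: URGENT - need this handled immediately

I am stuck in a meeting and cannot talk. Please buy $500 in gift cards
right away and send me the codes.

Pat Lee, CEO
pat.lee@example.com | (555) 010-0000
"""

LEGITIMATE = b"""From: "Pat Lee" <pat.lee@example.com>
To: finance@example.com
Subject: Thursday agenda

Attached is the agenda for Thursday's meeting.

Pat Lee
pat.lee@example.com | (555) 010-0000
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, inspect_message(sample) or "no findings")
```

Each finding is a hint for a human reviewer or a mail-filter rule rather than a verdict on its own; a single hit such as urgency language is common in honest mail, while several together (look-alike domain, free-mail Reply-To, mismatched signature) are the pattern the list above describes.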
Implications and risks of email spoofing
The problem with email spoofing is that it’s both very easy for attackers to carry out and very convincing to the average user. If you don’t address the problem, your organization will quickly suffer a security incident that could be very costly.
Your organization may wind up paying large amounts of money to attackers under the assumption that any requests they make are legitimate. If an employee provides credentials, the organization’s private data is at risk. Users, whether your customers or your employees, incur a higher risk of identity theft and financial losses following any breach by a bad actor.
Prevention techniques for email spoofing
It’s important to train users to avoid spoofed emails, but that’s usually not enough to protect your organization. Human error accounts for the vast majority of reported security incidents, so the following preventative measures may be needed to limit your risk of a successful attack.
- SPF (Sender Policy Framework): SPF is not the most sophisticated solution, but it’s a good start for filtering illegitimate emails. It works by using a record published for your domain that identifies your domain’s authorized mail servers. The receiving server must then determine, based on that record, whether the email should be allowed through.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): More comprehensive than SPF, DMARC provides both a record that the receiving server can analyze and instructions for what to do if the email fails that server’s checks. It also requests reports, a useful feature if you want more information about the emails passing through your servers.
- DKIM (DomainKeys Identified Mail): DKIM focuses on authentication. The good news is that it’s more secure than some other options; the bad news is that you can break your email if you configure DKIM incorrectly. This method also requires published records, and each outgoing message carries a signature that receivers check against those records to verify legitimacy.
- Email Filtering and Advanced Threat Protection: Deploying email filtering solutions to detect and block spoofed emails is another good preventative measure. Filters detect things like suspicious links, particular words or phrases common to spam, and the sender’s IP address reputation. Once detected, the filter will move the email to a separate folder to indicate that it may not be legitimate. Additionally, implementing advanced threat protection, which is a cloud-based application that is more sensitive than a traditional filter, can further reduce the number of illegitimate emails that you and other employees receive.
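To show what the SPF and DMARC records above actually do on the receiving side, here is an added example that is not part of the original article: it evaluates a sender's SPF record against the connecting IP (the ip4, ip6, include and all mechanisms), then applies the domain's DMARC policy with identifier alignment. SPF and DMARC records are published as DNS TXT records; in this demo a constructed in-memory table stands in for DNS, with example.com assumed to be the protected domain, 192.0.2.0/24 and the included host assumed to be its authorized senders, and bulk-sender.example assumed to be an unrelated third party with its own valid SPF record. DKIM verification needs the signed message and the published public key, so the DKIM result is passed in as if produced by a separate verifier.

```python
"""SPF evaluation and DMARC policy application over constructed DNS data (added example)."""
import ipaddress
from email.utils import parseaddr
from typing import Optional, Tuple

DNS_TXT = {  # constructed TXT records standing in for live DNS
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",   # a third party's own SPF
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the ip4, ip6, include and all mechanisms of a domain's SPF record
    against the connecting IP and return an RFC 7208 result string. The a, mx and
    exists mechanisms are not implemented in this subset and are skipped."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 limit on DNS-querying terms
        return "permerror"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is simply False when the address family differs
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, client_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_policy(domain: str) -> Optional[dict]:
    """Parse the _dmarc.<domain> TXT record into its tag=value pairs, or None if absent."""
    record = DNS_TXT.get(f"_dmarc.{domain.lower()}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for item in record.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Demo assumption: the last two labels. Real DMARC uses the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' accepts the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return organizational_domain(identifier_domain) == organizational_domain(from_domain)


def dmarc_evaluate(header_from: str, mail_from: str, client_ip: str,
                   dkim_result: Tuple[str, Optional[str]] = ("none", None)) -> Tuple[str, dict]:
    """Return (disposition, details). Disposition is 'pass' when aligned SPF or aligned
    DKIM passes, otherwise the domain's p= policy ('none', 'quarantine' or 'reject')."""
    from_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1].lower()
    mail_from_domain = parseaddr(mail_from)[1].rsplit("@", 1)[-1].lower()
    policy = dmarc_policy(from_domain)
    spf_result = spf_check(mail_from_domain, client_ip)
    details = {"spf": spf_result, "dkim": dkim_result[0], "policy": policy}
    if policy is None:
        return "none", details                 # no DMARC record: nothing to enforce
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = (dkim_result[0] == "pass" and dkim_result[1] is not None
                    and aligned(dkim_result[1], from_domain, policy.get("adkim", "r")))
    details.update(spf_aligned=spf_aligned, dkim_aligned=dkim_aligned)
    if spf_aligned or dkim_aligned:
        return "pass", details
    return policy.get("p", "none"), details


if __name__ == "__main__":
    print(dmarc_evaluate("ceo@example.com", "bounce@example.com", "192.0.2.10"))
    print(dmarc_evaluate("ceo@example.com", "x@bulk-sender.example", "203.0.113.5"))
```

The second call is the case that makes DMARC more comprehensive than SPF alone: the third party's message passes SPF for its own domain, but because that domain is not aligned with the example.com address shown to the user, the p=reject policy applies. The adkim=s tag in the constructed record means a DKIM signature from mail.example.com would not rescue such a message either.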
Avoiding the dangers of spoofing
As with most things in IT, an ounce of prevention is worth a pound of cure. Anything you can do to reduce your risk of email spoofing and the likely consequent phishing attacks will save you time and money in the long run. Don’t put your organization’s financial health or your customers’ private information at risk. Use prevention methods like filtering, advanced protection, SPF, DKIM, and DMARC to provide robust email security and protect against spoofed emails.
Ultimately, the best way to prevent email spoofing is through awareness. Although prevention methods are useful, some spoofing emails can still slip through to your users. As long as the teams within your organization are aware of the threat and know what to look for, they can take steps to actively avoid and prevent security risks, thus ensuring that your organization and its data remain safe.