Email spoofing exposed!
Picture the scenario: you’re at your desk, working through your inbox, when you receive an email from your CEO. It’s close to your financial year-end, and they’ve shared a file with your company’s performance. You’ve been anticipating these figures (well, maybe) so you click eagerly on the file. It doesn’t open an Excel spreadsheet as you were expecting. Strange, you think, but you continue with your work because you’re up against it again this month. Suddenly, what’s this? Your desktop has changed; it’s now a ransom note.
You see that your files have been locked down and, in a blind panic, go to your folder storage and try to open that important Word document you’ve been working on, full of sensitive information. But it’s no longer a Word document, and the ransom note pops up again. How could this have happened? Has your CEO been hacked? Was it something else you clicked on? Most likely, you’ve been a victim of email spoofing.
Email spoofing as a tactic has been used by hackers for years. But thanks to the wealth of online information about people and businesses, and to increasingly sophisticated tools, it’s easier than ever to convincingly pose as someone reputable. When executed well, it’s hugely successful.
Email spoofing, you say? But they spoke like themselves. Their name came up and their exact email signature came through. But then you look more closely at their email address and realise the ‘o’ in their name has been cunningly replaced with a ‘c’. You feel like a fool.
When we think of hackers, we still think of hooded loners using ‘spray and pray’ tactics to send nonsensical emails with a funny-looking link. When you see your CEO’s name land in your inbox, you often won’t give it a second thought, and that’s why these hacks are so successful.
It’s not just dodgy attachments that are catching people out, however; email spoofing has led to a very specific type of attack known as Whaling, or CEO Fraud. You can read more about that on our blog. Email spoofing is at the core of various hacking attacks, including Ransomware, Whaling and Phishing.
The earlier example is specific to a Ransomware attack, and is a form of CEO fraud. Phishing emails often purport to be from a reputable company; Apple, PayPal and Amazon are regularly spoofed. I personally received a spate of emails purporting to be from Apple over the summer (summer…remember that?)
These emails, like most sophisticated phishing emails, contained fake invoices or receipts for purchases the potential victim had apparently made. These can range from the realistic to the ridiculous; I received an email from ‘Apple’ about my purchase of Goodies by Ciara for ’87.19 GBP’ – I must love that song! Many of those emails told me I’d purchased recurring monthly subscriptions; they were easy for me to spot, because I use some of those services – they cited Netflix and Apple Music – and I know the prices I pay for them; the spoof emails often quoted much higher prices. But if you’re not aware of the prices of the things you’ve supposedly bought – one email published in various news outlets claimed the recipient had spent £69.49 on ‘Amscan International Baby Little Angel Costume’ – it’s easy to panic and immediately click their ‘refund’ link, which they’ve placed oh-so conveniently below your ‘purchase’.
With so many variations of email spoofing to look out for, how can you protect yourself from these hackers, phishers and general cyber criminals? Here are some tips to help you fight email spoofing.
Check the sender’s email address
This is the most important factor. Unless someone has actually hacked your CEO’s email account, this is always a dead giveaway. The brighter hackers will make their email address look as realistic as possible – so they might change an ‘l’ to an uppercase ‘i’. The slapdash hackers might use a completely random email address, which is easier to spot. But always look past the convincing email content.
This is an example of a convincing ‘Apple’ email I received. The layout of the email was identical to an actual Apple invoice that I’d received days earlier (is anybody else a Cut the Rope fanatic? No, just me?) and while there were some discrepancies in the email copy (for example, Ipod instead of iPod), the email address was the real tell-tale sign.
No matter how legitimate an email looks, whether it’s identical to Apple’s style or it’s got your CEO’s exact email signature, always check the email address.
If you’re on Office 365, there’s an easy way to tell if that person really is in your network – with its integration across emails, calendars and Skype, you can see when your colleagues are available, away, offline or busy. If you can’t see a status attached to your ‘colleague’, double check their email address.
It’s also important to check the email content – in the example email, Apple’s house-style wasn’t used, which is a red flag to an avid Apple fan – but the devil is always in the email address detail.
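The address checks described above (a swapped ‘o’/‘c’, an uppercase ‘i’ standing in for ‘l’, a trusted name on an untrusted domain) can be automated. The following is an added example, not code from the original post: it parses constructed `From:` headers, compares the sender’s domain against a hypothetical allow-list using both a visual “skeleton” (confusable characters collapsed) and an edit distance of one, and flags display names that don’t belong to the domain they arrive from. The trusted domains, known senders and sample headers are all made up for illustration.

```python
"""Flag lookalike sender addresses in From: headers (added example).

TRUSTED_DOMAINS, KNOWN_SENDERS and SAMPLE_HEADERS are constructed for
illustration; substitute the domains and names your organisation uses.
"""
from email.utils import parseaddr

# Hypothetical allow-list: domains you genuinely exchange mail with, and the
# display names you expect to see on each of them.
TRUSTED_DOMAINS = {"acme-corp.com", "apple.com"}
KNOWN_SENDERS = {"jane doe": "acme-corp.com", "apple": "apple.com"}

# Character pairs that look alike in many fonts. Collapsing them on BOTH sides
# of a comparison means we compare what a reader sees, not the raw bytes.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]


def skeleton(domain: str) -> str:
    """Lower-case a domain and collapse visually confusable characters."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one swapped letter ('o' -> 'c') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain', 'display-name-mismatch' or 'unknown'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "ok"
    # A domain that *looks* like a trusted one, or is one keystroke away from
    # it, is the classic spoof the article describes.
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike-domain"
    # A familiar name arriving from a domain we don't associate with it.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected != domain:
        return "display-name-mismatch"
    return "unknown"


# Constructed sample headers covering each case.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@acme-corp.com>',          # genuine
    '"Jane Doe" <jane.doe@acme-ccrp.com>',          # 'o' swapped for 'c'
    '"Apple" <no_reply@appIe.com>',                 # uppercase 'I' for 'l'
    '"Apple" <billing@apple-invoice-refund.net>',   # brand name, unrelated domain
    '"Jane Doe" <jd4412@webmail-example.net>',      # colleague's name, webmail
    '"Newsletter" <news@somewhere.org>',            # nothing to compare against
]


def triage(headers):
    """Map each From: header to its verdict."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:22} {header}")
```

This only inspects the visible `From:` header, so it catches the lookalike and name-on-wrong-domain cases but not the scenario the article also mentions, where the CEO’s real account has been compromised; that case needs the content and context checks described in the rest of this post.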
Educate your staff
An IBM study found that 95% of successful cyber-security attacks can be attributed to human error. Yes, the hackers are at fault, but it’s hard to infiltrate a system without an end-user activating your Ransomware, making a wire transfer or plugging in an infected device.
The new era of digital natives might be more accustomed to online threats and attacks, but in every company there’s a hidden technophobe. Fewer people are falling for Nigerian prince scams nowadays – in fact, one of my favourite videos is this James Veitch TED talk on replying to an amateur spam email – but due to the clever, almost-invisible nature of these attacks, even the tech-savvy can easily miss them.
Teaching your staff to be vigilant is essential to the security of your business. In a few short years, these scams have evolved from spelling-error-riddled text emails to sophisticated carbon copies of emails that your CEO or Amazon might send out. Teaching your staff not only how to spot these scams, but not to give in to the immediate fear caused by unexpected ‘invoices’, means they can become your frontline defence.
Use a robust anti-virus solution
People still make mistakes. It’s hugely important to educate your staff, but that doesn’t mean you’re safe from attacks. Having a strong anti-virus solution in place filters out those emails before they hit you and your employees, removing the risk completely. Symantec email security offers a sturdy defence against spam emails, and searches out hacker tactics including dodgy email addresses, links and attachments.
We’re also seeing the advent of next-generation security solutions like Sophos Intercept X, which is designed specifically to prevent and remove Ransomware viruses; Ransomware is the most profitable form of malware in existence, and 41% of businesses experienced an attack in 2016. Don’t become one of those victims – protect your systems from these attacks before they hit you. Find out more about spotting and preventing Ransomware.
Sign up to our Futuretech event to find out more about ever-evolving security threats.