Email Spoofing: What To Be Aware Of

The concept of ‘email spoofing’ has been around for a while – spoofing is when an email is made to look as though it’s coming from a certain person, when in reality it’s coming from a completely different source. And most likely not a good one.

It’s a trick many cyber criminals use in order to get people to open emails which they think are from a legitimate source and/or someone they know. The emails will often contain links to an infected website, or will ask them to hand over sensitive information.

In the past, cyber criminals used to get contact lists from PCs which had been hit by malware, and then they would send emails at random, hoping one would stick.

Today the attacks are much more targeted, and they spend quite a bit of time researching their intended recipient (and the person they are impersonating) in order to get them to believe the email is from that person.

The aim is to get the recipient to act in the same way they normally would, whether that’s clicking on a link to an infected website or, in the worst-case scenario, sending over financial information or even making a payment.

We’ve seen it done. And there is no way back from it as the account is a temporary one which is closed just as soon as the payment is made.

The thing about email spoofing is that it’s relatively easy to do, and that’s part of the reason why phishing attacks are so prevalent. It comes down to the relatively insecure way email is handled. There are no central servers (unlike instant messaging and social media) which control and govern the sending of email.

For quite a few years it’s been possible for someone to send an email to a company and make it appear, at face value, to have come from a Managing Director, when in fact they have no access to the MD’s account.

The technique only breaks down at the point when the user replies to the email and glances at the “To” field: if the spoof has worked as intended, that field will show a completely different email address from the one the message appeared to come from.

In the 15 recent spoofing attacks that I have seen, there is one key link: the website of the company which is being attacked.

One of the most important pages of a website is the ‘About Us’ section, and this will often include a list of senior people in the business and their job role.

Some companies will also list their email addresses. Unfortunately the name, the job role and, most important of all, the email address are a great starting point for spoofers to begin their attack.

Traditionally a spoofing scam will have three parts:

  1. The scam normally starts off with the farming of information from the website to identify who the key people are.
  2. The next stage is usually a basic email to start the process with a question like, “Hi Carl, can you email me when you get in the office please.” If the spoofer gets a response they can be fairly confident the recipient hasn’t picked up the fact that this isn’t the MD emailing, which increases their chance of getting money out of the victim if that is the intent of the scam (which it normally is).
  3. The final stage will normally be a pretty direct request to the recipient to transfer a figure of money to an account either via BACS, Western Union or some other transfer type – if they don’t get a response to this email they will normally apply pressure by chasing the recipient and explaining how urgent it is. I’ve seen this technique succeed.

A few weeks ago, someone I know was targeted in an attempt to steal £15,000 via a spoofed email, and it took me around 30 seconds to replicate what the spoofer did. Thankfully the recipient glanced up at the reply address, realised it wasn’t actually the MD, and so raised the alert.
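The two tell-tale signs described above (a senior person’s name on a message that doesn’t come from their real address, and a reply address that differs from the apparent sender) can be checked automatically before anyone has to hit reply and look at the “To” field. The following is an added example, not code from the original post or from any product; it uses Python’s standard email library, and the sample messages, the example.com domain and the senior-staff directory are constructed for illustration.

```python
import email
from email import policy

# Constructed sample headers (not taken from any real incident).
# First: the MD's name and real address, but replies silently routed to an outside mailbox.
REPLY_TO_SPOOF = """From: "Jane Smith" <jane.smith@example.com>
Reply-To: "Jane Smith" <jane.smith.md@free-mail.example>
To: carl@example.com
Subject: Quick favour

Hi Carl, can you email me when you get in the office please.
"""

# Second: the MD's name (as listed on the website) on an outside address.
NAME_SPOOF = """From: "Jane Smith" <janesmith.office@free-mail.example>
To: carl@example.com
Subject: Quick favour

Hi Carl, can you email me when you get in the office please.
"""

# Third: a genuine internal message for comparison.
GENUINE = """From: "Jane Smith" <jane.smith@example.com>
To: carl@example.com
Subject: Quick favour

Hi Carl, the board papers are in the shared folder.
"""

# Assumed inputs: the senior people listed on the company's 'About Us' page (the same list
# a spoofer would farm), mapped to the mailbox they really send from.
SENIOR_STAFF = {"jane smith": "jane.smith@example.com"}


def _addresses(header):
    """Return the Address objects on an address header, or [] when the header is absent."""
    return list(header.addresses) if header is not None else []


def check_message(raw, senior_staff=SENIOR_STAFF):
    """Return a list of warning strings; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    from_addrs = _addresses(msg["From"])
    if not from_addrs:
        return ["missing From header"]
    sender = from_addrs[0]
    sender_domain = sender.domain.lower()

    # Check 1: a display name matching someone on the website, but an address that is not theirs.
    expected = senior_staff.get(sender.display_name.strip().lower())
    if expected and sender.addr_spec.lower() != expected:
        warnings.append(
            f"display name '{sender.display_name}' belongs to {expected} "
            f"but the message comes from {sender.addr_spec}"
        )

    # Check 2: replies routed to a different domain. This is the address the recipient would
    # otherwise only notice in the 'To' field after hitting reply.
    for reply in _addresses(msg["Reply-To"]):
        if reply.domain.lower() != sender_domain:
            warnings.append(
                f"Reply-To {reply.addr_spec} differs from the From domain {sender_domain}"
            )

    return warnings


if __name__ == "__main__":
    for label, raw in [("reply-to spoof", REPLY_TO_SPOOF),
                       ("name spoof", NAME_SPOOF),
                       ("genuine", GENUINE)]:
        print(label, "->", check_message(raw) or "no warnings")
```

Run as a script it reports one warning for each of the two spoofed samples and none for the genuine one. The staff directory is the defender’s version of the list the spoofer farms from the website: if the name appears in the directory, the address must be the one on record. A mailbox rule or gateway filter applying the same two checks would flag exactly the messages this post describes.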

And this is key – so many cyber attacks rely on employees not being aware of security policies. Employees (your first line of defence when it comes to IT Security) are being specifically targeted, and encouraged by the hackers (who have done their research) to act in a way they normally would.

Therefore it’s so important to make everyone in your organisation aware of these techniques, so that they are able to spot small inaccuracies or suspicious circumstances.

To help you understand the current threats, our National Technical Director Paul Burns has put together a really informative podcast which you can watch here: