Recently, we wrote an article about how you can identify a dangerous email. In this piece, we touched briefly on the subject of email spoofing, but within the context of many other types of malware.
Email spoofing, however, has become such a prevalent threat that we felt it appropriate to dedicate more time to the topic. In the past few months we’ve seen multiple attempts across our client base (fortunately none successful), and the frequency and sophistication of these malicious emails will only increase as time passes.
So what exactly is email spoofing, and how can you best protect your business from falling prey to this frightening trend? We’ll walk through it all below.
What is email spoofing?
Email spoofing is essentially forgery; it’s a message that is sent by one address, but that appears to come from another.
What we’re seeing a lot of today are fraudulent requests for wire transfers. The email request will appear to come from the organization’s CEO (sometimes with a slightly altered email address, sometimes not), and will be directed to the CFO or Controller. The CEO will request a wire transfer for any number of reasons, and provide instructions for where the payment should be directed.
We’ve even seen cases where the recipient is supposedly brought into the tail end of an email chain where top executives have already discussed and approved the transfer amongst themselves.
The emails are all phony, and they’re all coming from a hacker who has taken the time to do their homework on the organization they’re targeting. In many cases the emails are so convincing that the well-intentioned recipient will wire the money without hesitation.
This, of course, ends up making the actual email sender very rich.
How can you protect your business from email spoofing?
Unfortunately, there is no reliable method of “blocking” these emails from reaching your Inbox; while your IT team can retroactively blacklist the original sender and their IP address, most spoofed emails have none of the red flags that a spam filter would catch.
That’s partly because many email clients—Gmail especially—make it unsettlingly easy for users to mask their email address with another. The good news here is that Google is finally making attempts to fix this vulnerability, despite originally dismissing it as a non-issue.
While this is forward progress, we all know by now that hackers are relentless, and will devise ways to skirt most security protocols. The single best method of protection, then, is in the hands of you and your staff: be highly suspicious of any emails asking for money or personal information.
Before ever sending out sensitive information or completing any wire transfers, either:
1. Call the supposed sender to verify that the email is legitimate; or
2. Start a separate email chain with the sender asking if they did in fact request that information.
It is an extra step for very busy people, but it could literally save your organization thousands in bogus transfers.
Trust your gut when it comes to these kinds of messages, and don’t hesitate to reach out to your IT team if you ever receive a questionable email—they’ll be happy to investigate for you.
When it comes to your organization’s security, after all, you really are better safe than sorry.
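As an added example (not from the original article), here is a header check an IT team might run when investigating a questionable message: it flags a slightly altered sender domain, an executive's display name on an outside address, and replies routed away from the visible sender. The domain `example.com`, the name "Pat Lee", the 0.8 similarity threshold and the sample messages are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the organization's real mail domain
EXEC_NAMES = {"pat lee"}     # assumption: display names attackers would imitate

def _domain(header_value):
    """Lowercased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """Return reasons to verify the sender by phone before acting."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    reasons = []
    # Slightly altered address: close to, but not exactly, the real domain.
    similarity = SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio()
    if from_dom != ORG_DOMAIN and similarity >= 0.8:
        reasons.append("lookalike-domain")
    # An executive's name is displayed, but the address is external.
    if name.strip().lower() in EXEC_NAMES and from_dom != ORG_DOMAIN:
        reasons.append("exec-name-external-address")
    # Replies or bounces are routed away from the visible sender. Legitimate
    # bulk-mail services also do this, so treat it as a prompt to check.
    for header, tag in (("Reply-To", "reply-to-mismatch"),
                        ("Return-Path", "return-path-mismatch")):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            reasons.append(tag)
    return reasons

# Constructed sample messages (not real mail).
BODY = "To: controller@example.com\nSubject: Wire transfer\n\nPlease wire the funds.\n"
LOOKALIKE = "From: Pat Lee <pat.lee@examp1e.com>\nReturn-Path: <pat.lee@examp1e.com>\n" + BODY
EXACT = "From: Pat Lee <pat.lee@example.com>\nReply-To: pat.lee@mailbox.invalid\n" + BODY
CLEAN = "From: Pat Lee <pat.lee@example.com>\nReturn-Path: <pat.lee@example.com>\n" + BODY

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("exact", EXACT), ("clean", CLEAN)):
        print(label, spoof_indicators(raw))
```

An empty result does not prove a message is genuine, so the phone call or separate email chain described above still applies to any request for money or personal information.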