Is Email Spoofing Damaging Your Reputation?
The landscape for cyber-crime is ever changing and in the game of cat and mouse, where the legitimate user or business is definitely the mouse, it’s imperative that every angle of attack from a would-be hacker is closed off.
Proactive, sensible users of emails and other corporate systems have already lined up their defensive posture to the hackers with good firewall rules and policies, multifactor authentication, and Zero Trust Architecture (ZTA), which provides a strong, robust set of defences against the different ways hackers try to access networks and computers.
Not familiar with any of the above? A great introduction to Zero Trust can be found on the NCSC (National Cyber Security Centre) website here:
Zero trust architecture design principles – NCSC.GOV.UK
But even when these defences are in place, we still have to communicate, do business with known and unknown people and companies that we’ve only ever met online in an email or a Teams or Zoom call – How do we protect ourselves and ensure secure email communication then?
We can’t seal off our email system
As the sophistication of the bad actors increase, the tactics used become ever more complex in an attempt to conceal their identity, and they recognise that email is the easiest way in. The negative result in being cautious of this form of attack is that it slows down our ability to respond to emails, as our guard is up on the messages we receive even when security products are in place helping to scan and reject obvious attacks. If the hacker is spoofing your email domain, the result can be even more disruptive. It can damage personal and businesses reputation when your email has been used to deliver a string of emails to a customer or supplier from your legitimate email domain and address laden with links and other payloads ready to wreak havoc on the first unsuspecting user to open one.
Let’s put it in a non-IT context, think of your house and the front door. If you have a good level of security in place, it’s unlikely that a bad actor is going to waste a lot of time trying to break in. It’s like having a five-point mortis lock on your front door when the burglar walks down your street.
But with email you have left the fan light open on a downstairs window as you need some air in the house – and there’s the “opportunity” to gain entry to your house, and if the burglar has the right tools with them, they’re in.
The fan light is your email system, your business needs to breath too, right? But you can’t hermetically seal off your business to everything in and outbound.
Why email is a target?
As suggested earlier, we can’t hermetically seal off our businesses from threats, we have to communicate with others over email, and so email is an obvious target for hackers. Early attacks tricked the user into clicking a link provided in the email which had passed the spam filter, bypassing that pesky security.
We all became aware of the unwanted and unsolicited mail being dangerous, as well as a nuisance, and set up junk and spam folders, whitelists of approved users, and blacklists of the ones we never wanted to hear from again as a way to secure email communication.
The bad actors moved the goalposts again, this time impersonating email addresses and asking unsuspecting users to do things like buy gift cards or vouchers, or transfer money somewhere. Savvy users realised by hovering over the email address it would reveal the real senders address, exposing the impersonation of the real users email address. But unsuspecting users were and, unfortunately despite lots of information on how to protect yourself, still are being caught. Spear phishing is still a very effective tool in the bad actor’s toolbox.
Lately, security products such as Microsoft Defender, Webroot, Norton etc. have enhanced the capability to spot these attacks. They actively search out the rogue emails being sent, and ensure they never come near our inboxes, or are quarantined off so we can inspect them from afar in our own time. But the game of cat and mouse continues with the bad actors essentially shape shifting as soon as the tools catch up with the latest attack vector.
In the next level of the hackers’ iteration, they have realised they can impersonate one of the records used within the SMTP (Simple Mail Transfer Protocols), the core protocol behind your email platform. The record in question is the SPF (Sender Policy Framework) record, which defines the process for your @company.com domain to identify its IP addresses and any domains to be used as the sender of legitimate emails. By changing some of these records, including the SPF record, bad actors can create the ability to send an email that looks from your email address and domain to an unsuspecting user who is on the recipient’s safe sender or whitelist and, therefore, is passed to their inbox with minimal scrutiny.
SPF forms one of a “holy trinity” of controlling records in your SMTP and domain setup that, working together, can tighten email security significantly. The two remaining records, DKIM and DMARC (along with SPF), are present in every email address and domain and contain “identifiers” that, in unison, can provide an increased level of email authentication that is difficult for the hackers to impersonate.
Why is this such a problem?
We’re lulled into a false sense of security that our systems are doing the job. We rarely question “how” the system works or what risks are being mitigated, which means the email defences that a vast majority of users have in place are still vulnerable to this level of spoofing. Without specific action to ensure the email records are genuine, the anti-spam, anti-phishing software will treat the incoming email as a trusted sender, and hey presto, the defences have been overcome again.
Don’t become complacent or despondent.
If you have got to the end of this blog and thought “what’s the point?” – then don’t be despondent. The fight against cyber-crime is a long game and not a one-time fix, it’s evolving constantly which is why a proactive approach to IT systems and cyber security is always the best policy. The email records that are mentioned in the blog are easily identified and, with the right knowledge, can be changed to provide a new layer of defence in the fight against email spoofing quickly, and with no user involvement, to aid secure email communication.
It’s part of an arc of security and defensive measures that should always be considered and, even if you’re not looking to implement today, understanding how the security products market fits together is really important and is why larger organisations employ CISOs (Chief Information Security Officers). Many businesses incorrectly rely on “one tool or piece of software” to provide their security posture, and it’s important to note that data security and privacy (including the information of your clients and staff) has legal implications if nothing is being done to protect from unauthorised access.
For SME’s, the ICO has a set of information that is helpful about mitigating phishing attacks that can be found here:
Vissensa are always on hand to provide impartial advice and guidance on the best way to secure our business and create secure email communication, and have a number of free easy step guides that discuss the main topics. They can be found on the Vissensa website here:
In the follow up blog, the discussion will dive a bit deeper, technically, on how to set up the defensive posture for email spoofing and how the holy trinity of email records SPF, DKIM and DMARC can be used to tight up your email traffic.