I’ve seen a major uptick lately in e-mail spoofing attempts among my clients – mostly in which only the name is spoofed and not the actual e-mail address (example: from “Bill Gates” while sent from SillyPickelz@us34.net), but also some solid full spoofing attempts (in which both the name and e-mail look entirely legitimate to the organization – e.g. Bill.Gates@microsoft.com).
Why would there be a major uptick? Probably just because spoofing works – so hackers do more of it. “You dance with the one who brung ya“, as legendary college football coach Darrell Royal used to say. I recently witnessed a situation unfold in which a successful spoofing attempt cost a client over 10 grand. If the money is there, the hackers will dare.
Here’s the unfortunate truth: There’s nothing you can do to control spoofed accounts. A phishing attempt which spoofs both name AND e-mail address takes a bit more work to leverage, but an e-mail account which just spoofs the name is quick and easy with a high potential for payoff. Just make a free e-mail address with the spoof name attached and spam away. We can’t control what goes on outside of our own enterprise security environment.
We do, however, have a LOT of control over what goes on inside the enterprise security environment. So what can we do to deal with spoofing attempts? Consider the following three tips:
1. Utilize a Properly Configured Spam Filter.
Basic, but effective: a properly configured spam filter will do wonders to filter out spoofing attempts. For instance, a spam filter configured to validate SPF compliance on messages will ensure that the message complies with the alleged sender’s SPF record – helping the filter figure out if the message is legitimate or not.
Honestly, most spam filters used at the enterprise level are set to optimal levels by default – strict enough to catch crooked messages and lax enough to not snag too many false alarms, but with an overall bias on the strict side – and shouldn’t be modified without good reason and specific plan in place. So really, this tip could almost be better titled “Don’t Mess With Your Spam Filter” – keep those stricter settings in place and get yourself in the habit of checking your spam folder once in a while, just to be safe.
I say this because I’ve worked with clients in the past who decided they didn’t want to risk ANY accidental spam false-alarms and demanded that the spam filter be configured to lower security settings – a very bad idea in almost every case that should be strongly pushed back against. Never sacrifice security for convenience.
2. Leverage External Sender / Recipient Warnings.
This is one of the most effective yet simple things you can do to protect users from engaging with spoof attempts when the e-mail address doesn’t match the organization. With External Sender warnings, e-mails will come flagged with a warning when messages arrive from outside the organization:
…so even if the name matches that of the CEO, the message will still be flagged because the e-mail address was sent using a domain separate from the organization’s domain. Even if the spam filters don’t catch this message, the External Sender warning will help alert the user to the fraudulent message.
External Sender warnings are available in Office 365 – far and away the most popular enterprise e-mail solution – but are NOT available in Google’s G-Suite, another increasingly popular choice. However, G-Suite does offer External Recipient warnings – which are more or less the opposite: When a user goes to reply to an external email, they’ll be shown a warning indicating that the recipient is outside the organization – alerting any users who may think they’re replying to an e-mail from the CEO.
Click here for more info on managing these alerts in Office 365. Click here for managing the External Recipient alert in G-Suite. None of this helps if the hacker is spoofing the domain too – but for the much easier-to-send spoofed name-only messages, this will help.
3. Train. Your. Users.
You knew this one was coming. Recommending user training is a truism which should hardly need to be said… but it does need to be said, because your users are your weakest link. If they don’t know what to look for and how to respond, then no amount of proper spam filtering and external e-mail alerting will save you – someone will eventually get through and cost you a lot of money. A consistent, ongoing training program to remind users of popular phishing techniques will do wonders to keep them vigilant.
In my opinion, one of the best and most simple things you can do to help users sniff out fraudulent e-mail spoofing of other users within the company is to have an open-door policy regarding the verification of e-mail legitimacy. If the CEO appears to have sent HR an e-mail asking for a list of personnel and their SSNs for an audit, the HR rep should feel absolutely free to reach out to the CEO – or at least their Executive Admin – and verify the legitimacy of the message without fear of being ostracized for annoying people. This needs to be a part of company culture: Never punish anyone for practicing cybersecurity awareness within reason.
In addition, a clear expectation should be set with the whole organization on various practices – like, “Never Send Money via E-mail”. Define a clear way by which funds are transferred within the organization or in the course of business and stick to it – this way, users can get sufficiently suspicious when a spoofed version of their CEO asks them to send Amazon gift cards attached to an e-mail.
Spoofing is a very real and very effective threat. Don’t wait until it’s too late – put the above tips into action and keep the organization vigilant!