Spoofing business emails. Three words to set alarm bells off for every firm

From the

What has amazed me is that in 2019 companies are still falling for this simple scam!

The Headline 2017:

“A finance director of a large company lost 50k in five minutes by email! The finance director receives an email from his boss; the email looks kosher and the email headers say it is from his account. In the email, he says a new supplier needed to be paid urgently - £50,000 to secure components for an important contract. He goes on to say that he wanted it done as soon as possible because he was on holiday and doesn’t want to worry about work anymore. This rang true to the finance director because his boss had already posted a photo of his Greek island getaway on Instagram that morning. His email address looked genuine and it had all of the bank wire transfer information with the email, so he proceeded with his assigned task. But, of course, it wasn’t the boss.” His email address had been spoofed!

What is spoofing anyway and how is it done?

Well, it’s a simple process of changing the sender’s address in the email header. The email protocol is a set of rules governing the processing of emails, and these rules are based on the conceptual processes of the physical postal service. In less technical terms, the sender’s address is the return address on the back of a letter. For the postal service (physical or electronic) to work, only the recipient’s address is required. The return address is provided as an identifier to which return mail can be sent. Changing the sender’s address will not stop the postal service from delivering the letter or message.

The email protocol, called SMTP (Simple Mail Transfer Protocol), has no security built in to validate the sending address; it is just text. So, if you change this text field, it has no effect on the sending process of the message. Also, unlike its physical counterpart, email is a point-to-point service; that is to say, the sending server finds the receiving server from the domain name (the bit after the @ symbol) and connects directly to it. So there is no validation that the sending internet address is linked to the sending domain name. This is how a spoofed email can look like it comes from inside the company.

What can you do to protect your business from this?

Well, there is plenty of good advice on the web on how to protect yourself using tools and services.

But where do you start?

Some basic steps:

1) You should get and use good “paid for” antivirus software.

2) Pass all emails via a scanning service like “Proofpoint” (there are many others).

This reduces the risk of an attack using embedded malware, but this will not stop a social engineering attack.

What else can we do?

This type of situation could be avoided by implementing some or all of the following suggestions.

1) Using technology to inform

Have the email system mark every email that arrives from outside the company infrastructure (via the inbound interface) with a header that says it is from a non-company source, such as “External Email!” (talk to your email provider or administrator about doing this). If you have an internal mail server, also block all external messages whose sender address belongs to the company email system, as this should never happen.

2) Education

Provide regular training for staff on the dangers of email and, if you have implemented suggestion 1, on what the new header means and why they should question the authenticity of any email that carries it. Also, talk to them about cybersecurity and create a simple “do and don’t” list with a contact number for cyber queries.

3) Know what upcoming events or issues need to be handled

One way of doing this is to appoint a deputy for every high-level role and keep them briefed. Then, when any high-level manager is away, someone in the business knows what the current state of play is and also knows how to contact them directly if required. The business should also not allow both the deputy and the manager to be away at the same time.

4) Improve your business process

Set out a process for authorising a high-value transaction. Set an upper limit on what can be authorised by any one person or role. This is not the same as a signing limit, but a process limit: transactions over this amount and within the signing limit must be reviewed and authorised by more than one person. The reviewers must feel free to decline the request and state why. Having this in place helps you enforce suggestion 3.

Doing some or all of these suggestions may reduce the risk of this type of social manipulation working.
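
Suggestion 1 as an inbound-gateway check, added here as an example (not code from the original post): it blocks mail arriving from outside that claims a company sender address and tags everything else as external. The domain `example.com`, the function name `handle_inbound`, the `X-External-Sender` header and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: your own mail domain
TAG = "[External Email!]"       # banner text from suggestion 1

# Constructed sample messages, as seen on the inbound (internet-facing) interface.
SPOOFED = ("From: The Boss <boss@example.com>\nTo: fd@example.com\n"
           "Subject: Urgent payment\n\nPlease pay the new supplier today.\n")
EXTERNAL = ("From: Supplier <accounts@supplier.test>\nTo: fd@example.com\n"
            "Subject: Invoice 1042\nX-External-Sender: no\n\nInvoice attached.\n")

def handle_inbound(raw, company_domain=COMPANY_DOMAIN):
    """Return ("reject", None) or ("deliver", tagged Message) for external mail."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    # Exactly one From header is expected; zero or several is ambiguous.
    if len(from_headers) != 1:
        return "reject", None
    _, addr = parseaddr(from_headers[0])
    if "@" not in addr:
        return "reject", None
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # The From header is only text, so an outside sender can claim our domain.
    # Mail from outside with a company address "should never happen": block it.
    if domain == company_domain or domain.endswith("." + company_domain):
        return "reject", None
    # Everything else is delivered, but visibly marked as external.
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    # Drop any marker the sender supplied, then set our own.
    del msg["X-External-Sender"]
    msg["X-External-Sender"] = "yes"
    return "deliver", msg

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("external", EXTERNAL)):
        action, out = handle_inbound(raw)
        print(name, action, out["Subject"] if out else "")
```

Third-party services that legitimately send mail using your domain need an explicit allow-list before a blocking rule like this is switched on.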

As a side note: remember that social media is not your friend when it comes to security. If you use it for business, have a public and a private account. You will need to lock down your private account (see the platform provider’s advice on securing your account) so that only known friends and family have access. Only update your travel and holiday details on your private account. If you must update the public account, do it after you have returned.

