How to Prevent and Avoid Falling for Email Spoofing Attacks

Email spoofing – also known as a domain spoof or direct spoof – is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other kind of action that will result in the attacker capturing login details or other sensitive information like their banking or credit card information.

While some spoofed emails may be flagged by inbound security solutions, they’re often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses.

This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks.

What does a spoofed email look like?

While email impersonation attacks often rely on imperceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools.

For example, a bad actor might craft an email that appears to be “from” a well-known courier service, which for the purposes of this example doesn’t have DMARC set-up. The email will claim there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy people may look for Display Name impersonations, but, because it’s a domain spoof, they won’t notice any inconsistencies.

And, if such an email is sent to many thousands of users (which is one of the techniques hackers use when sending phishing emails) this increases the chance that at least one recipient will be expecting a delivery from the spoofed courier, and, because of that, the target may do what the email instructs.

Incidents of email spoofing

Email spoofing is on the rise.

The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported from these victims was over $300,000,000.

How does email spoofing work?

Email spoofing attacks can be successful simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate the sender information.

In other words, there is no inherent way to confirm that an email comes from the email address specified in the Sender parameter in the email header.

When an email is sent, the initial connection to the receiving mail server contains two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email.

However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send emails on behalf of that domain. Therefore, if the RCPT TO parameter is correct, the receiving server indicates it will accept the email and the sending server proceeds with the rest of the email, including the From, Reply to, and Sender header items, which are similarly not checked by default.

Therefore, an attacker with the right tools at their disposal can easily create and send emails as if they were someone else. This is not hard to achieve, and there are many tools available for them to do this. They can also create a legitimate seeming link in the email that, if followed, will take the recipient to a server under the attacker’s control.

Spoofed emails from the attacker’s perspective

The easiest way to explain how an attack might unfold is to explain it from the attacker’s perspective.

Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update; this will be a document attached to the email. The file itself will contain malicious code, which will give the attacker a foothold on the machine of anyone who opens it.

Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place.

Objective: The attacker’s aim is to run malicious code on Copper Duck machines, in an attempt to gain information on the company network that will uncover further vulnerabilities and also capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data.

Research: The attacker researches Copper Duck, and from publicly available information discovers that it has not registered its domain – @copperduck.com – with DMARC.

They also search for Copper Duck email addresses in public repositories so they can copy the header and footer information. Additionally, they’ll look for any other information, such as employee names and job titles on LinkedIn, which could help them target the attack and create a believable email.

Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill for an attacker to launch a phishing attack, these make it even easier.

They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format.

Once they have the list, the attacker creates the phishing email and the attachment file containing the malicious code. Because Copper Duck has not implemented a method to protect their domain from spoofing, the attacker can easily forge the Sender and other information in the email header.

The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working their way through their inboxes.

Every employee who clicks the link and opens the document will activate the malicious code it contains. It runs on their machine, and sends any sensitive data it can find back to the attacker.

Even if not every employee clicks through, there is a good chance that at least one will. One is all it takes for an attacker to gain a foothold in the network.

Bonus: The time of day an email is sent is one of many important factors that attackers may consider; there are several instances where an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here.

What if there are protections in place? If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to that of Copper Duck (for example, copper-duck.com or coppperduck.com), and prompt the user to follow a link to a server under their control instead.

However, protections like DMARC only stop spoofs of your domain; it won’t protect against all spoofs you might receive (for example, a spoof of one of your suppliers). This means you have to be vigilant both as a consumer and an employee when it comes to protecting yourself from these types of attacks.

What can you do to protect yourself from email spoofing attacks?

Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose?

As a private individual…

Watch for emails that try to instill a sense of urgency in the reader. Attackers often rely on inspiring fear or worry to try to get their targets to act in the way they want
Try to get into the habit of reading emails thoroughly and exercise caution, especially if they contain a call to action, such as following a link, downloading an attachment, or sharing sensitive information
If you have any reason to doubt an email’s legitimacy, such as poor spelling or an unusual tone of voice, check the email address it’s sent from, not just the Sender field or Display Name

Also check any links the email contains for grammatical errors or suspicious URLs
Perhaps most importantly, do not open attachments or follow links that prompt you to log in unless you are absolutely sure they are legitimate. In the case of links, you’re better off searching for the organization and following links directly from their website

As an employee…

In addition to all of the precautions listed above, you should report suspected phishing attacks through the normal channels, such as your system administrators or IT helpdesk
If you suspect you have fallen victim to a phishing attack, again, report it as soon as possible. Everyone makes mistakes, and the better phishing attacks can be hard to spot. The quicker you report it, the better the chances are of remediating the situation. For IT and security teams, oversight is essential

As a business…

Set up proper DMARC records with a quarantine or reject policy, and use other protections such as SPF to help identify spoofed emails before they arrive in your inboxes
Train your employees to spot phishing emails by sharing information with them, such as this article
Actively encourage employees to report the attacks. It is especially important that they feel they can come forward if they’ve fallen victim to one, without fear of blame. This is why creating a positive security culture is paramount.

Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop bad actors from domain lookalike impersonations, training is ineffective long-term, and people won’t do the right thing 100% of the time.

To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender.

What is Tessian Defender?

Tessian Defender is powered by machine learning (ML).

By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of advanced phishing scams, including email spoofing attacks.

To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.

Detect and Prevent Email Spoofing Attacks

Get a Tessian Defender demo

Maddie Rosenthal

Spear Phishing

Business Email Compromise – What it is & How it Happens

11 October 2019

This question should be standard issue at any cybersecurity pub quiz: What increased by 108% one day in September 2019? It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks. No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn. The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019. So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them? Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…

What is Business Email Compromise? Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways: email impersonation (i.e. spear phishing attacks) email account hacking Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack. BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty. Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to the this Tessian blog.) To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag. This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:

It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks? What are common BEC techniques? Supplier / vendor fraud The dangers of external impersonation are becoming better understood, but there is still a learning curve for security leaders within enterprises. Every business has a finite number of employees, which makes it easier for security products to keep on top of potentially suspicious activity on “employee” email accounts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. (Download Tessian’s guide to email impersonation to see this effect in action.) CEO fraud CEO fraud is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. As with other BEC scams, the usual aim is to extract money from the targeted business by coercing an employee into making illicit wire transfers. Whaling Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they tend to be very busy, and because of their access to key systems, senior executives can be especially profitable targets for attackers. Account takeover As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. ATO attacks are understandably extremely hard for traditional technologies to identify as the “genuine” email account is in use. Institutional impersonation Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.) The consequences of BEC As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of. Data breach / credential harvesting Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. Financial losses Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets. Fines Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach. Reputational damage It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most business unprepared to defend against this threat?

Why rule-based technology does not stop BEC Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. (Read our CTO Ed Bishop’s thoughts on Secure Email Gateways and other legacy technologies here.) BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. That’s why organizations must invest in technology that explicitly protects theirpeople. And that’s where Tessian’s software, trained on over 1 billion emails, comes in. Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees. If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.