Mail spoofing, a cyber-threat induced by the victim
Mail spoofing and spear phishing are some of the most prevalent cyber frauds committed in businesses globally.
This current trend is disastrous to company owners regardless of their size. Companies can procure technology such as anti-viruses and firewalls to secure their networks and while this is a necessity, it is only partially effective if managed and maintained by security specialists.
It will however not prevent a well-orchestrated spoofing or phishing exercise, which is generally perpetrated by skilled fraudsters preying on unsuspecting and inadequately trained employees.
But what happens when you fall victim to cybercrime and the loss occurred isn’t in the form of business interruption or damage to computer systems? I’m sure the average business owner in 2019 has heard of an instance where a friend or fellow business owner has paid an invoice to the wrong bank account? This could have been because they received an e-mail informing them that the banking details of a regular recipient have changed. Perhaps a personal assistant or employee in the accounts department has received an e-mail from their perceived superior or CEO instructing them to immediately make payment to a specified account? However, after payment was made, it is found out that the recipient had fraudulently misguided them into making the transaction.
Spear phishing is almost always a socially engineered scenario orchestrated by skilled operators who through research find out human employee characteristics, traits and weaknesses.
Here is an example of spear phishing: Michelle is the CEO of a business and her email address is firstname.lastname@example.org.Michelle is on a conference out of town and her personal assistant Mike receives an email from email@example.com instructing him to urgently pay an invoice to a new supplier or they’ll risk the possibility of losing business. If you look carefully you’ll notice that these are two different email addresses, but at first glance they look the same.There is also a strong possibility that a personal assistant to the CEO wouldn’t question an urgent request for large monitory payments.
Direct email spoofing happens when the incorrect domain SPF and DMARC records are not in place. In 2003, an engineer discovered a way for mail servers to "verify"that the IP address (the unique number that identifies a computer on the internet) sending a message was authorized to send mail on behalf of a specific domain. It's called the Sender Permitted Form (renamed to "Sender PolicyFramework" in 2004). An explanation on how it works: each time an email message was sent, the receiving email server would compare the IP of origin for the message with the IP address listed in the SPF record for the email address’s host (the “@example.com”part). If the two IP addresses match, then the email could pass through to the intended recipient. If the IP addresses did not match, then the email would be flagged as spam or rejected altogether. The burden of deciding the outcome was completely in the hands of the receiving server. Over the years, SPF record shave evolved (the most recent RFC was published in April 2014), and most domains on the internet have SPF records.
What are some preventative measures? If you receive an email resembling the nature that has been described as above, the simple straightforward answer is to call that person and validate the contents of their email.Ways to spot a phishing or spoofed mail is to look at grammar, is it poorly worded? Is there an urgent tone to the mail? Most importantly, would this person usually use this method of communication on the subject matter? In SouthAfrica, consult with your internet service provider to ensure the requisite security records are in place to prevent mail spoofing.
Historically losses such as these were deemed to be a business risk, and were uninsurable. However, some insurers have started including coverage for this under commercial crime. Whilst this is good news for small businesses, it undermines the necessity to have appropriate risk management controls in place. When one considers that fraudulent payments such as these could result in a professional indemnity claim (if the funds transferred are that of a client, and not the business’ own funds), it is imperative that organizations have suitable processes in place to mitigate this risk, which is extremely prevalent. Risk management controls such as two-step verification, whereby instructions are verified in writing and telephonically(using the contact details on file, and not the contact details contained on the fraudulent instruction!); as well as dual authority where there are atleast two individuals who are involved with vetting transactions, will go along way to avoiding what could potentially be a very expensive mistake.