Mail spoofing, a cyber-threat induced by the victim

Mail spoofing and spear phishing are some of the most prevalent cyber frauds committed in businesses globally.


This current trend is disastrous to company owners regardless of the size of their company. Companies can procure technology such as antivirus software and firewalls to secure their networks. While this is a necessity, it is only partially effective if managed and maintained by security specialists.

It will, however, not prevent a well-orchestrated spoofing or phishing exercise, which is generally perpetrated by skilled fraudsters preying on unsuspecting and inadequately trained employees.

But what happens when you fall victim to cybercrime and the loss that occurred isn’t in the form of business interruption or damage to computer systems? I’m sure the average business owner in 2019 has heard of an instance where a friend or fellow business owner paid an invoice to the wrong bank account. This could have been because they received an e-mail informing them that the banking details of a regular recipient had changed. Perhaps a personal assistant or employee in the accounts department received an e-mail from their perceived superior or CEO instructing them to immediately make payment to a specified account. However, after payment was made, it was discovered that the recipient had fraudulently misled them into making the transaction.


Spear phishing is almost always a socially engineered scenario orchestrated by skilled operators who, through research, uncover employees' characteristics, traits and weaknesses.

Here is an example of spear phishing: Michelle is the CEO of a business and her email address is is on a conference out of town and her personal assistant Mike receives an email from instructing him to urgently pay an invoice to a new supplier or they’ll risk the possibility of losing business. If you look carefully you’ll notice that these are two different email addresses, but at first glance they look the same. There is also a strong possibility that a personal assistant to the CEO wouldn’t question an urgent request for large monetary payments.

Direct email spoofing happens when the correct domain SPF and DMARC records are not in place. In 2003, an engineer discovered a way for mail servers to "verify" that the IP address (the unique number that identifies a computer on the internet) sending a message was authorized to send mail on behalf of a specific domain. It was called "Sender Permitted From" (renamed to "Sender Policy Framework" in 2004). An explanation of how it works: each time an email message is sent, the receiving email server compares the IP of origin for the message with the IP address listed in the SPF record for the email address’s host (the “” part). If the two IP addresses match, the email can pass through to the intended recipient. If the IP addresses do not match, the email is flagged as spam or rejected altogether. The burden of deciding the outcome is completely in the hands of the receiving server. Over the years, SPF records have evolved (the most recent RFC was published in April 2014), and most domains on the internet have SPF records.

What are some preventative measures? If you receive an email of the nature described above, the simple, straightforward answer is to call that person and validate the contents of their email. To spot a phishing or spoofed mail, look at the grammar: is it poorly worded? Is there an urgent tone to the mail? Most importantly, would this person usually use this method of communication on the subject matter? In South Africa, consult with your internet service provider to ensure the requisite security records are in place to prevent mail spoofing.


Historically, losses such as these were deemed to be a business risk, and were uninsurable. However, some insurers have started including coverage for this under commercial crime. Whilst this is good news for small businesses, it undermines the necessity to have appropriate risk management controls in place. When one considers that fraudulent payments such as these could result in a professional indemnity claim (if the funds transferred are that of a client, and not the business’ own funds), it is imperative that organizations have suitable processes in place to mitigate this risk, which is extremely prevalent. Risk management controls such as two-step verification, whereby instructions are verified in writing and telephonically (using the contact details on file, and not the contact details contained on the fraudulent instruction!), as well as dual authority, where at least two individuals are involved with vetting transactions, will go a long way towards avoiding what could potentially be a very expensive mistake.
