I consider myself a pretty tech-savvy individual. I’ve been using a computer since the days of Wordperfect, dial-up and Netscape Navigator. When email scams first went mainstream, they seemed pretty easy to spot, and I’ve honestly never been able to understand how people fall for it. But, they do.
Last week, I became living proof that no end user is immune. I was sitting at my desk when an email popped up from a colleague who works for a different company.
“Hey, can I ask a favour?” it said.
I responded back immediately, “Of course, what can I do for you?”
As soon as I hit send, it dawned on me. My colleague hadn’t addressed me by name in the greeting, and the subject line was out of character for him. I looked at the email signature more closely – it was spot on to the company branding, but his job title was wrong. Then I noticed that I had been blind copied, and when I opened the sender details, I discovered the email hadn’t actually come from my colleague at all. Just then, a follow-up response popped up with a sympathetic story that ultimately culminated in an ask for money. “Crap,” I said to myself, “I’ve been duped.”
Thankfully, nothing came of it, and I hadn’t opened an attachment or anything (so I still had some respect for myself), but it got me thinking: This colleague works for a large, sophisticated and reputable company. If a company like this can fall victim to email scams, we have a bigger problem than most of us realize.
What is email spoofing?
Spoofing is a type of email forgery used in phishing and spam campaigns to trick recipients like me into opening an email. Spammers forge the name and address in the “From:” header to make the email look like it’s been sent by a legitimate source or somebody familiar. The goal is to get you to respond so they can solicit you for money or information like account details, passwords or credit card numbers. Generally, if you don’t respond, you’re safe.
Spoofing is shockingly easy. There’s no law that says an email sender has to identify themselves. All the spammer has to do is change a few settings in the outgoing email configuration, and presto. They don’t need to hack anyone’s email account to do it either.
The Government of Canada’s cybercrime statistics estimate that Business Email Compromise (BEC) is responsible for more than $5 billion in thefts worldwide, including the targeting of Canadian businesses. Although specific statistics are lacking, it’s become so common that some Canadian banks are refusing to communicate with their corporate customers via email until they can prove they have sufficient spoofing safeguards in place.
Email authentication protocols
The key to protecting against spoofing is a combination of DNS records known as SPF, DKIM and DMARC. For maximum effect, you need all three. It’s kind of like going through security and boarding a plane at the airport, but less ridiculous.
Sender Policy Framework (SPF)
SPF specifies which service or services are allowed to send email using your organization’s domain. It grants exclusive authorization to the email service in use within your company, such as Google or Outlook, and it publishes that authorization as a DNS record that the receiving email service can look up. The receiving service checks the IP address of the connecting mail server against that record, and if the email does not originate from an authorized service, the check fails and the email is rejected. Think of this like the departure city listed on your plane ticket – you can’t just go to any airport and board any plane to reach your destination.
DomainKeys Identified Mail (DKIM)
DKIM is a way for organizations to transmit email messages that can be verified by other email service providers through cryptographic authentication. The originating server signs selected headers and a hash of the message body with a private key, and the organization publishes the matching public key in a DNS record that receivers use to verify the signature. When the signature verifies under that public key, the receiver knows (1) the email did originate from a server holding the sender’s private key, and (2) the signed content was not modified in transit. This is similar to checking in through customs in a foreign country. Even though someone checked your ID when you left, you can be damn sure the receiving country is going to verify the legitimacy of your passport, travel details and identity before they let you in.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC sets an additional policy on top of the SPF and DKIM checks: the domain in the visible “From:” header must align with the domain that SPF or DKIM actually authenticated. In order to be accepted and delivered by the receiving email service, the email message must pass at least one of the SPF and DKIM checks, and the domain that passed must align with the “From:” domain according to the DMARC policy published for it. DMARC adds an additional layer of control by allowing the sender to instruct email service providers how to handle unauthenticated messages (i.e., monitor and report, quarantine or simply reject). DMARC is the bigger picture, kind of like your country’s policy on citizens traveling abroad along with its international agreements for deportation and extradition.
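To make the three checks above concrete, here is an added example (not code from the article or from any email provider) that plays the receiving mail service: it evaluates an SPF record for the connecting IP, verifies a DKIM body hash and header signature against a public key fetched from DNS, and then applies DMARC alignment and the published p= policy. Every domain, IP address, DNS record and message is constructed, and the DKIM signature uses a 12-bit textbook RSA key (n=3233, e=17, d=2753) purely as a stand-in for the 2048-bit RSA-SHA256 keys real deployments use; the public/private split is the real DKIM model, the key size is not. The four scenarios cover a genuine message, the same message forwarded through another server, an unsigned forgery of the “From:” header like the one in the story, and a message whose body was altered after signing.

```python
# Added example (not from the article): receiver-side SPF, DKIM and DMARC checks over a constructed
# DNS zone. Domains, IPs, keys and messages are constructed; DKIM uses a 12-bit textbook RSA toy key.
import base64
import hashlib
import ipaddress
import re

DNS_TXT = {  # constructed TXT records standing in for live DNS lookups
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa-toy; n=3233; e=17",  # real records carry base64 DER in p=
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}
TOY_PRIVATE_KEY = {"n": 3233, "d": 2753}  # d = 17^-1 mod 3120; pairs with the sel1 record above
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_tags(record):
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)  # 'k=v; k=v' -> dict

def spf_check(client_ip, domain, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of the domain's SPF record for the connecting IP."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no record, or runaway include chain
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "include" and spf_check(client_ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"

def body_hash(body):
    """bh= tag: SHA-256 of the 'simple'-canonicalized body (CRLF endings, trailing blank lines dropped)."""
    canon = "\r\n".join(body.replace("\r\n", "\n").rstrip("\n").split("\n")) + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def header_digest(headers, signed_names, sig_without_b, n):
    """SHA-256 over the signed headers plus the DKIM-Signature header with b= emptied, reduced mod n."""
    data = "".join(f"{name}:{headers.get(name.lower(), '')}\r\n" for name in signed_names)
    digest = hashlib.sha256((data + "dkim-signature:" + sig_without_b).encode()).digest()
    return int.from_bytes(digest, "big") % n

def dkim_sign(headers, body, domain, selector, signed_names, key):
    """Signer side: build the DKIM-Signature header value with the private key."""
    tags = f"v=1; a=rsa-toy; d={domain}; s={selector}; h={':'.join(signed_names)}; bh={body_hash(body)}; b="
    return tags + str(pow(header_digest(headers, signed_names, tags, key["n"]), key["d"], key["n"]))

def dkim_verify(headers, body):
    """Receiver side: fetch the selector's public key from DNS, check bh= and the header signature."""
    sig = headers.get("dkim-signature")
    if not sig:
        return "none", ""
    tags = parse_tags(sig)
    key = parse_tags(DNS_TXT.get(f"{tags['s']}._domainkey.{tags['d']}", ""))
    if key.get("v") != "DKIM1" or tags["bh"] != body_hash(body):
        return "fail", tags["d"]
    n, e = int(key["n"]), int(key["e"])
    expected = header_digest(headers, tags["h"].split(":"), re.sub(r"b=[^;]*$", "b=", sig), n)
    return ("pass" if pow(int(tags["b"]), e, n) == expected else "fail"), tags["d"]

def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: strict = exact match; relaxed = same org domain (last two labels here; real code uses the PSL)."""
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return auth_domain.lower() == from_domain if mode == "s" else org(auth_domain) == org(from_domain)

def authenticate(headers, body, client_ip, mail_from_domain):
    """Run SPF, DKIM and DMARC; return the three results plus the disposition the policy asks for."""
    from_domain = re.search(r"@([\w.-]+)", headers["from"]).group(1).lower()
    spf = spf_check(client_ip, mail_from_domain)
    dkim, dkim_domain = dkim_verify(headers, body)
    policy = parse_tags(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    result = {"spf": spf, "dkim": dkim, "dmarc": "none", "disposition": "accept"}
    if policy.get("v") != "DMARC1":
        return result  # no DMARC record: nothing tells the receiver what to do with a failure
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    result["dmarc"] = "pass" if (spf_ok or dkim_ok) else "fail"
    if result["dmarc"] == "fail":  # p= is the sender's instruction: none (monitor), quarantine or reject
        result["disposition"] = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy.get("p", "none")]
    return result

GENUINE_HEADERS = {"from": "Alice <alice@example.com>", "to": "bob@partner.example", "subject": "Q3 invoice"}
GENUINE_BODY = "Hi Bob,\nattached is the Q3 invoice.\n"
GENUINE_HEADERS["dkim-signature"] = dkim_sign(
    GENUINE_HEADERS, GENUINE_BODY, "example.com", "sel1", ["from", "to", "subject"], TOY_PRIVATE_KEY)
SCENARIOS = {  # constructed deliveries: (headers, body, connecting IP, SMTP MAIL FROM domain)
    "genuine": (GENUINE_HEADERS, GENUINE_BODY, "203.0.113.5", "example.com"),
    "forwarded": (GENUINE_HEADERS, GENUINE_BODY, "192.0.2.50", "example.com"),  # SPF breaks, DKIM survives
    "spoofed": ({"from": "Alice <alice@example.com>", "to": "bob@partner.example", "subject": "Can I ask a favour?"},
                "Are you at your desk?\n", "192.0.2.99", "bulk-sender.example"),  # forged From:, unsigned
    "tampered": (GENUINE_HEADERS, GENUINE_BODY + "Please pay to the new account.\n", "192.0.2.50", "example.com"),
}

def run_all():
    return {name: authenticate(*args) for name, args in SCENARIOS.items()}
```

Calling run_all() returns one verdict per scenario. The “forwarded” case is the practical reason the article insists on all three records: forwarding changes the connecting IP, so SPF alone would reject legitimate mail, while the DKIM signature still verifies and keeps DMARC passing. The “spoofed” case shows the other half: with no signature and a MAIL FROM domain that never authorized the sending host, the only thing standing between the forged “From:” and the inbox is the p=reject policy the domain owner published.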
Don’t try this at home
Email spoofing and other forms of email fraud are no joke, and the email authentication protocols required to protect your business are complex and extremely technical. Ignite Security Solutions Group specializes in all forms of cyber security, including email security. Our expert technicians bring decades of experience working with businesses just like yours to assess, identify and resolve gaps in your current fraud-protection strategy. Contact us today to learn more.