Today we share some more valuable email security insights from experienced IT pro Steve Havert. In this post Steve looks at email spoofing, the tool often used by spammers to spread phishing campaigns.
E-mail spoofing has been used for a long time as an effective way for spammers to reach their targets. Although there are methods for identifying a spoofed email address, none of them are perfect and they risk the chance that some legitimate emails will be classified as spam. A spoofed e-mail is simply one where the sender address has been forged. When a recipient receives the message they believe it has come from a known source and may be more likely to open it, click on a link in the message or open an attachment. Using this technique, cyber-criminals can achieve any number of objectives including phishing, installation of malware, accessing confidential data, etc. The latest headline-grabber, “Locky”,most commonly spreads through spam email, many mostly disguised as invoices and often using a spoofed email address.
The first time I came across a spoofed email address I was running my own IT consulting business providing IT outsourcing services to small businesses. At the time, the biggest threats from opening malicious email were computer viruses. In this case my client had opened an attachment on an email he received from a business associate (or so he thought) and released a virus which didn’t do much damage but turned his computer into a spambot.
The sender email address is forged
He suspected a problem once he started receiving a large quantity of Non-Deliverable Reports (NDRs) in a short amount of time. His email address book contained quite a few invalid email addresses and the spam his computer was generating was being kicked back by the servers of the invalid addresses. He was surprised that his business associate would send an infected email. He contacted the associate to warn him that his (the associate’s) computer was infected. The associate ran several virus scans and came up with nothing. By the time my client called me he was baffled. As soon as I looked at the offending email’s header I realized what had happened. I explained the concept of email spoofing to my client. He was incredulous that someone was able to forge a sender email address.
How email spoofing has evolved and got riskier
I sometimes look back at those times as the good old days. The types of attacks my clients experienced tended to cause minimal damage. Mostly they would start getting annoying pop-ups or their computer would start to slow down as a spambot engine started churning out emails to everyone in their address book or a background program uploaded browsing history to a server somewhere.
An expensive disaster
Occasionally there would be an expensive disaster – as when a client’s computer was infected with the ILOVEYOU virus (attached to a spoofed email) which overwrote several hundred files before he realized there was a problem. If he had been backing up his computer on a regular basis (like I had instructed him), there would have been no disaster. (As the saying goes, “You can lead a horse to water, but you can’t make him drink.”)
No business is immune from data loss.
The risks from spoofed and malicious emails are much greater today. Individuals can lose financial security due to identity theft. Organizations’ databases can be mined for social security numbers, credit card information, health records, bank account numbers, etc. leading to billions of dollars in damages to, not only the organization, but also the people whose information has been stolen. Small businesses are often the victim of significant financial damage caused by malicious emails. We usually don’t hear as much about these as we do the large Targets, Sonys and Homebases of this world.
I had one client lose several hundred files to a virus which came through as a spoofed email attachment. These were current files which were critical to a project that the company was working on but which had not been backed up yet. They had no choice but to recreate the documents from scratch or older versions costing them thousands of dollars in overtime. No business is immune from data loss and small businesses often suffer the worst pain.
Staying protected from phishing attempts using spoofed emails
Despite the fact that it’s relatively easy to protect against spoofed emails it’s still a common technique used by spammers and cyber-criminals. It does take some effort, and therefore money, to combat email spoofing. I suspect that is why many small companies do not take the necessary precautions. My recommendation to my clients is pretty straightforward:
- Subscribe to a highly effective spam filter service and re-evaluate its effectiveness annually.
- Assign someone (if not an employee, hire an IT outsourcing firm) to monitor and administer the email system including the spam filtering service. This is not a trivial task as email functionality changes, new threats evolve constantly and email addresses are in frequent flux due to personnel changes.
- Educate employees about email spoofing and other techniques used by spammers and cyber-criminals. Train them on what to look for when scanning their inbox so they can quickly identify potential malicious emails. Provide them with a resource who can help them decide if they are not sure if an email is bogus.
Email is a necessary and extremely useful business communication tool. Unfortunately, because it's used so much it makes an easy target for cyber-criminals. For an average email user it’s a difficult task at best to spot a malicious email among the hundreds or thousands that pour into their inbox. That is why it's so important for organizations to allocate the resources and funds to protect their personnel and their organization from all the threats that may arrive as an innocent looking message from a friend.
Want to learn how to block phishing threats before they reach your customers? Check out our spam filtering essentials checklist.
About Steve Havert - Steve Havert is an independent IT professional based in Seattle, WA. He has spent his thirty-six year IT career working in every facet of IT for large corporations as well as his own IT consulting business in Orange County, CA. He continues to work as a freelance consultant while pursuing a second career in photography."