Understanding Email Spoofing Threats

The sender's email address in a message you receive might not be from the person you think! Spoofing email addresses is easy with current email systems, and it's a common way attackers trick users into downloading malware or opening a malicious web page. Although it's easy for cyber-criminals to spoof sender email addresses, corporations have options to stop these malicious messages from reaching user inboxes.

 

What is Email Spoofing?

Most users are aware of the sender's information in an email message. Setting a sender is required before an email can be sent, but a user-friendly email application fills in the sender address for a user so that it doesn't need to be manually entered. Email applications fill in the sender's information, but the sender can be set to any value.

Servers around the internet can be configured to support email protocols, but email protocols do not require any authentication or verification for the sender. An email sender could say they are anyone including a real person or a fictional person. Many scammers use real names of executives at well-known corporations. Using real people makes the scammer look more legitimate even if a user researches the sender's information.

Email spoofing is used mainly in phishing but can also be used with social engineering in more sophisticated attacks. Sophisticated attacks target specific high-privilege users with extensive permissions to sensitive data, including executives, HR staff, network administrators, developers, or accounting people. Phishing with spoofed email addresses is successful when several high-privilege users are targeted, and only one person falls for the attack. 

A sender address can also be a minor misspelling in a domain name or user account name. Threat actors will register domain names similar to an official one and use the name of a well-known staff member as the sender address. If users do not notice the misspelling in the domain name, they could trust an embedded link or malicious attachment. 

 

How Email Spoofing Works

An attacker might use a well-known name at a large enterprise as the sender address, or the attacker might use a random fictional name. How an attacker approaches the scam depends on their sophistication in phishing strategies and goals. For example, suppose the goal is to trick users into clicking a malicious link and submitting their network credentials. In that case, it might be more believable with a known email address from an internal staff member or a group name from a legitimate business (e.g., customer_support@business.com). 

With an email address chosen, the attacker creates an email. The email could be a simple text message, or a more sophisticated phishing attack could use formatting, logos, and images from an official site. If the attack is meant to trick internal users into divulging their network credentials on a malicious website, the attacker might use formatting and images from the user's employer.

Email spoofing is possible because Simple Mail Transfer Protocol (SMTP) is configured to work. SMTP is an older protocol created in the early days of the internet when authentication was not necessary. It allows anyone to send a message to anyone on the internet with any sender address without validation. The only way a user would know that their email account is being used is if they receive a response from the email message recipient or the recipient's email address does not exist, and the recipient's email sender sends a notification that the address doesn't exist.

The malicious sender can specify anything in the email message, including a link to an attacker-controlled server or a malware attachment. Both methods trick users into divulging sensitive information, but most users do not know the warning signs of a spoofed message. Every email message has headers that explain the path a message took as it traveled across the internet to the recipient's server, but users do not view headers even if they did see warning signs for phishing.

If the attacker uses a malicious link and a user clicks it, the attacker's landing page tries to convince the user to enter their credentials to authenticate. Instead of authenticating into a legitimate application, the user's credentials are sent to an attacker. The attacker collects credentials and either compiles a list to sell on darknet markets or uses the credentials to authenticate into the user's account. Both scenarios are dangerous for enterprise security and could result in a critical data breach.

Malicious attachments are also standard in email spoofing strategies. An attachment could be a Word document, an Excel spreadsheet, or an executable script. Any Microsoft Office 365 document can contain macros, and these macros can be scripted to connect to an attacker-controlled server, download malware, and install it on a local machine. The entire process runs in the background of the user's computer so they are unaware of malicious activity. 

After the user opens a malicious file and a script runs, malware is downloaded and installed on their local machine. Currently, it's common for attackers to download malware that silently steals data or gives an attacker remote control of a user's computer. The other common threat is ransomware, which scans the network for critical files and encrypts them with an irreversible encryption key. The only way to recover ransomware-encrypted files is to pay the ransom, but paying the ransom does not guarantee that files will be recovered.

An attacker aims to extort an organization out of money with encrypted files. If the attacker steals data from malware or compromised credentials, it's more common for the attacker to sell the data on darknet markets. With enough stolen identities, credentials, or data, an attacker can make a seven-figure payout from only one successful phishing email. 

 

Why Organizations need to Know About Email Spoofing?

Email spoofing and phishing are the second most expensive cause of a data breach. According to an IBM report, data breaches caused by phishing costs businesses an average of $4.65 million. The number one expensive cyber-attack that costs organizations an average of $5.01 million per breach is Business Email Compromise (BEC), when attackers spoof a high-level executive account to trick users into sending sensitive information or transfer money from a business bank account to an attacker-controlled account.

 BEC is quickly becoming a typical sophisticated phishing attack with much more difficult research necessary for success, but an attacker could gain millions in return for their efforts. For example, in a BEC strategy, an attacker might spend weeks researching the organization and collecting data on essential staff members. The attacker then targets employees that could have access to bank accounts, sensitive information about employees or customers (e.g., HR staff has access to social security numbers or accounting has access to financial information), or access to critical infrastructure such as databases or web servers.

Spoofed email addresses are the primary strategy in many of these expensive attacks, so businesses must be aware of the red flags, and users should be trained to identify them. Unfortunately, even highly technical savvy users can be tricked into divulging sensitive data, especially if the attacker successfully conveys a sense of urgency. The sense of urgency makes users forget their training and avoid overthinking what is happening. For example, an accounting user might receive a message from a spoofed executive telling them to transfer money quickly to avoid losing access to a financial account.

In significant data breaches, the reason behind the breach often comes to light, and falling for BEC and phishing can damage the brand's reputation. Training employees to recognize malicious email messages is critical to protect your brand, but more is needed. Human error is one of the most common reasons for a data breach, so you need simulation exercises to help employees recognize phishing scams as they evolve.

Attackers change their methods as more security tools detect and stop email messages with spoofed sender addresses. SafeTitan simulation exercises contain thousands of templates to choose from, which are continually upgraded and changed to account for the latest attacker methods. Simulation techniques are proven to train employees better to identify phishing attacks, but they also give administrators analytics on employee activity when they receive a malicious email. SafeTitan reporting provides:

• Information on user accounts.
• Number of clicks on a malicious link.
• The number of employees that deleted the phishing email.
• The users who divulged credentials on the simulator's malicious phishing web page.

SafeTitan is essential for security awareness training, compliance, and an advanced security layer for your organization. It empowers employees to detect phishing better, so your organization does not fall victim to BEC, phishing, ransomware, credential theft, data exfiltration, and system compromise. In addition, the real-time intervention training SafeTitan offers gives users a better cybersecurity educational experience. It provides administrators with detailed insights so that they can find opportunities to help users better.

To protect your whole organization from phishing, BEC, and malware threats, find out what SafeTitan can do for you.