Undoubtedly, you’ve seen news reports about scams where someone cold calls phone numbers, claiming to be from Microsoft or the IRS, and dupes their victims out of money or their identity. What most people don’t realize, however, is that it’s just as easy for scammers to pretend to be someone else over email.
Using compromised or poorly secured email servers anywhere in the world, scammers can make an email appear as if it came from a recognized contact or company VIP. In many cases, these emails will take the form of a request for a wire transfer.
In the example below, someone pretending to be Bennett/Porter's President is requesting contact in regard to a wire transfer. I know this is a fake because there’s no way I would be contacted for this, and I’m sure that, if I called the scammer, I would realize pretty quickly that it wasn’t actually our President. However, if a similar message went to someone in your company's Accounting group, and it had an account number to initiate the transfer to, would they think twice? If it was a Word document with embedded malicious code, like those mentioned in a previous article, would they have opened and launched whatever was within it?
In some cases, if the employee replies to the message, the 'To' field in the reply will be auto-populated with a different address than the spoofed President’s address (the message carries a Reply-To header pointing somewhere else), meaning that the scammer will get the reply and be able to craft a response in order to coax the employee into initiating the transfer.
In the example I sent to myself, you can see that the domain - BENP0R.COM - isn’t exactly our domain name. The sender used a zero instead of the letter 'O', with capital letters surrounding it to obfuscate the replacement. The spam-filtering solution we use for hosted clients, Proofpoint, has anti-spoofing features in place that check the originating server of messages for an exact domain name. Given that this particular message didn’t come from our servers, it would have been blocked. Short of manually blocking every possible character-replacement permutation of our domain name, that still leaves a small gap for close-but-not-quite phony email addresses to get through. Other spam-filtering solutions, however, don’t have anti-spoofing features at all, so even an exact duplicate of a company VIP’s address may be allowed through.
This is all part of a relatively new type of scamming: spear phishing. You may have heard of phishing - an attempt to get information or credentials out of someone by posing as a legitimate company or site - but spear phishing is a newer method that has rapidly become more and more popular over the past couple of years.
Usually after receiving one of these emails, the client asks, “How could the scammer have known who to send it to and who to send it as?” On most company websites, there is either a company directory or at least a list of company executives and VIPs. Most companies’ email addresses follow a uniform format. If someone knows one person’s email address and a second person’s name, s/he can probably figure out the second person’s email address. This makes it very easy for a scammer to identify a target company, find their website, and pick a person to impersonate and a person to target in order to maximize potential returns.
The spear phishing attack could take the form of a request for money to be wired somewhere, for a copy of employee W-2s, or for a set of confidential credentials. It could be an attachment, or - as in the above illustration - it could be a hyperlink whose displayed address is different from the one it actually points to. The best way to combat this technique is to use a good spam-filtering solution that can prevent most spoofed addresses and, equally as important, to train users to verify with the sender - through a different channel like a phone call or physically going to their office - if something seems 'phishy'.
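The three tells described above - a look-alike sender domain such as BENP0R.COM, a Reply-To that steers replies away from the spoofed address, and a link whose displayed address differs from its real target - can all be checked mechanically before a message reaches an inbox. The script below is an added example written for this post, not Proofpoint's code or anything Bennett/Porter runs; it uses only the Python standard library, treats `benpor.com` as a placeholder for the protected corporate domain, and triages a constructed sample message (documentation-only addresses and IPs) rather than any real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the real corporate domain being impersonated.
TRUSTED_DOMAIN = "benpor.com"

# Characters commonly swapped for look-alikes in phony domains (constructed
# table; the zero-for-O trick from the post is the first entry).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "@": "a", "$": "s"})


def fold(domain):
    """Normalise a domain so look-alike spellings collapse onto the real one."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_domain(domain, trusted=TRUSTED_DOMAIN):
    """'exact' for the real domain, 'lookalike' for a near miss, else 'unrelated'."""
    if domain == trusted:
        return "exact"
    if edit_distance(fold(domain), fold(trusted)) <= 1:
        return "lookalike"
    return "unrelated"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url):
    h = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return h.lower().removeprefix("www.")


def deceptive_links(html):
    """Return (shown text, real host) for links whose visible URL hides a different target."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            continue  # visible text is not URL-like, so nothing to compare
        if host(text) and host(href) and host(text) != host(href):
            found.append((text, host(href)))
    return found


def triage(raw_message, trusted=TRUSTED_DOMAIN):
    """Run the three checks over one RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    findings = []
    sender = domain_of(msg.get("From", ""))
    if classify_domain(sender, trusted) == "lookalike":
        findings.append(f"From domain {sender!r} is a look-alike of {trusted!r}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"Reply-To goes to {domain_of(reply_to)!r}, not the From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    for text, real_host in deceptive_links(body):
        findings.append(f"link shows {text!r} but points at {real_host!r}")
    return findings


# Constructed sample modelled on the message in the post (example.net and
# 198.51.100.7 are reserved documentation values, not real infrastructure).
SAMPLE = """\
From: "Company President" <president@BENP0R.COM>
To: accounting@benpor.com
Reply-To: president.benpor@example.net
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please process the wire today. Details here:
<a href="http://198.51.100.7/wire">https://benpor.com/payments/wire</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

On the sample message all three checks fire. The domain check folds `benp0r.com` onto `benpor.com` before comparing, so a single substituted character is caught without enumerating every permutation by hand; a filter that only does exact-match anti-spoofing, as described above, would treat BENP0R.COM as an unrelated (and therefore allowed) domain.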
This is the second post in our three-part series on how end-user awareness and behavior can contribute to network security. Don't miss the final installment! By subscribing to B/P Impressions, you'll receive these and other upcoming blog updates in your email inbox.