Spoofing

Tell-tale signs of a spoofed email and 3 things you can do to stop them

 By Dr. Guy Bunker

At Clearswift, we use our own products in-house (as you would expect) and I tend to look at things which happen ‘deep in the machine’… because, at heart, I am still an engineer. 

Something caught my eye recently. It was an email in PMM (Personal Message Manager – a component of the Clearswift SECURE Email Gateway) where you can look at what email has not been delivered to your Inbox, as the product has recognized it as being spam or (potentially) newsletters.  There was one particular email that caught my eye as it appeared to have come from ‘quarantine@clearswift.com’. In essence, the email message said that I had a number of emails sitting in quarantine and if I didn’t do something about them, my account would be locked.

So, what drew my eye to this email?  Firstly, it was from an email address that I knew didn’t exist within Clearswift.  However, it looked plausible and no doubt it would catch the attention of some of my colleagues.  Secondly, the emails it appeared to have quarantined were also ‘ok’.  That is to say, they looked like they could be legitimate – it just showed a partially anonymous email address and subject line, both of which seemed reasonable.

It was time for a little more investigation. Under the covers, it was, of course, a spoofed email address and the links in the email to ‘release’ the held emails were actually what the sender wanted me to click on…but I didn’t.  This was a good example of a phishing email with a malicious link all playing on the fact that the address looked legitimate as it had been spoofed.

Now back to the start, as I said, this was something which had turned up in my PMM, it hadn’t made it to my Inbox as our security software had caught it.  In fact, on close inspection, it had been caught in a couple of ways. The software ‘junk detection’ score had exceeded the limit, so that had caused it to go to PMM rather than be delivered. We use SPF (Sender Policy Framework) and this was also triggered by the message.  In addition, we have a ‘soft spoof’ rule in place which looks for external email coming in with the same domain as we have, in this case, clearswift.com and the message was picked up by that one as well. With security, there is no single silver bullet, so you need multiple protection mechanisms, creating rings within rings. The thought being that, if a cyber-attacker gets past one level of defense, the next will catch them. In this case, multiple rules triggered – but it’s better to be caught three times, rather than missed once.

Spoofed email is a growing problem and includes “Business Email Compromise” (or BEC) as well. In a recent survey in the USA, BEC is responsible for more than $650m in losses dwarfing the $2.3m loss from ransomware.

Here are 3 things that you can do to reduce the risk of being hit by a spoof email:

  • Educate your staff about spoof emails, especially if you have received one and it could have gone to others. The cyber-attacker might have sent it to more than one person in the company - they just need to get one person to click the link to compromise a network. You can use standard functionality in the Clearswift SECURE Email Gateway to automatically annotate an email coming in from outside the organization, just to draw attention that it has come in from outside the organization. Staff should be aware as to what the annotation looks like and any other notices they may receive (including from other systems) to help them spot a false one.
  • Ensure that your existing email gateway has all the anti-spoof options switched on and configured correctly. You may want to consider using the SPF/DKIM/DMARC functionality as well to reduce both phishing and spoofed emails.
  • Look at setting up a soft-spoof rule on your own domains and also your various executives’ names. This will also protect against people pretending to be the CxO using their ‘home’ email. The latter is also commonly found in BEC – “Hi XXX, CFO here, at home and unable to send email through company email. Could you please pay the attached invoice immediately. Thanks, Cy Ber Crim”.

Want to learn more? If you are an existing Clearswift customer then we have a knowledge base article (#4770) on our support portal which talks about how to detect message header name spoofing.  

If you’re not a customer or you want to a helping hand, contact us for a discussion today.