The prevalence of firewalls and anti-virus software has closed many of the common attack vectors that cyber criminals use to gain unauthorised access to networks and to bypass online security. For this reason, attacks increasingly rely on fooling users into allowing access to systems: legitimate-looking emails that easily clear the common-sense hurdle can hide malware and well-planned hacking attacks.
Even with the necessary protections in place it is surprisingly easy to “spoof” an address, with a from field that looks correct in every way; except for the fact that the sender is not who it appears to be. Most users will think twice about opening an attachment sent by an unknown sender, but if the attachment appears to be from a colleague the usual caution is sometimes left by the wayside.
Get your email server and DNS configuration right
Correctly configuring your company’s email service is essential. Sender Policy Framework is an important first step – SPF DNS records assist receiving mail servers in checking that the source of an email is authorised to send the message. DKIM steps up internet security by adding a cryptographic key to emails which can be checked against a public key in DNS, but it does not prevent attackers from abusing the “header-from” address.
DMARC is built on top of SPF and DKIM, using even more advanced techniques to check the validity of emails. Setting up all three of these anti-spoofing elements makes life more difficult for hackers trying to masquerade as staff members. Yet even a combination of these techniques won’t provide cast-iron protection, they are merely an important hurdle that trips up automated spoofing attempts and which could encourage hackers to look elsewhere.
Automated tools can still make a difference
Your first line of defence against email spoofing remains automated tools. Advanced email threat protection software uses sophisticated techniques to flag suspicious emails. Scanning email and attachments for malware is essential, but an advanced defensive system will flag email sent from known suspect IP addresses while also hunting for signs of spoofing and phishing – quarantining emails which score as highly suspect for further investigation.
End-user, client-based email security solutions are still useful. A local anti-virus program on the PCs of staff members can help foil a successful spoofing attempt by preventing malicious software from successfully installing. Avoid giving users administrator access to their PCs if you can as it is very easy for a user to accidentally install malware that is delivered by a spoofing attack if they are logged in with administrative privileges.
User education is crucial, too
Automated defences can fail, and a determined attacker can bypass even the most sophisticated email threat protection efforts. For this reason, educating your users is extremely important. Always double checking an e-mail address is crucial – lazy spoofing can often easily by spotted thanks to a similar, but misspelled domain name or a first and last name which does not match the from email address.
Users should also understand that emails that do not match expected behaviour or language should be treated with suspicion. Requests to pay an invoice or to refresh password details will come from predictable sources and usually follows an action from the user – impress on your users that unexpected emails should raise a red flag. Train employees to refer suspect emails to an expert for verification – or to pick up the phone and call a co-worker if they are unsure about an email.
In fact, it could be argued that user vigilance is the last and most important line of defence in the battle against e-mail spoofing. The FBI warned earlier this year that losses due to what they call business email compromise have mounted to billions of dollars. US-based cases are in the tens of thousands per annum; and they are very sophisticated too. Cases have surfaced where senior financial staff have transferred vast sums on request of the CEO – only to later find out they were the victims of a successful email spoofing attempt. The only layer of protection you can deploy against a very sophisticated email spoofing attempt is the user layer.
Getting the basics right when it comes to using email
Clearly it is a blend of technology efforts and user education which is going to protect your business against cyber security crimes committed by means of electronic mail. Whether it is email spoofing or phishing attempts, your technology staff should take a wide-ranging and holistic approach to achieving a solid level of protection. Keep in mind that staff turnover can undermine education levels, so institute education on good email practice as a key step in onboarding new employees. Most importantly, IT staff should stay on top of the latest threats so that they can keep their users informed of methods of attack that are growing in prevalence.