Email ‘spoofing’ and why it’s not your fault

Email spoofing, where emails arrive in someone’s mailbox appearing to have come from you, is almost always out of your control. Here’s why…

People nowadays are well taught not to open emails from people they don’t recognise, as they might contain a virus or trick you into visiting a web site that will steal your information.  It’s for this reason that scammers trick people into opening emails by making them appear to have come from someone they trust, i.e. you.  This is called spoofing.

There are a few bits of information that you use when deciding if an email is from a known sender.  You will look at the name and the email address to see if it’s someone you know.  It is surprisingly easy for anyone to send a fake email and make it appear to have come from your own email address.  There is a system in place on the internet called SPF, or the Sender Policy Framework.  In simple terms, this is an attempt to make sure that email from your email address can only come from your email system, and nobody else.  However, it’s up to the RECIPIENT of the email (or specifically, the people that provide their email servers) whether or not their email system takes any notice of the SPF system.  We still see a lot of privately-managed corporate email systems that don’t take advantage of SPF.

Unfortunately this means that whilst your IT people have done everything possible to minimise the chance of fake email coming from your email address or your domain name, there is still an opportunity for stuff to slip through the gap.

However, whilst SPF and, more recently, DMARC have helped crack down on emails appearing to come from your business domain name (the bit after the @ sign), spoofing still happens.
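To make the SPF point concrete, here is an added example (not from the original post) of what a receiving mail server does with an SPF record: it looks up the sending domain’s `v=spf1` TXT record, checks whether the IP address that connected to deliver the message is on the list, and then decides what to do. The DNS records and IP addresses below are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled; a real evaluator also follows `include:`, `a`, `mx` and the other mechanisms defined in RFC 7208. The last function shows the part the article stresses: a recipient server that does not honour SPF simply accepts the message whatever the result.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. A real check queries DNS for
# the sending domain's TXT record; these records and addresses are made up.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier in front of a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def check_spf(sender_domain, connecting_ip, dns=FAKE_DNS_TXT):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns one of the SPF result strings: pass, fail, softfail, neutral, none.
    Simplified: handles ip4, ip6 and all; other mechanisms are ignored.
    """
    record = dns.get(sender_domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # fell off the end of the record without matching


def recipient_action(spf_result, honours_spf):
    """What the receiving server does. The sending domain has no say here."""
    if not honours_spf:
        return "accept"  # the article's point: SPF ignored, forgery delivered
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "quarantine"
    return "accept"
```

Run `check_spf("example.com", "198.51.100.5")` and you get `"fail"`, because that address is not in the published ranges and the record ends in `-all`; the same forgery is still accepted by `recipient_action("fail", honours_spf=False)`.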

These days, scammers are lazy and often will not even bother trying to spoof your email address; however, they will spoof your name.  If you are Joe Bloggs, there is literally nothing that can be done to stop a person sending email that appears to come from Joe Bloggs, as the name is not a “protected” value on an email.  This lazy method of spoofing relies on the recipient being equally lazy and not taking notice of the sender email address.  It’s for this reason you should always be on your guard, and make sure the email you are opening has actually come from the email address you expect to see.

Bear in mind also that hackers who are actively targeting your organisation, in order to get information or trick you into entering a password on a web page, will often go to the lengths of registering a domain that is similar to one you are expecting to see.  Suppose that you regularly deal with sue@widgets.co.uk.  If a hacker has already identified that you deal with Widgets Ltd, which is very easy to do (a phone call to your accounts department is enough for a hacker to confirm this), then they might very well go and set up an email address for sue@widgets.co, or maybe sue@widgets.eu.  Unless you’re paying close attention you may not notice the difference.
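The two tricks just described, a familiar display name on an unfamiliar address and a look-alike domain, can both be caught by comparing the `From:` header against your own address book. The following is an added example, not part of the original post: the contacts and addresses are constructed, and the look-alike test is a deliberately crude one (same first label, different domain) standing in for a proper public-suffix-aware comparison. It returns a list of findings so that a message like `Sue Smith <sue@widgets.co>` is flagged for both problems at once.

```python
from email.utils import parseaddr

# Constructed address book: display names the recipient knows, mapped to the
# address each person is expected to send from.
KNOWN_CONTACTS = {
    "Joe Bloggs": "joe.bloggs@example.com",
    "Sue Smith": "sue@widgets.co.uk",
}
TRUSTED_DOMAINS = {addr.split("@")[1].lower() for addr in KNOWN_CONTACTS.values()}


def first_label(domain):
    """'widgets' for widgets.co.uk. A crude stand-in for a public-suffix lookup."""
    return domain.lower().split(".")[0]


def classify_sender(from_header):
    """Return a list of warning codes for a From: header (empty list = nothing odd).

    display-name-mismatch: the name is in the address book but the address is not
                           the one on record (the article's "lazy" name spoof).
    lookalike-domain:      the domain is not one we trust but its first label
                           matches one we do (widgets.co vs widgets.co.uk).
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []

    expected = KNOWN_CONTACTS.get(name)
    if expected is not None and addr.lower() != expected.lower():
        findings.append("display-name-mismatch")

    if domain and domain not in TRUSTED_DOMAINS:
        if any(first_label(domain) == first_label(t) for t in TRUSTED_DOMAINS):
            findings.append("lookalike-domain")

    return findings
```

A mail filter would typically quarantine anything that comes back non-empty and let the recipient see the full address, which is exactly what the article asks people to look at.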

One observation that often confuses people is this: we often see cases where real people you regularly deal with, your suppliers and customers for example, receive fake email from you; so do their colleagues in the same business, and so do other people they know at another business, so it must be coming from you!  There is a simple explanation for this…

Consider a mutual contact, let’s call him Dave, who you deal with in business.  Dave has your email address in his address book.  If you’re in the same industry, Dave will also have the email addresses of lots of the other people who deal with you, or know you on some level.  Now let’s suppose Dave gets a virus or malware infection on his computer.  That virus is going to harvest all the email addresses and contact names in his address book and send them to the scammer.  The scammer will then send out thousands upon thousands of fake emails, appearing to come from any or all of the individuals they found on Dave’s computer, and sent to any or all of the same people, in the hope that one person will mistake their email for a legitimate email from Dave and act on it.  All it takes is for one person to open Dave’s fake email and accidentally type their password into a fake Microsoft, Amazon or banking login screen, and the whole process was worth it.
