Email spoofing is one of the go-to tools today's attackers use when executing social engineering attacks on unsuspecting victims. It's a very effective tactic as often, by the time the victim realizes what's going on, it's too late and they've been compromised.
Email spoofing isn't just damaging for the direct victims of the attack, however. Your business's reputation can take a big hit if attackers are abusing your email addresses or domain to carry out their attack: your domain can end up on blocklists, and your legitimate emails can be thrown into junk folders or blocked entirely. So what exactly is email spoofing?
Email spoofing explained
The easiest way to explain email spoofing is to compare it to traditional snail mail. If I send you a letter I put your mailing address on the front along with my return address. When you receive it, you'll see the letter is addressed to you as well as who it's from (via my return address). Email works in much the same way. When you receive an email message it shows who it's to (you) and who the return address references (me).
But what if I didn't want you to know the letter was from me? What if I wanted you to think the letter was from somebody else, like a friend or perhaps a vendor of yours? On a real letter I could change the return address to reflect said friend or vendor. With email, I could do the same thing by making the message look like it's from someone else who you trust. This is called "spoofing". I'm putting a fake "return address" on the email so that it looks like it's coming from someone else besides me.
Two types of spoofing
With email, there are realistically two main types of spoofing that attackers use: display name spoofing and email address spoofing.
Display name spoofing is the easier of the two to spot. Almost every email client lets you set a display name on an account, so instead of recipients seeing just "jdoe@example.com" they see "John Doe <jdoe@example.com>". Obviously you're not limited to your own name; you can put almost anything there. Attackers will often use the name of a real person at the target company, or of a real person at a vendor or other contact of the target.
The plus side for the attacker is that this is very easy to do and, if you're not paying attention, easy to overlook. If you are watchful, however, you can spot the spoof by looking at the actual address: instead of "John Doe <jdoe@example.com>" you will see something like "John Doe <jdoe.ceo@example.net>", a familiar name sitting on top of an address that has nothing to do with the person. Be aware that many mobile mail clients show only the display name by default, so you may have to tap on it to reveal the address. To return to the snail mail comparison, this is equivalent to changing the name on the return address without changing the actual address.
Email address spoofing, on the other hand, is the equivalent of changing the entire return address, and it is much harder to catch because on the surface the message appears to be 100% legitimate: the From address really is the address of the person or company being impersonated. The one thing the attacker cannot hide is the path the message took. They still have to hand the message to their own mail server, and every server that relays a message adds a Received header recording where it got the message from, so the attacker's server shows up in the message headers (the headers are the normally hidden part of every message that records where it came from and, if the receiving system checks SPF, DKIM and DMARC, an Authentication-Results header with the outcome). Only the Received headers added on the receiving side can be trusted; anything the attacker's own server wrote can be forged. Most people don't know how to find, much less decipher, a message header, however, and will usually treat the message as legitimate.
How to prevent spoofing
Obviously an attacker spoofing your company's email is bad news: they could be sending malware-laden messages to your clients, vendors or even random people and making it look like you sent them, which at best is an unnecessary headache and at worst could result in severe reputational damage to your company. So can this damage be stopped? The answer is: sort of.
Email address spoofing
The good news is that you can largely deal with full email address spoofing by publishing email authentication records on your company's domain name (the yourcompany.com name). First, make sure you have an SPF record on your domain. SPF stands for "Sender Policy Framework", and the record (a DNS TXT record that starts with v=spf1) advertises to mail servers around the world which IP addresses or mail systems are allowed to send mail using your domain. A receiving server looks up the record for the domain in the message's envelope sender (the bounce address, shown as Return-Path in the headers) and checks the IP that connected to it against the list; mail from IPs not on the list fails SPF, and the record's final term says how hard that failure should be treated ("-all" means fail, "~all" means soft fail). Two caveats: SPF checks the envelope sender, not the From address the recipient sees, so on its own it does nothing against an attacker who uses their own domain in the envelope while putting yours in the From line; and it fails on legitimate mail that has been forwarded, because the forwarder's IP is not in your record. This record alone can help but is really only one part of the equation.
Next, you will want to implement DKIM signing. DKIM (DomainKeys Identified Mail) has your mail system put a digital signature on every legitimate message it sends, covering the important headers and the body. It uses a public/private key pair: the private key lives only on your legitimate mail servers, and the public key is published as a DNS record under your domain (at selector._domainkey.yourcompany.com, where the selector is a name of your choosing that the signature header points at). A receiving server fetches that public key and verifies the signature; if the message was altered in transit, or the sender never had the private key, verification fails. Because the signature travels with the message, it survives forwarding, which is exactly where SPF falls over. Note that DKIM by itself only says "this message was signed by domain X" and makes no statement about unsigned mail, which is why the third piece is needed.
Lastly, with SPF and DKIM in place, you can publish a DMARC policy. DMARC (short for "Domain-based Message Authentication, Reporting and Conformance") is another DNS TXT record, at _dmarc.yourcompany.com, that ties the two together and tells other mail systems what to do with mail bearing your domain in the From address that fails authentication. A message passes DMARC if either SPF or DKIM passes and the domain that passed aligns with the domain in the From address; that alignment rule is what closes the gap left by SPF checking only the envelope sender. The record's p= tag sets the policy for everything else: "none" (deliver, just send me reports), "quarantine" (send to junk) or "reject" (block entirely). The record is technically a request to the receiving system, but the major mail providers honor it. The rua= tag gives an address where receivers send aggregate reports, which show you who is sending mail as your domain and whether it passes.
So to quickly recap: SPF and DKIM let receivers establish whether a message was sent by a system you authorized, and DMARC tells them what to do with messages that were not. The usual rollout is to publish p=none first, review the reports until all your legitimate sources (including third-party services that send on your behalf) pass, then move to quarantine and finally to reject. The exact details of implementing these on a given mail platform are beyond the scope of this article (there are a lot of variables) but we may address them in a future set of articles. In the meantime, consult your email or domain name provider (or your website host), as they may be able to help.
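To make the SPF, alignment and DMARC decisions above concrete, here is an added example (not code from the original article) of the receiving side's logic run over constructed inputs. It assumes example.com is your domain, stubs DNS answers in a dictionary instead of looking them up, and stubs DKIM verification by passing in the d= domain of a signature that has already been verified (a real receiver fetches the public key from DNS and checks the signature itself). Only the ip4:/ip6: SPF mechanisms are evaluated, and alignment is simplified to "same domain or subdomain".

```python
"""Added example: minimal receiver-side SPF / alignment / DMARC evaluation.

Assumptions (not from the article): our domain is example.com, DNS TXT answers
are stubbed in DNS_TXT, and the DKIM signature check is stubbed by passing the
d= domain of a signature that already verified. All messages and addresses
below are constructed for the example."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # the attacker's own domain, with a perfectly valid SPF record for their server
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_domain, client_ip):
    """Evaluate the SPF record of the envelope (Return-Path) domain against the
    connecting IP. Handles ip4:/ip6: and 'all' only; include:, a and mx would
    need further DNS lookups and are skipped here."""
    record = DNS_TXT.get(envelope_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False)
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def dmarc_policy(from_domain):
    """Return the p= tag of _dmarc.<from_domain>, or None if no record exists."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "none")


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the other."""
    return (auth_domain == from_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def evaluate(raw_message, envelope_from, client_ip, dkim_domain=None):
    """Return (spf_result, disposition) for one inbound message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    spf = check_spf(envelope_domain, client_ip)
    # DMARC passes only if an authenticated identifier aligns with the From: domain.
    spf_ok = spf == "pass" and aligned(envelope_domain, from_domain)
    dkim_ok = dkim_domain is not None and aligned(dkim_domain.lower(), from_domain)
    policy = dmarc_policy(from_domain)
    if policy is None:
        return spf, "accept (no DMARC policy published)"
    if spf_ok or dkim_ok:
        return spf, "accept"
    return spf, {"quarantine": "quarantine", "reject": "reject"}.get(policy, "accept (report only)")


# Constructed message; the visible From: is our domain in every scenario below.
MESSAGE = """From: Accounts Payable <billing@example.com>
To: customer@example.net
Subject: Invoice overdue

Please see the attached invoice.
"""


def demo():
    return {
        # our own server, envelope sender in our domain: SPF passes and aligns
        "legit": evaluate(MESSAGE, "bounce@example.com", "203.0.113.25"),
        # attacker's server forging our domain in the envelope too: SPF fails
        "spoof_envelope": evaluate(MESSAGE, "bounce@example.com", "198.51.100.7"),
        # attacker's server with THEIR envelope domain: SPF passes but does not
        # align with the From: domain, so DMARC still rejects
        "spoof_unaligned": evaluate(MESSAGE, "x@attacker.example", "198.51.100.7"),
        # legitimate mail relayed by a forwarder: SPF fails, but the DKIM
        # signature survives the extra hop and keeps the message deliverable
        "forwarded": evaluate(MESSAGE, "bounce@example.com", "192.0.2.10", dkim_domain="example.com"),
    }


if __name__ == "__main__":
    for name, (spf, disposition) in demo().items():
        print(f"{name:16} spf={spf:8} -> {disposition}")
```

The "spoof_unaligned" case is the one to study: the attacker's SPF record is valid and passes for their server, but because the domain that passed is not the domain in the From line, DMARC still rejects. The "forwarded" case shows why DKIM is needed alongside SPF.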
While email address spoofing is arguably the more important of the two types to address, there is still display name spoofing. Unfortunately, there's no way to prevent someone from typing your name or your company's name into an email client and sending messages with your name plastered on top of their own email address. It's up to the people receiving the emails to exercise vigilance and pay attention to the address the message is sent from, not just the name on the "From" label.
As it pertains to your own company however, you can help protect yourself and your employees from these sorts of messages by implementing a robust anti-phishing system. Most anti-phishing systems worth their salt today are able to detect a message with a familiar name but unfamiliar email address and either quarantine the message for analysis or, at minimum, display a warning message to the person opening the message that it's not from who it says it is.
Hopefully you now know a little bit more about email spoofing and a couple of ways to fight it. While this is a fairly broad subject which could warrant a much longer article, you should at least now know the basics. If you'd like to learn more, or find out other ways to keep your email, file and other IT systems secure, give us a shout by checking out our contact page.