Help, someone has hacked my email!

The number of attempts to phish someone by good old fashioned email continues to rise. Why? Because more often than not there is little or no cost in sending emails to an acquired distribution list and you only need one or two people hooked to make a profit.

Phishing attempts come in various forms – ranging from the “Deposed prince who needs your help to move millions out of his country” to “the opportunity to queue-jump the COVID-19 vaccination priority list”. Many will be undone by poor spelling and grammar, whilst others will be professionally designed and look genuine.

But often the giveaway is the sender's address. Whilst the sender may appear genuine in your email client, the actual sending address often reveals, very quickly, that it is a scam. For instance, the sender may appear as “HMRC”, “NHS” or “First Direct”, but when you click on the name it turns out to be coming from a Gmail or Yahoo email account, a sure giveaway that it isn’t genuine.

Wearing my hat as Chairman of Lewes FC, my contact details appear on a number of publicly accessible websites and directories. That means I get a lot of spam and contacts from all sorts of organisations. But I also get phishing emails, also known as Business Continuity Email fraud, regularly sent from myself to myself asking for money “for a transfer” or, the more popular one these days, Amazon gift cards for sponsors. I know I shouldn’t, but I often keep a conversation going with them, asking why they need them now, why in dollars and who the sponsors are, all the while sending the emails from an account that clearly states who I am. The fraudsters don’t care – they think they have hooked me and just want their ill-gotten gains.

Whilst we all need to be vigilant in not being fooled by these attacks, what happens if the sending address does appear to be genuine? This is the danger of spoofed email addresses. Email spoofing is the creation of an email header that appears to be from one party but has actually been sent by a third party. Because the core email protocols have no built-in method of authenticating that the sender is who they say they are, it is commonplace for spam and phishing emails to use spoofing to trick the recipient into believing the message is genuine.

Even if domain names are registered and in use by brand holders, they can be spoofed because of the way most email systems are set up. To stop their intellectual property being used in such a way, brand holders can take measures to prevent their domain names being spoofed. Barracuda Networks are one of the experts in this field and have provided the following advice:

Since the email protocol SMTP (Simple Mail Transfer Protocol) lacks authentication, it has historically been easy to spoof a sender address. As a result, most email providers have become experts at detecting and alerting users to spam, rather than rejecting it altogether. But several frameworks have been developed to allow authentication of incoming messages:

SPF (Sender Policy Framework): This checks whether a certain IP is authorized to send mail from a given domain. SPF may lead to false positives, and still requires the receiving server to do the work of checking an SPF record, and validating the email sender.

DKIM (DomainKeys Identified Mail): This method uses a pair of cryptographic keys that are used to sign outgoing messages, and validate incoming messages. However, because DKIM is only used to sign specific pieces of a message, the message can be forwarded without breaking the validity of the signature. This technique is referred to as a “replay attack”.

DMARC (Domain-Based Message Authentication, Reporting, and Conformance): This method gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, and what actions to take when dealing with mail that fails authentication. DMARC is not yet widely used.
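The SPF and DMARC records described above can be audited from their published TXT strings alone. As an added example (not from the post or from Barracuda), the Python below parses constructed sample records and flags the settings that leave a domain spoofable: a permissive SPF “all” qualifier, too many DNS-lookup terms, and a DMARC policy of p=none or one with no reporting address. The record contents and domain names are constructed for illustration.

```python
import re

# Constructed sample records (not from any real domain). SPF lives in the TXT
# record of the domain itself, DMARC in the TXT record of _dmarc.<domain>.
SAMPLE_SPF = "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# SPF terms that cost a DNS lookup; a record may use at most 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of weaknesses found in an SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot tell forged senders apart"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every host is authorized, the record gives no protection")
    elif last == "~all":
        findings.append("~all: softfail only, DMARC is needed to act on failures")
    elif last != "-all":
        findings.append(f"'{last}': unlisted senders get a neutral result, not a fail")
    # Count mechanisms/modifiers that trigger DNS lookups (qualifier stripped).
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return a list of weaknesses found in a DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: SPF/DKIM failures carry no policy"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'}: invalid policy, record is ignored")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing goes unnoticed")
    return findings
```

A domain whose SPF ends in `-all` and whose DMARC record sets `p=reject` with an `rua` address yields an empty list from both checks.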

Even if brands have defensively registered a domain name it should be protected against spoofing as these are often used by fraudsters in the knowledge that it may be less likely to be detected by the firm itself.

Most corporate-focused registrars offer these email security measures. With revenues and reputations at stake, why wouldn’t any brand want to take as many preventative measures as possible to protect both?
