The Cyber Guys: Never Again – Stop Being Fooled by Email Spoofing 

Every two or three months I get the same email from my “boss.”  It goes something like this.  “Dan,  I need a favor and I need it done by the end of the day.  Can you please purchase six $100 Amazon gift cards for the company? It’s for an upcoming event to celebrate our employees.  Just email me the gift card numbers.  Please don’t let anyone know.  It’s a surprise. I’m super busy so don’t call, just reply to this email.”   Since I had a company credit card, I went online and made the purchase.   Wait…. Just kidding.   

What I really did was I checked the Display Name of the sender.  It was the name of my boss, but not the usual way he displayed it.  When I looked at the return email address, I noticed that it was not from a company address, but instead it came from a random Gmail account.  This is one type of email spoofing called “Display Name Spoofing.”  It is the easiest type of email spoofing.  The hacker went to the company website and got the name of the founder.   From there the hacker just updated his email display name to match.   

There were several things about the email that got my hacker spider senses tingling.  Did you catch them?  One of the most common social engineering tricks is to push a sense of urgency.  I need it by the end of the day.  Another giveaway was that it was a secret so if I believed it, I would not tell anyone.  Gift cards are a common tactic for scammers.  Did you notice how the hacker did not want me to validate by an alternate means of communication?  Don’t call.    For me, the biggest hint was the fact that I really don’t have a company credit card and could not have done what was asked.   

This time, they did not fool anyone, but understand they are putting out hundreds of these emails a day.  All they needed was for one to hit and it was a successful day at the office.  I’ve heard of other spoofs locally where they pretended to be the boss and asked the accountant to transfer large amounts of money to a partner to close a deal.  Don’t think that all hacks are from around the world.  In that case, they knew the boss had been traveling and was unavailable.  The key to avoid falling prey to that is to have a policy where any use of company money requires “out of band” verification.  If the request comes via email, the accountant must call the boss to get verbal verification.   

Diligence is key not to get duped by this scheme.   There have been cases where instead of a supervisor, the hacker pretended to be a vendor.  The hacker sent an invoice supposedly from the vendor but with a different account to send the funds.   I’ve heard of this happening several times in this little town.  Pay attention.  Call and ask about it, stating that you noticed the account information changed.   That would stop the scam in its tracks.   

Another technique for hackers to spoof email is to create fake display names and email addresses using Simple Mail Transfer Protocol (SMTP). SMTP is a protocol used for sending messages.  This is called “Legitimate Domain Spoofing.”  A third type of spoofing is called “Look-Alike Domain Spoofing.”  An example would be (zero instead of o) or  Hackers get real domains that can easily be mistaken for the legitimate company.  

There are several technical ways to spot spoofing which I’ll provide below.  Check to see if the Sender Policy Framework (SPF) passes the test.   The SPF checks to see if the sender’s address is associated with the email domain it was sent from. DomainKeys Identified Mail (DKIM) works to verify that the email has not been altered between the sender’s and recipient’s servers.  Businesses can also set up Domain-based Message Authentication, Reporting and Conformance (DMARC) for the email which lets the recipient know that the email is protected by SPF and DKIM. 

How to check SPF, DKIM, and DMARC status on Gmail: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Select “Show original.” 

    4. Check and see if the email is marked “pass” or “fail” for each section. 

How to check SPF, DKIM, and DMARC status on Outlook: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Hover over “View” and then select “View message details.” 

    4. Scroll through the details and view “Authentication-Results” to see if the email is marked “pass” or “fail” for each section. 

Now that you know the social engineering queues and you have the technical skills to verify the email, in the words of the 70s rock band, The Who, you “Won’t Get Fooled Again.”   

Original article written for the Sierra Vista Herald here.