by Rob Lekowski
With cybercrimes appearing in the headlines almost every day, corporations and law firms are being more vigilant than ever in fortifying their data. From enhanced firewalls, software and hardware that block malware and spyware to multi-factor authentication and biometric access, companies of all sizes and types are dedicating resources to protecting their sensitive information.
So, don’t let something like a spoof email be what brings you down.
A spoof email is a message whose headers have been forged so that it looks like a real email from a trusted sender and seems to request legitimate information. When such a message is aimed at specific people in a firm or corporation, it is called “spear phishing.” Usually aimed at C-level executives and the staff who act on their instructions, spear phishing works because it appears to come from a trusted source, it contains details that support its validity and the request within the email seems reasonable and sound.
These attacks are not random: the attacker first researches the company to learn how to disguise the email and what to ask for. Requests can include confidential data, money transfers, human resources records and tax information.
Here is an example of how a spoof email works:
- The thief gathers contact information about the company, either from the Internet or from an initial phishing campaign that asks an executive to update personal information on an imitation website the attacker controls.
- The perpetrator registers a look-alike domain name that differs from the real one by only one or two characters, so the difference is hard to spot, such as substituting the digit 1 for a lowercase L: examp1e.com instead of example.com.
- A message is crafted that seems authentic, incorporating available details, and that appears to come from someone within the company who might logically request confidential information.
- The spear phishing email may show the valid “From” address of the person within the company, because the visible From header is forged while the Reply-To header points at an address on the look-alike domain. The recipient sees a familiar name, but any reply goes to the attacker.
- The spear phishing email is sent to multiple people at a company, usually in positions of authority.
- The email requests an urgent wire transfer or other sensitive company data. And it may contain a link that, when clicked, will download spyware, ransomware or other malware onto the targeted users’ devices.
If even one employee falls for the trick, the entire organization can be affected, and so can the companies you do business with. The following steps reduce the risk:
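The look-alike domain and Reply-To tricks described above can be checked mechanically before anyone acts on a message. The following Python script is an added example, not code from the original article: it parses a message's From and Reply-To headers, reduces each domain to a “skeleton” in which commonly confused characters (1 for l, 0 for o, rn for m) are normalised, and flags a domain that collapses to, or sits one edit away from, a trusted one. The trusted-domain list, the confusable map and the two sample messages are constructed for this example.

```python
"""Flag messages whose From or Reply-To domain imitates a trusted domain.

Added example, not part of the original article. TRUSTED_DOMAINS,
CONFUSABLES and the two sample messages below are constructed inputs.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed: domains this organisation genuinely sends mail from.
TRUSTED_DOMAINS = {"example.com"}

# Constructed: character sequences commonly swapped in look-alike names,
# mapped to the letters they imitate. Multi-character pairs come first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def skeleton(domain: str) -> str:
    """Normalise a domain so that examp1e.com and example.com compare equal."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skel == skeleton(trusted) or edit_distance(skel, skeleton(trusted)) <= 1:
            return trusted
    return None


def domain_of(header_value: Optional[str]) -> str:
    """Extract the domain from a header such as 'Pat Chen <pat@example.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicators found."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else None
    # The trick from the article: a genuine-looking From with replies diverted.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom) if dom else None
        if target:
            findings.append(f"{label} domain {dom} imitates trusted domain {target}")
    return findings


# Constructed sample: visible From is genuine, replies go to the look-alike.
SAMPLE_EMAIL = """\
From: "Pat Chen, CFO" <pat.chen@example.com>
Reply-To: <pat.chen@examp1e.com>
To: controller@example.com
Subject: Urgent wire transfer before close of business

Please process the attached wire today and confirm by reply.
"""

# Constructed sample: an ordinary internal message with no Reply-To.
CLEAN_EMAIL = """\
From: "Pat Chen, CFO" <pat.chen@example.com>
To: controller@example.com
Subject: Q3 budget meeting

Moving our meeting to Thursday at 10.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_message(raw) or ["no indicators"])
```

The skeleton step is what makes the check useful: a plain string comparison would see examp1e.com and example.com as different domains, while the normalised forms are identical. Run this on a mail gateway or as a mailbox rule, and the Reply-To mismatch alone is a strong enough signal to hold a message for review.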
- Configure your mail domain and servers to use Sender Policy Framework (SPF). The domain owner publishes a DNS TXT record listing the IP addresses allowed to send mail for that domain, and the receiving server checks the connecting sender’s IP against it. For instance, if example.com’s record authorises 192.0.2.10 and a message claiming to come from example.com arrives from 198.51.100.20, the check fails and the receiver can reject or quarantine the message, depending on the record’s policy (“-all” for a hard fail, “~all” for a soft fail) and the receiver’s own rules. Note that SPF checks the envelope sender, not the “From” address the recipient sees, so pair it with DKIM and a DMARC policy, which tie the visible From domain to those checks.
- Verify emails before any action is taken. Don’t click links directly from an email, especially one that is unexpected or unfamiliar. When sensitive information or a payment is requested, confirm the request by phone using a number you already have, not one supplied in the email.
- Consult with a cyber security expert to ensure you have solid protocols set up and policies that support and enforce them.
- Follow best practices for passwords: make them long and strong, unique to each account and never shared, and change them promptly if there is any sign of compromise. Turn on multi-factor authentication wherever it is offered, so that a phished password alone is not enough.
- Educate employees on your policies, on how to identify potential risks and on making sound judgments. Help them understand the value of protecting company and client information and their role in keeping it safe.
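To make the SPF bullet concrete, here is an added Python example (not from the original article, and not a complete RFC 7208 implementation) that evaluates a sender IP against a published SPF record. It models the ip4, ip6, include and all mechanisms with their qualifiers; the a, mx and exists mechanisms and the redirect modifier are deliberately not modelled and return permerror so that nothing is silently skipped. The two TXT records and the test IPs are constructed stand-ins for DNS lookups and use documentation address ranges.

```python
"""Evaluate an SPF record against a sending IP, entirely offline.

Added example, not part of the original article. FAKE_DNS_TXT stands in
for the DNS TXT lookups a real receiver would perform; no network is used.
"""
import ipaddress

# Constructed TXT records keyed by domain. example.com authorises one IPv4
# block, one IPv6 host and whatever its (constructed) mail provider lists,
# then hard-fails everything else. The provider itself only soft-fails.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::25 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/26 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns=FAKE_DNS_TXT, depth: int = 0) -> str:
    """Return pass, fail, softfail, neutral, none or permerror.

    `domain` is the envelope-sender (MAIL FROM / Return-Path) domain, which is
    what SPF actually checks; it is not the header From shown to the user.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = dns.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # Version mismatch (IPv4 sender, ip6 term) simply does not match.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include matches only when the referenced policy returns pass.
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    # Constructed test senders, all claiming an envelope sender at example.com.
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::25", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "example.com"))
```

Two points the function makes visible that the bullet glosses over. First, 203.0.113.5 is rejected only because example.com ends its record with “-all”; had it used “~all”, the result would be softfail, which most receivers deliver (often to a spam folder) rather than refuse. Second, the domain being evaluated is the envelope sender, so a message whose visible From is pat@example.com but whose Return-Path is on the attacker’s own domain, with its own valid SPF record, passes SPF cleanly. That gap is exactly what a DMARC policy with alignment closes.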