What’s safe to click on in emails? Spotting Spoofing

This is a plain language explanation of what spoofing is, and how to protect yourself.

What is spoofing?

Spoofing is what it’s called when someone sends you an email that is designed to impersonate a legitimate sender or offer. Since email sending is essentially free, spoofers harvest or guess email addresses and send thousands of deceptive emails, looking for a small number of targets who take the bait.

What is the end game for spoofers?

Spoofers want to do one of several types of crime:

  1. Infect your computer with ransomware. Ransomware is a program that encrypts (scrambles) the data on your device, and then extorts money from you to obtain the key to unscramble it.
  2. Trick you into sending them money. Spoofers that impersonate a company you do business with, for example, will try to trick you into paying a false bill.
  3. Trick you into giving them your password. Spoofers will try to trick you into clicking on a link that goes to a site that is faking being a site you already have an account with, and then collect your username and password when you attempt to log in. Once they have that information, they can use the password and login on that service and, because people often reuse passwords, they can often use that information on other sites. They may sell your user login and password on the dark web to other criminals who might use it to hack your accounts or extort you.
  4. Infect your computer with a virus that turns it into a tool to spread its email and fraud attempts to others.

What are the usual tells that an email is not authentic?

  1. Check the email address it comes from. How? This varies by the program or method you use to read your email. Usually, if you hover over, click on or right-click on the email address or name, you will see the email address or more information about the sender.

    [Image: Checking the sender’s email address]

    Pay special attention to the reply-to address if you can find it. If the visible email address is from the domain you expect, but the reply-to address is from a different domain, that’s usually a problem.

  2. It assumes you have an account that you do not have, e.g. it sends you a bill from a cell phone company you don’t have an account with.
  3. It tries to scare you into quick action: “MUST reply today or we will close your account!” or “This big charge just went through on your credit card, was it you?”
  4. It doesn’t have information the real company would definitely have, like your full name, your address, or your account number.
  5. One very sneaky thing is to use domains that look very similar to the real ones, with one letter different, a plural, a different ending, or even Greek letters that look like the letters you are expecting. For example: paypal.com is real. pαypal.com is not. (Look at the different-looking second letter: ‘α’ instead of ‘a’.)
  6. Sent from a friend who would definitely not send you this email. For example, a common scam is to get an email from an address that looks like a work colleague or casual acquaintance, asking for emergency assistance. If you think they probably would not send this email, they probably didn’t, or perhaps someone hacked into their email account to send it. You can delete this type of email or check it out via a phone call or text to the person.
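The sender and link checks from the list above, written out as code. This is an added example, not part of the article; the addresses, domains and URLs in it are constructed for illustration.

```python
"""Added example (not from the article): turning the 'tells' above into checks.
Addresses and domains used here are constructed for illustration."""
from email.utils import parseaddr
from urllib.parse import urlparse

def domain_of(address):
    """Lowercased domain of 'Display Name <user@host>' or plain 'user@host'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()

def reply_to_mismatch(from_header, reply_to_header):
    """True when Reply-To points at a different domain than the visible From."""
    if not reply_to_header:
        return False
    return domain_of(from_header) != domain_of(reply_to_header)

def link_domain(url):
    """Host name a link really points to, as shown when you hover over it."""
    return (urlparse(url).hostname or "").lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter-different domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, expected):
    """'ok' (the expected domain or a subdomain of it), 'homograph' (non-ASCII
    letters such as a Greek alpha), 'lookalike' (one letter off, plural, a
    different ending, or the real name buried in a longer name) or 'other'."""
    domain, expected = domain.lower().rstrip("."), expected.lower()
    if domain == expected or domain.endswith("." + expected):
        return "ok"
    if not domain.isascii():
        return "homograph"
    label = domain.rpartition(".")[0]        # everything before the last dot
    exp_label = expected.rpartition(".")[0]
    if edit_distance(label, exp_label) <= 1 or exp_label in label:
        return "lookalike"
    return "other"

if __name__ == "__main__":
    # Constructed inputs mirroring the article's paypal.com / pαypal.com example.
    print(classify_domain("pαypal.com", "paypal.com"))   # homograph
    print(reply_to_mismatch("Billing <billing@mycompanyname.com>",
                            "billing@mail-reply.example"))   # True
```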

What to do if I am not sure? Don’t, or Validate

  1. Don’t click on any links in emails. Google the name of the company, and then log in directly from their site. For example, if the email says you have an overdue amount owing, but when you log into the account directly (without clicking on their link) it shows you don’t, then you don’t.
  2. Don’t open any attached files. If the email comes with an attachment, do not open the attachment unless you can validate it in another way. If your friend calls or texts you and says “can I send you my resume to look over?” and then you get sent a Word document in an email from them, it’s almost certainly fine. But if the attachment is unexpected, it’s usually not fine.
  3. Check all links before clicking on them unless you are certain the sender is legitimate. Hover over the link with your mouse and most programs will show you the real destination at the bottom of the window. If the link doesn’t have the domain you’d expect, don’t click on it.
  4. Protect: install antivirus and anti-ransomware software so that if you make a mistake, your computer stands a better chance of being protected.

How do I prevent my own domain from being used in a spoofing attack?

If you have your own business domain such as mycompanyname.com and send email from that address, criminals can fake email from your domain pretty easily.

Digitally signed emails can be verified. It’s a good policy to set up digital signatures on all of your outgoing emails.

To prevent this, ask whoever sets up and maintains your email accounts to set up SPF, DKIM, and DMARC on your email hosting. These are DNS settings that allow the receiving server to verify that any email claiming to come from your domain actually came from servers that are allowed to send it. This setup can be tricky, as every single server that sends your email has to be included in the ‘allow’ list, including the server that sends your newsletter, the web hosting that might send out email notifications or replies from your website, and any service like a personal Gmail account that you use to send your domain email by proxy.
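The ‘allow list’ point above, shown with a tiny SPF and DMARC checker. This is an added example, not the article’s or any mail provider’s code: it evaluates constructed, in-memory TXT records instead of real DNS, and the domains and IP addresses (documentation ranges) are made up. It shows a ‘weak’ record that forgot the newsletter provider beside the corrected one.

```python
"""Added example (not from the article): a minimal SPF/DMARC check over
constructed, in-memory TXT records, showing why every sending service must be
in the allow list. Domains and IPs are made up (documentation ranges)."""
import ipaddress

# Constructed records. WEAK forgets the newsletter provider; FIXED includes it.
SHARED = {
    "_spf.webhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.newsletter.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.mycompanyname.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@mycompanyname.com"],
}
WEAK = {**SHARED, "mycompanyname.com":
        ["v=spf1 ip4:203.0.113.10 include:_spf.webhost.example -all"]}
FIXED = {**SHARED, "mycompanyname.com":
         ["v=spf1 ip4:203.0.113.10 include:_spf.webhost.example "
          "include:_spf.newsletter.example -all"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain, txt):
    """The v=spf1 TXT record for domain, or None if none is published."""
    return next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)

def check_spf(domain, sender_ip, txt, depth=0):
    """Evaluate sender_ip against domain's SPF record (ip4:, include:, all only)."""
    rec = spf_record(domain, txt)
    if rec is None or depth > 10:           # no record, or include: loop guard
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":             # pass only if the included domain passes
            matched = check_spf(arg, sender_ip, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:                               # a, mx, exists... need real DNS; not modelled
            matched = False
        if matched:
            return RESULT[qual]
    return "neutral"

def dmarc_policy(domain, txt):
    """The p= tag (none/quarantine/reject) of _dmarc.<domain>, or None."""
    for rec in txt.get("_dmarc." + domain, []):
        tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None
```

With the WEAK record, a newsletter sent from 192.0.2.25 gets an SPF ‘fail’ and, under p=quarantine, lands in spam; with FIXED the same message passes.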

Pro Tip: To verify that you are the correct sender of your email, you can also set your email to be digitally signed. This attaches a small file to each email that allows the receiver’s email software to verify it is actually from you, and that the email contents haven’t been changed in transit. Encryption can also be used between parties who both have encryption set up on their email software or platform; it not only verifies who is sending the email but also hides the content from anyone other than the verified intended recipient. Encryption between parties is not common in practice, so a digital signature is normally the best option.

Sophia Kelly

Want to learn more about practical cyber security? Check out my self-led courses, read about my practical cyber security training, or contact me for live instruction for your team.
