Email spoofing is the creation of fake emails that appear legitimate in order to trick users into taking an action that benefits the attacker: downloading malware, providing access to systems or data, handing over personal details, or transferring money. Often these spoofed emails appear to come from reputable organisations, putting not only the targets at risk but also the reputations of the corporations whose domains were abused. Spoofed emails can also be one stage of a larger, multi-stage attack, such as those aimed at doxing corporations. And these attacks are on the rise.
From April to May 2021, the total number of email spoofing attacks nearly doubled, from 4,440 to 8,204. These attacks can be carried out in several ways. The simplest is "legitimate domain spoofing": the attacker places the spoofed organisation's real domain in the "From" header, which makes the fake email very difficult to distinguish from a genuine one. If, however, the company has deployed one of the email authentication standards (SPF, DKIM or DMARC, recommended below), the receiving server can detect that the message did not originate from the domain it claims and reject or quarantine it, so attackers must fall back on another technique. One is "display name spoofing", in which the attacker forges only the sender's name so that the message looks as if it were sent by a real employee of the company, while the actual address belongs to a domain the attacker controls.
More sophisticated spoofing attacks involve lookalike domains: the attackers use specific registered domains that look similar to those of legitimate organisations.
Example of a message from a lookalike domain
In the example above, attackers sent out an email that appeared to be from the German mail company Deutsche Post (deutschepost.de). The message claims you need to pay for the delivery of a package, but if you click the link to do so, not only will you lose 3 euros, you will also hand your card details to fraudsters. A closer look reveals a spelling error in the domain name, which tells the user the email is a fake. With Unicode spoofing, however, no such visual clue exists.
Domain names can contain characters beyond ASCII (internationalised domain names, IDNs). In DNS and on the wire, such names are carried in an ASCII-compatible encoding called Punycode, in which each converted label is prefixed with "xn--". At the code level, the two domains are therefore clearly different: kaspersky.com and a domain in which the Latin "y" has been replaced by the Cyrillic "у" (U+0443), whose wire form begins with "xn--". But a mail client that renders IDNs converts the Punycode back to Unicode for display, so both appear as "kaspersky.com" in the "From" field, and the recipient sees nothing wrong.
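The three techniques described above (display name spoofing, lookalike domains and Unicode homoglyphs) can all be caught by inspecting the "From" header rather than trusting what the client displays. The following is an added example, not code from the original article or from Kaspersky: it normalises the sender domain to both its Punycode wire form and its displayed Unicode form, flags labels that mix scripts, folds a small table of Cyrillic confusables to detect homoglyphs of protected brands, uses a similarity ratio to catch typo lookalikes, and compares a known colleague's display name against the real address. The protected domains, the known-sender list, the confusables table and the sample headers are all constructed for this example.

```python
import difflib
import email.header
import email.utils
import unicodedata

# Constructed reference data for this example: domains we want to protect and
# the real addresses of colleagues whose names an attacker might borrow.
PROTECTED_DOMAINS = {"kaspersky.com", "deutschepost.de"}
KNOWN_SENDERS = {"jane doe": "jane.doe@kaspersky.com"}   # display name -> real address

# Cyrillic letters that render like Latin ones (a small confusables table, not the
# full Unicode list); folding them lets us compare a homoglyph domain to the brand.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
})


def decode_display_name(raw):
    """Decode an RFC 2047 encoded-word display name (=?utf-8?q?...?=) to str."""
    parts = email.header.decode_header(raw)
    return "".join(
        p.decode(enc or "ascii", "replace") if isinstance(p, bytes) else p
        for p, enc in parts
    )


def scripts_in(label):
    """Heuristic: the scripts used in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse_from(from_header):
    """Return a list of findings for a From: header value (empty means nothing suspicious)."""
    findings = []
    name, addr = email.utils.parseaddr(from_header)
    name = decode_display_name(name)
    if "@" not in addr:
        return ["no parseable address in From header"]
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()

    # Normalise both ways: the wire form (Punycode, xn--) and the form the client displays.
    try:
        ascii_domain = domain.encode("idna").decode("ascii")
        unicode_domain = ascii_domain.encode("ascii").decode("idna")
    except UnicodeError:
        return [f"undecodable IDN domain {domain!r}"]

    # Unicode spoofing: a label mixing scripts (Latin + Cyrillic) is almost never legitimate.
    for label in unicode_domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r} ({', '.join(sorted(scripts))})")

    # Homoglyph of a protected brand, or a plain lookalike (typo) domain.
    folded = unicode_domain.translate(CONFUSABLES)
    if ascii_domain != unicode_domain and folded in PROTECTED_DOMAINS:
        findings.append(f"IDN homoglyph of {folded} (wire form {ascii_domain})")
    elif ascii_domain not in PROTECTED_DOMAINS:
        close = difflib.get_close_matches(ascii_domain, PROTECTED_DOMAINS, n=1, cutoff=0.85)
        if close:
            findings.append(f"lookalike domain {ascii_domain} resembles {close[0]}")

    # Display name spoofing: a colleague's name in front of an address that is not theirs.
    key = " ".join(name.split()).lower()
    if key in KNOWN_SENDERS and f"{local}@{ascii_domain}" != KNOWN_SENDERS[key]:
        findings.append(f"display name {name!r} used with foreign address {local}@{ascii_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, then one of each spoofing technique.
    for hdr in ("Jane Doe <jane.doe@kaspersky.com>",
                "Jane Doe <jane.doe@gmail.com>",
                "Deutsche Post <noreply@deutchepost.de>",
                "Kaspersky <support@kaspersk\u0443.com>"):
        print(hdr, "->", analyse_from(hdr) or "ok")
```

Two caveats for anyone adapting this: the confusables table covers only a handful of Cyrillic letters, whereas the Unicode consortium publishes a far larger list of visually confusable characters across many scripts, and the mixed-script check is a heuristic that will flag some legitimate IDNs that combine a script with Latin letters. Both checks are best used as signals feeding a wider mail filter rather than as a hard block on their own.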
“Spoofing may seem primitive when compared to some of the other techniques used by cybercriminals, but it can be very effective. It can also just be the first stage of a more complex business email compromise (BEC) attack – attacks that can lead to identity theft and business downtime, as well as significant monetary losses. The good news is that there are a range of anti-spoofing protection solutions available and new authentication standards that can keep your business email secure,” comments Roman Dedenok, security expert at Kaspersky.
To reduce the risk of your corporation falling victim to spoofing, Kaspersky experts recommend the following:
- Adopt email authentication for your corporate domain: SPF lets receivers check which hosts may send mail as your domain, DKIM lets them verify a signature on the message, and DMARC builds on both to tell receivers what to do with mail that fails (and to send you reports of spoofing attempts).
- Implement a security awareness training course that covers email security. It helps to teach employees to always check the sender's actual address, not just the display name, when they receive email from an unfamiliar person, and to learn the other basic rules.
- If you use the Microsoft 365 cloud service, don't forget to protect it. Kaspersky Security for Microsoft Office 365 has a dedicated anti-spoofing feature for secure business communications.
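Publishing SPF and DMARC records is only half of the first recommendation; records that are present but permissive (an SPF record ending in "+all", or a DMARC policy of "p=none") give receivers no grounds to reject a spoofed message. The following is an added example, not code from the original article or from Kaspersky, that audits the two records a domain publishes and shows a weak configuration beside its hardened form. The TXT strings are constructed for this example (example.com is reserved for documentation and these are not real DNS answers); in practice you would feed in the strings returned by a DNS TXT query. DKIM is not covered here because verifying it needs the selector-specific key record and a signed message.

```python
import re

# Constructed TXT records for a hypothetical domain: weak settings first, then the
# hardened equivalents. Not real DNS data.
WEAK = {
    "example.com": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
HARDENED = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|$)|mx(:|$)|exists:|redirect=|ptr(:|$))", re.I)


def check_spf(txt_records):
    """Findings for a domain's SPF record (list of TXT strings at the domain apex)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: RFC 7208 treats this as a permanent error"]
    terms = spf[0].split()[1:]
    findings = []
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, no protection")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms: evaluation yields permerror")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no policy and are not reported"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers must abort DMARC processing"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers treat the record as p=none at best")
    elif policy == "none":
        findings.append("p=none: spoofed mail is still delivered; only reports are generated")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports of spoofing")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    return findings


def audit(domain, records):
    """Audit SPF and DMARC for one domain against a dict of DNS name -> TXT strings."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    print("weak:    ", audit("example.com", WEAK))
    print("hardened:", audit("example.com", HARDENED))
```

Moving from p=none to p=reject is usually done in stages (p=none with rua= to collect reports, then p=quarantine, then p=reject) so that legitimate third-party senders that were never added to SPF or signed with DKIM are discovered from the reports before their mail starts being rejected.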