Have you ever almost clicked on a link or an attachment – or actually clicked on a link or an attachment, without a second thought – because you thought the email came from someone you knew? Have you ever acted on an email request, for the simple reason that the message was from your CEO? Don’t feel bad: These situations occur more often than you might imagine. And scammers are becoming very clever about how they go about trying to trick employees into wiring money, divulging usernames and passwords, or clicking on links that introduce malware to their networks or compromise data, files, and entire systems.
Spoofed Emails Succeed by Playing on Fear
Spoofed emails, which are often used in phishing attacks, are one of the biggest security risks facing businesses and government organizations of all sizes, and it’s all too common for spoofs to be successful. Unfortunately, spoofed emails succeed because they are designed to play on the fears of email recipients.
An employee in your accounting department may receive an email that looks like it came from the company CEO, stressing the importance of immediately paying a delinquent invoice. Out of fear of reprisal, the employee may wire the money to pay the invoice without delay – and without stopping to consider the legitimacy of the email message.
An executive assistant may receive a message from a nameless or unfamiliar help desk, stating that their email account has been shut down for security reasons and that the assistant’s credentials need to be verified. The fear of not being able to perform their duties may cause the employee to act before they are able to think it through and proceed with caution.
Spoofed Emails Have Become More Sophisticated
Phishing is one of the most prevalent types of cybercrimes with over 500 million phishing attacks reported in 2022. For perspective, that’s over double the number of reported attacks in 2021—and not surprisingly so, as it’s one of the easiest types of scams to fall prey to. – Forbes
Because most consumers and email filters have learned to recognize mass spoofed emails as spam, cyber criminals have refined their methods. Spear phishing – a form of spoofing in which the email targets a specific organization and appears to come from someone inside that organization who would plausibly send such a message – has become the most common method of defrauding an organization. According to Verizon’s 2023 Data Breach Investigations Report:
- 83% of breaches involved external actors, with the majority being financially motivated.
- 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.
- 50% of all social engineering attacks are pretexting incidents – nearly double last year’s total.
How to Avoid Phishing Scams
To avoid email spoofing and phishing scams, organizations must enhance their training efforts, advising employees on how to best manage their email. Recognizing spoofed emails can’t be something you talk about during onboarding and then never mention again.
- Teach employees how to recognize a faked address and how to expand header information.
- Teach your staff how to hover over links, without clicking on them, to verify the entire URL.
- Encourage employees to double-check with a sender, especially if the request is for money or account information. A quick phone call to a colleague or an executive staff member may save you – and your company – thousands or more.
- Implement policies that require two people to be involved with any payments or wire transfers.
Improve Email Security
There are several measures organizations can take to help prevent being tricked by spoofed emails. Here are some best practices:
Employee Training and Awareness
Conduct regular training sessions to educate employees about phishing threats, including email spoofing. Teach employees how to recognize suspicious emails and verify sender details, and emphasize that they should avoid clicking on unknown links or downloading attachments from unfamiliar sources.
Email Authentication Protocols
Implement email authentication protocols, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these protocols let receiving mail servers verify that a message genuinely comes from the sender’s domain, which reduces the chances of successful email spoofing.
Use DMARC Policies
Deploy DMARC policies to specify how your organization’s email system should handle unauthenticated emails. Set up reporting mechanisms to receive feedback on emails that fail authentication, allowing you to monitor message traffic and take corrective action when necessary.
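As an added example (not thinkCSC’s code), the following Python checker parses a domain’s DMARC and SPF TXT records and flags the settings that leave the protocols ineffective, such as a DMARC policy of p=none with no reporting address, or an SPF record ending in +all. The sample records are constructed for illustration and do not belong to any real domain.

```python
# Constructed sample TXT records for illustration (not any real domain's records).
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.invalid ip4:192.0.2.0/24 +all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC record; an empty list means none found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: failing mail is still delivered (monitor only)")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= policy: " + repr(policy))
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if tags.get("pct", "100") != "100":
        findings.append("pct=" + tags["pct"] + ": policy applied to only part of the mail")
    return findings

def spf_findings(record):
    """Return a list of weaknesses in an SPF record (top-level terms only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: any host may send as this domain")
    elif last in ("?all", "~all"):
        findings.append(last + ": failing mail is not rejected; use -all once every sender is listed")
    # Count lookup-costing terms; include: targets are not fetched, so this is a lower bound.
    names = [t.lower().lstrip("+-~?").split(":")[0].split("=")[0] for t in terms[1:]]
    if sum(n in DNS_LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms: evaluation yields permerror")
    return findings
```

In practice the records would be fetched from DNS (for example with `dig TXT _dmarc.example.com`) and fed to these functions as part of a periodic audit.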
Advanced Threat Protection Solutions
Invest in advanced email security solutions that can detect and block suspicious emails and include anti-phishing features. These solutions may use machine learning algorithms and heuristics to identify phishing attempts and prevent them from reaching employees’ inboxes.
Multi-Factor Authentication (MFA)
Enable MFA for email accounts to add an extra layer of security. Even if credentials are compromised, the additional authentication step helps prevent unauthorized access.
Regular Security Audits
Conduct regular security audits and assessments to identify vulnerabilities in your organization’s email system. Address any weaknesses or gaps in security that could be exploited by attackers.
Confirm URL Links – Hover Over Them
Train employees to hover over links in emails to preview the actual URL before clicking. If the displayed link is different from the expected destination, it may be a sign of a phishing attempt.
Use Email Filtering
Implement robust email filtering solutions that can identify and filter out spam, phishing, and malicious emails before they reach employees’ inboxes.
Reporting Mechanisms
Establish a clear process that guides employees on how to report suspicious emails. Encourage them to report any emails that seem suspicious or that request sensitive information.
Regularly Update and Patch Systems
Keep email servers, security software, and all systems up to date with the latest patches to minimize vulnerabilities that attackers could exploit.
By combining the measures outlined here, organizations can create a more robust defense against email spoofing and phishing attacks. Regular monitoring, education, and technology solutions play key roles in maintaining a secure email environment.
Email security needs to be prioritized in every organization. Small and large businesses alike – in virtually every industry, including healthcare facilities and government agencies – are targeted. In addition to implementing a hosted email service that prevents the majority of spoofed emails from even landing in your inbox, as well as ensuring compliance with standards and regulations like Sarbanes-Oxley and HIPAA, consider publishing a Sender Policy Framework (SPF) record so that spoofed emails are less likely to succeed.
thinkCSC is committed to helping organizations improve cybersecurity and compliance. If you have been the victim of spoofed emails or would like to learn how to protect your organization from email security attacks, contact thinkCSC for more information.