Widely used in the past few years, spoofing is the act of usurping someone’s identity (by using a false email address for instance) with malicious intent. This type of scam is increasingly used by cybercrime experts to target corporations. So are phishing or ransomware, as attempts to gain unauthorized access to sensitive information – or for direct financial gain.
Regardless of the hackers’ motive, spoofing has disastrous consequences for any organization. From financial loss to reputational damage, it is one of the online threats that need to be taken seriously. In fact, 83% of organizations reported being victims of phishing attacks in 2021, with an expected 6 billion expected in 2022.
In this article, we cover what exactly spoofing is and what are the best practices to implement to prevent yourself from falling victim to it.
Trustpair is a SaaS solution that helps you protect yourself from the financial effects of frauds like spoofing. Our solution automatically and systematically checks your third-party information against our worldwide financial databases. Furthermore, it raises the alert in case of fraudulent payment attempts. Contact one of our experts today!
How does email spoofing work?
Spoofing – or pretending to be someone else, mainly carried out via email messages – is increasingly used by hackers.
It’s a scamming technique that aims to mislead the recipient of an email. Indeed, the fraudster uses an email address that looks very similar to the one of a known sender (like firstname.lastname@example.org instead of email@example.com).
Contrary to other well-known hacking techniques like phishing or ransomware, spoofing targets a specific person as part of a social-engineering attack. Indeed, scammers have to know the email address they impersonate and also their roles within the company, as they’ll have more leverage impersonating a C-suite executive than a low-level employee.
Those cyberattacks are more and more common in companies. 83% of organizations reported being victims of phishing attacks in 2021, with an expected 6 billion expected in 2022. In fact, a majority of employees have been targeted more than once by a phishing scam.
This a typical spoofing example.
In a classic spoofing scenario, the victim receives an email from firstname.lastname@example.org instead of email@example.com. The victim doesn’t know yet, but they’re the target of email spoofing.
Quickly skimming through the email, they might not realize that this is a fraudulent email (in this case, there is only a letter inversion in the address). Simply opening up the email can install malware or spyware on their device. Unfortunately, these devices can steal personal data (like their passwords) and send them to the attackers.
Hackers can also compromise domain names. For instance, they’ll create a fake email address ending with “trustpair.ca” (instead of trustpair.com), leading the recipients to believe they are indeed communicating with Trustpair employees.
When done correctly, this hacking is difficult to detect as the email address or domain really looks legitimate. The average employee has to deal with a big amount of emails every day and doesn’t have the time to double-check the identity of each email’s sender.
Spoofing can still happen when harsher security protocols are in place. Indeed, IP spoofing for instance is when a scammer uses the unique IP address of another device. Masquerading as a trusted source gets them access to otherwise unauthorized information.
While most companies have email solutions, antivirus, and even firewalls that are meant to protect their employees from spam, those aren’t failproof, especially if not updated regularly.
Cybercriminals make the most of this kind of security breach to attack a company in order to steal sensitive information, leaving the company compromised.
Spoofing is a doorway to corporate fraud.
As we’ve seen, spoofing is a hacking technique that is used to impersonate an email address, an IP address, a domain name, or even a caller ID.
In addition, a spoofer can usurp the identity of one of your suppliers, sending emails to your collaborators asking for a bank transfer to their account.
They can ask for payment for a real unpaid invoice, using a real supplier you have. They then change the financial information so the money is transferred to their own illegitimate bank account. That’s what we call fake supplier fraud, among the many B2B payment frauds.
With the rise of bots and AI, it is also easier for fraudsters to use social engineering to create fake supplier profiles. This makes the need for efficient countermeasures even greater for corporations.
Another spoofing-related fraud is CEO fraud (learn more here).
In this case, one of your employees receives an email from someone pretending to be your CEO asking for an “urgent” transfer to a third party. It can be under the false pretense of a payment delay, a debt to pay, etc. Generally, the person impersonates the CEO or any other high-level executive. This leads to the employee carrying out the request without too many questions. CEO fraud – a type of Business Email Compromise (BEC) – is one of the most widespread scams around.
According to the FBI’s Internet Crime Report for 2021, BEC scams were responsible for more than a third of all cybercrime losses this year, with a 33% increase from 2021.
All companies are targeted, regardless of their size or industry. Between 2013 and 2019, CEO fraud cost the US economy 26 billion dollars.
For hackers, there is a double incentive to carry it out:
- It’s quite easy to set up (you only need to set up a fake email address).
- It looks legitimate, which means it works very well.
Even though it seems spoofing attacks might be obvious from a theoretical standpoint (and therefore easily foiled) the reality is different. In a recent report, 42% of employees admitted to taking a dangerous action (like clicking a link in a suspicious email, downloading malware, or revealing personal information) in 2021.
Emails exchanges with suppliers and third parties are a daily occurrence, so employees don’t really have any reason to be suspicious about any email they receive. That’s why spoofing is so efficient, and dangerous.
Do you want to learn more about B2B payment fraud? Check out our white paper and discover trends, insights and advice to fight efficiently against fraud!
What are the best practices to protect yourself from spoofing?
Monitor and promote awareness amongst your employees to block spoofing.
The first step to take is to carefully monitor your IT security as well as raise awareness around spoofing and fraudulent emails – as well as other Internet threats. They’re essential and efficient steps to start protecting yourself from attacks against your company by cyber-criminals.
Moreover, they can be easily implemented, thanks to a lot of resources available online. Learning to spot those potentially malicious emails must become a reflex for everyone. It can protect against numerous disasters.
In your company, if that’s not already done, you can set up a spam filter on all emails. Even though it won’t be enough to fully protect your company fully from being spoofed, it’s a great first barrier against it.
Don’t underestimate internal communication between teams.
The more your teams communicate amongst themselves, the better they’ll be able to react and protect your company against spoofing attacks or phishing attempts.
Secure email addresses as well as IP addresses to prevent spoofing
By hiding your email and IP addresses from any external organization, you’ll be able to limit the risk of spoofing. You can install a proxy server, which will do that as well as limit access to suspicious-looking websites and track online activity across your organization.
Install a double check in case of financial transactions.
This best practice can be integrated in your anti-spoofing strategy. For instance, you can set up a systematic check between the emails received and the identity of the sender. This will make sure both information matches. Ideally, this check will be automated.
Set up an ongoing check for third parties’ financial data.
Each request to change a third party’s bank account details should be controlled in order to make sure it’s not an attempt at spoofing. That might seem like a lot of extra work for your accounting team. However, it doesn’t have to be this way.
This is something that we offer at Trustpair. Our solution makes automated checks between the financial information and the name of your suppliers (and other third parties). As such, it ensures you are indeed paying the right person and bank account.
Our solution helps increase your control processes. It also raises the security awareness across your company, which leads to fewer fraud risks without burdening your teams. Contact one of our experts today!
Spoofing is a hacking technique that usurps someone’s identity by creating fake email addresses, domain names, or IP addresses. Malicious hackers target a specific person within the company. This isn’t like other scams like phishing or ransomware which target a wider audience.
This type of email scam is an open door to fraud in your company. Victims can then fall prey to fake supplier fraud, or CEO fraud.
To protect yourself from spoofing, the first thing to do is raise awareness of those hacking techniques within your organization. You can also set up security protocols like securing your IP addresses or setting up a firewall.
Another way to protect against financial fraud is to set up automatic double-checks when emails are about financial transactions. You can also ensure the financial data shared in the email received matches those of your third party.
The automated control of your suppliers’ financial information can be done effortlessly through dedicated software like Trustpair. We work with financial departments of large corporations to help them digitize their processes in a safe and effective way. We secure their payments and ensuring money is always transferred to the right bank accounts.