If you're fortunate, you have never been bothered by a spoofing attempt, not to mention a full-scale attack. Yet, given the rise in domain spoofing attacks on businesses that were forced to switch to remote work during COVID-19, we don't recommend relying on luck alone. As was stated on the Validity webinar in June, spoofers have no intention of stopping or growing a moral compass. So, organizations and solo entrepreneurs have to brace themselves for even more persistent and elaborate domain spoofing attempts. That is why you're reading this blog post right now.
Here, you'll learn about the dangers of email spoofing and why (and how) you should protect your domain from it.
What is email spoofing?
Let's say you receive an email from the WHO that instructs you to click a link or download a file. After you do what's asked of you (it's the WHO, it's probably important!), you either find your computer infected by ransomware or you see nothing at all, because you downloaded spyware that will stay around and quietly steal your financial data.
Why would the WHO do this? It wouldn't. The email came from scammers who put the WHO's domain name in the sender address to trick you into following their instructions. This is what spoofing is: impersonating a well-known domain to spread malicious content, compromise the recipient's systems with malware, or scam users out of money.
The most common type of spoofing relies on a fake domain name that looks very similar to the name of an existing credible domain (usually one that belongs to a large company such as Microsoft, Apple, Visa, etc.), except for a few tiny differences. For example, one letter might be missing (@winows.com instead of @windows.com), or the address refers to a department that doesn't exist (firstname.lastname@example.org).
However, even if the sender address is the real one, it still doesn't mean that you can relax. Scammers frequently send mail with a real company's domain in the From: address without ever controlling that domain, and that's a new level of trouble.
That's exactly what happened in the spring of 2020, when people started receiving donation requests sent by email@example.com, the legitimate WHO email address. The recipients were asked to contribute to the COVID-19 Solidarity Response Fund to help the WHO become more efficient at monitoring and analyzing COVID-19 cases across the world. However, the organization had nothing to do with those emails. They were sent by a cybercriminal who exploited a gap in the domain's email authentication to capitalize on the panic. The only thing that kept the scheme from succeeding was its demand that payments be made in Bitcoin.
Other impersonators were even worse. Some fake WHO emails spread malware by inviting users to read about the latest cure for COVID-19 in an attachment. Of course, there was no cure, only malware.
Note that all of those scammers used the official who.int domain in the sender address, knowing that recipients would have no reason to distrust such a massive organization during the pandemic.
So, this is what email spoofing is. It's evil, it's dangerous, and it will take away:
- Your deliverability. One fraudulent email campaign is enough to ruin the reputation of an entire company. Even if your recipients know you're not behind the scam, they would still rather not interact with your emails, just to be safe.
- Your revenue. Email spoofing has caused significant financial losses (up to 1.3 billion dollars, as mentioned in the 2019 Thales Access Management Index). That's how much businesses had to spend on investigating incidents, compensating the people who got scammed, and tracking down the culprits. And we're not even counting the cost of employee training.
- Your brand image. Would you trust a brand that can't protect its identity and leaves loopholes for criminals to exploit? Obviously not. So your target audience would be right not to trust you if they get hit by spoofed emails impersonating your brand. Ignoring the dangers of spoofing means ignoring the comfort and safety of the clients who submit their personal information to you. Logically, if you don't do what it takes to protect your clients' data, they'll protect it themselves by burning all the bridges and warning other prospective customers not to deal with you.
How to protect your domain from spoofing attacks?
Is there even a way to save your domain from email spoofing? After all, it seems that even large organizations can't manage it... Well, that assumption is wrong.
Some organizations that process huge volumes of customer data got hit by spoofing attacks during COVID-19 because they neglected basic safeguards. We're going to make sure that you never repeat their mistake.
1. Don't ignore your email authentication protocols
We talk so much about SPF records, DKIM signatures, and DMARC policies not because we have nothing else to talk about but because they are what safeguards your domain from spoofing attempts. Each of the three proves something different to the receiving server:
- SPF record: a DNS record listing the servers and IP ranges that are allowed to send mail with your domain as the envelope sender (the Return-Path address, not the From: line the recipient sees).
- DKIM signature: a cryptographic signature your mail server adds to each message, verifiable against a public key published in your DNS, proving that the signed headers and body were not altered in transit and that a key under your domain signed them.
- DMARC policy: a DNS record that ties SPF and DKIM results to the domain in the visible From: header (alignment) and gives receivers instructions on what to do when authentication fails, plus an address to send reports to.
To ensure proper protection, you must have all three protocols generated and fine-tuned. Why do you need all three of them? Wouldn't an SPF record be enough?
Well, let's go back to the WHO case. How did the scammers manage to use the official who.int domain? Did they hack their way in? Did someone inside the WHO decide to use it for their own goals?
No, and no again. It all happened due to a lack of protection.
At the beginning of 2020, the WHO had an SPF record for who.int, but no DMARC policy. The catch is that SPF only checks the envelope sender (Return-Path) domain, which the recipient never sees. A scammer can send from their own domain and their own server, pass SPF with flying colors, and still write who.int into the From: line, because nothing in SPF requires the two to match. Only DMARC demands that alignment.
A DMARC policy builds on your SPF record and DKIM signature. It lets the domain owner tell receiving servers what to do when an email claiming to come from that domain fails authentication. Without a DMARC policy, recipient servers have no instructions for such emails, so they may let the scammers through. One cybercriminal is enough to demolish your domain reputation, so it's not worth the risk. Get familiar with the three DMARC policies:
- p=none: Tells receiving servers to take no action against an unauthenticated email and deliver it as normal. Use it to collect reports before enforcing anything.
- p=quarantine: Instructs recipient servers to send a failing email to the spam or junk folder instead of the inbox.
- p=reject: Tells receiving servers to reject any email that claims to come from your domain but fails the authentication check. The message never arrives in the recipient's mailbox; the sending server gets an SMTP rejection, and if your DMARC record includes a rua= address, you receive aggregate reports listing the failures.
If you want to protect your domain and your recipients from spoofing, "reject" is the policy you want to end up with, because it's the one that actually blocks the forged mail. Note that the reports come from the rua= (and optional ruf=) tags and arrive under any policy, so the usual path is to start at p=none, read the reports to discover every third-party service that legitimately sends on your behalf, add those to SPF and DKIM, then move to quarantine and finally reject. Jumping straight to reject without that step will block your own newsletters and invoices as readily as the scammers' mail.
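To make the alignment point concrete, here is an added example (not code from the original post or from any vendor) that evaluates a message the way a receiving server does: it runs a minimal SPF check on the envelope sender, then applies a DMARC record to the visible From: domain. All domains, IP addresses and DNS records in it are constructed, and the SPF evaluator only handles ip4:/ip6: mechanisms and the -all/~all qualifiers, which is enough to show why SPF alone lets a spoofer through.

```python
"""Added example: how a receiver combines SPF, DKIM and DMARC, and why a valid
SPF result on the attacker's own domain does not protect the From: domain.
All domains, addresses and DNS records below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT answers the receiver would look up. Not real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=r; adkim=r",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",      # the spoofer's own, perfectly valid SPF
    "unprotected.example": "v=spf1 ip4:198.51.100.0/24 -all",  # has SPF, but no _dmarc record
}


def parse_tags(record: str) -> dict:
    """Split a DMARC-style 'k=v; k=v' tag list into a dict."""
    out = {}
    for part in record.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            out[key.strip().lower()] = val.strip()
    return out


def spf_check(mail_from_domain: str, ip: str, dns=DNS_TXT) -> str:
    """Minimal SPF: ip4:/ip6: mechanisms plus -all / ~all. Note what is checked:
    only the envelope sender (MAIL FROM) domain. The From: header is never consulted."""
    record = dns.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str                   # domain in the From: header, what the recipient sees
    mail_from: str                     # envelope sender (Return-Path) domain, what SPF checks
    source_ip: str                     # address of the connecting mail server
    dkim_domain: Optional[str] = None  # d= of a DKIM signature that verified, or None


def dmarc_evaluate(msg: Message, dns=DNS_TXT) -> dict:
    """Return the SPF result, the DMARC result and the disposition the policy asks for."""
    spf = spf_check(msg.mail_from, msg.source_ip, dns)
    record = dns.get("_dmarc." + msg.header_from) or dns.get("_dmarc." + org_domain(msg.header_from))
    if record is None:
        # No policy published: the receiver has no instruction, so the forged mail is delivered.
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    tags = parse_tags(record)
    spf_ok = spf == "pass" and aligned(msg.header_from, msg.mail_from, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_domain is not None and aligned(msg.header_from, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    policy = tags.get("p", "none")
    if msg.header_from != org_domain(msg.header_from):   # subdomain: sp= overrides p= if present
        policy = tags.get("sp", policy)
    return {"spf": spf, "dmarc": "fail", "disposition": policy}


# Constructed scenarios.
LEGIT = Message("example.com", "example.com", "198.51.100.10")
# The spoofer sends from their own server and SPF record but writes example.com into From:.
SPOOF = Message("example.com", "attacker.example", "203.0.113.5")
# The same trick against a domain that has SPF but never published a DMARC record.
SPOOF_UNPROTECTED = Message("unprotected.example", "attacker.example", "203.0.113.5")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoof", SPOOF), ("spoof-unprotected", SPOOF_UNPROTECTED)]:
        print(name, dmarc_evaluate(m))
```

Run it and compare the second and third scenarios: in both, SPF passes, because the scammer's own domain legitimately authorizes the scammer's own server. The only difference is that example.com publishes a p=reject DMARC record, so the receiver notices that the passing SPF identity is not aligned with the From: domain and rejects the message, while the unprotected domain's forged mail sails through with no disposition at all.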
2. Install BIMI
When it comes to protecting your brand identity, BIMI (Brand Indicators for Message Identification) is a lifesaver. It makes your email more recognizable by displaying your brand logo next to messages that pass DMARC for your domain.
It only works where the recipient's mailbox provider supports BIMI, but support is growing, and it is on its way to becoming a standard part of a trustworthy sending setup.
How does BIMI improve email authentication and protect your domain from spoofing?
- It works only if your DMARC works. BIMI is built on top of DMARC: the logo is shown only for mail that passes DMARC, and only for domains whose policy is at enforcement (p=quarantine or p=reject). So when your clients see your logo in their inbox, they know the message was authenticated as yours.
- It's hard to fake. The BIMI record is a DNS TXT record (at default._bimi.yourdomain) that you control, pointing to your SVG logo and, for providers that require one, a Verified Mark Certificate tying the logo to your trademark. A spoofer can't publish a record under your domain, and their forged mail fails DMARC anyway, so it never earns the logo.
- It helps recipients spot impostors. Forged messages arrive without your logo, so once your audience is used to seeing it, a message claiming to be from you but showing no logo stands out. You can encourage recipients to delete and report any such message if it ever lands in their inbox.
A growing number of major mailbox providers already support BIMI, so you can add a BIMI record today and make your prospects' inboxes a safer place, provided your DMARC policy is already enforcing.
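Because the logo depends on DMARC enforcement, it is worth checking the prerequisites before publishing a BIMI record. The following is an added example (not code from the original post or from any mailbox provider) that inspects constructed DNS answers for a domain and reports what would stop a provider from showing the logo: a missing or non-enforcing DMARC policy, a pct below 100, an sp=none subdomain loophole, or a BIMI record whose l= is not an HTTPS URL to an SVG file. The domains and records are constructed; the VMC (a=) check is reported as a warning because only some providers require it.

```python
"""Added example: pre-flight check of the DMARC and BIMI records a mailbox
provider looks at before displaying a logo. All domains and records are constructed."""
from urllib.parse import urlparse

# Constructed DNS TXT answers. Not real records.
DNS_TXT = {
    # Fully set up: enforcing DMARC, SVG logo over HTTPS, certificate present.
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    # Still in monitoring mode: BIMI record exists but DMARC is p=none.
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "default._bimi.monitoring.example": "v=BIMI1; l=https://monitoring.example/logo.svg",
    # Enforcing, but only on half the mail and with subdomains exempted.
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "default._bimi.partial.example": "v=BIMI1; l=http://partial.example/logo.png",
}


def tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DMARC and BIMI use the same syntax)."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";")) if k.strip()}


def bimi_status(domain: str, dns=DNS_TXT, selector: str = "default") -> dict:
    """Return {'eligible': bool, 'problems': [...], 'warnings': [...]} for a domain.
    Problems block the logo everywhere; warnings only matter at some providers."""
    problems, warnings = [], []

    dmarc = dns.get("_dmarc." + domain)
    if dmarc is None:
        problems.append("no DMARC record")
    else:
        d = tags(dmarc)
        if d.get("p") not in ("quarantine", "reject"):
            problems.append(f"DMARC policy p={d.get('p')} is not enforcing")
        if d.get("pct", "100") != "100":
            problems.append(f"pct={d['pct']} applies the policy to only part of the mail")
        if d.get("sp") == "none":
            problems.append("sp=none exempts subdomains from enforcement")
        if "rua" not in d:
            warnings.append("no rua= address, so you will not see who is failing DMARC")

    bimi = dns.get(f"{selector}._bimi.{domain}")
    if bimi is None:
        problems.append("no BIMI record")
    else:
        b = tags(bimi)
        if b.get("v") != "BIMI1":
            problems.append("BIMI record must start with v=BIMI1")
        logo = urlparse(b.get("l", ""))
        if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
            problems.append("l= must be an https:// URL pointing at an SVG logo")
        if "a" not in b:
            warnings.append("no a= certificate; providers that require a VMC will not show the logo")

    return {"eligible": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for domain in ("example.com", "monitoring.example", "partial.example", "nothing.example"):
        print(domain, bimi_status(domain))
```

The monitoring.example case is the one that trips people up in practice: the BIMI record itself is fine, but the logo will never appear until the DMARC policy moves from p=none to quarantine or reject.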
3. Educate your employees about email spoofing
Don't wait until the storm hits. Your employees are a prime target for spoofing because scammers often assume the identity of a C-level executive to trick staff into transferring company funds to the scammer's account (under the guise of an overdue bill from investors, for example) or into revealing sensitive information about clients or the company itself.
So, as a business owner, a CMO, or a CFO, you must teach every new and veteran team member to recognize impostors and tell them to %^&& off (just kidding: don't interact with phishers in any way, delete the email, and report it to your email service provider).
- Spread awareness. Make sure that your employee onboarding materials or training have a spot for email spoofing 101. Your team must be able to distinguish a spoofed email from a real one and analyze each incoming message calmly, without feeling pressured.
- Make it easy to expose the impostor. If you're a C-level executive, make sure your employees have no trouble identifying you. Let them know that you will never write to them in the middle of the night asking them to complete a transaction, never pressure them into sending private data or confidential business information, and never push your issues with investors or overdue invoices onto them; if something like that ever does come up, you will contact them personally. Let them know that it's OK to call you and ask for confirmation if they receive an odd message from you, even if it arrives late in the evening. Far too many spoofing schemes have succeeded because employees didn't feel they could question their CMO or CFO.
- Teach them to protect their devices. Take care of your employees' safety both in the office and at home. Instruct them on antimalware software, on protecting their laptops and devices with passwords, on making their home network more secure, and on how to treat suspicious mail. Discuss recent ransomware cases (such as the Petya attacks) to show them how opening just one link can open Pandora's box. In the digital age, this information is as valuable as knowing how to lock your house and use a security system to protect it from break-ins.
Human factors play a prominent role in email spoofing attacks. Sometimes employees are blackmailed with sensitive private information. Sometimes they're so used to following an authority figure that they won't think twice about an odd request. Sometimes it's simply that nobody taught them how to be responsible computer and email users. You can reduce the risk of scammers preying on your team members by giving them that knowledge and making it clear that you are always there to help.
Email spoofing is a dangerous practice used by immoral people to prey on your emotional vulnerability, the weaknesses in your network security, or the gaps in your email authentication. Sadly, it won't go away anytime soon, because the changes brought by COVID-19 gave scammers plenty of new opportunities to ruin businesses and destroy reputations. That doesn't mean there is nothing you can do to stand up to them. Collective responsibility and vigilance go a long way: if everyone makes the effort, scamming becomes harder and much less rewarding.
- Set up all three email authentication protocols. Ensure that your SPF record and DKIM signature are in place and backed by a DMARC policy that you have moved to "reject", so that mail forged in your domain's name is turned away before it reaches your recipients' inboxes.
- Make your brand more recognizable. Add a brand logo to your messages so they are identifiable at a glance. A BIMI record makes it easier for your target audience to distinguish you from scammers and open only the right emails.
- Accept responsibility and do your part. Modern technology and digital communication are no longer a novelty or a fashion statement. They're a solid part of your work and lifestyle, and their security matters as much as the safety of your household and your belongings. Treat them with care, educate yourself and your team about new dangers, introduce guides and tutorials, invest in security training, and let every employee know to alert you about suspicious activity in their mailbox. The more legitimate senders are willing to learn about spoofing attacks, the harder it will be for scammers to manipulate them.
If you want to make sure that your email authentication protocols work correctly and your BIMI record has been published successfully, a Folderly deliverability audit can help you with that. Our platform is user-friendly and enables you to keep an eye on your mailboxes 24/7.