Article updated on 04/16/2024.
Almost all Internet users are familiar with the concept of phishing, but there is another very common type of email attack that we know less about. Do you know what spoofing is and what it relies on to deceive users? Here we explain it.
In recent years, and especially since the start of the pandemic, the digital transformation of society has accelerated: business, healthcare and education models increasingly depend on the Internet, teleworking has been adopted en masse and, as a result, more cloud tools are in use. But as companies evolve, so do cybercriminals' attacks.
Back in 2021 the antivirus firm Kaspersky was already warning about a type of attack that keeps growing: spoofing (that is, impersonation or imitation), which consists of a set of malicious methods for falsifying the identity of a web page, an entity or a person online, with the main objective of obtaining credentials that give the scammers access to private accounts or privileged information.
Email phishing grows by 51% in 2023
Email spoofing is one of the most classic types of spoofing. It consists of falsifying the email address of a trusted person or entity in order to request information from the victim.
In recent years, attacks of this type have been directed, among others, at human resources staff: a supposed employee of the company writes to the HR department to report a change of bank account. At the beginning of the following month, the real employee gets in touch because their salary has not arrived. The company has paid a scammer.
This technique is also used to launch other types of attack, from phishing to BEC scams (business email compromise).
In 2021, according to Kaspersky data, between April and May alone, the detected cases of this type of cyber attack went from 4,440 to 8,204.
Between 2022 and 2023 the increase was 51%, reaching a record 1.76 billion fraudulent emails, according to the report prepared by Vade Secure (Hornetsecurity).
The most used spoofing techniques to falsify emails
To make email spoofing or phishing credible, cybercriminals apply the following techniques:
1. Forgery of “From”
The message can be manipulated so that the “From:” header shows a fake sender address, or pairs a legitimate-looking name with a fraudulent address. The sender can do this easily because SMTP was designed without any sender authentication: the “From:” header is just text written by the sending system, and it does not have to match the address used in the SMTP envelope (MAIL FROM), which the receiving server later records as Return-Path.
This practice can be hard to unmask by eye. Brands must implement DMARC to detect these cases, as we will see later.
2. Impersonation of a real sender (phishing)
In this case, the fake email is signed by a “real” colleague, client or department with whom the victim has more or less regular contact. The address, however, is not the correct one; this is known as display-name spoofing.
Almost all email clients display the sender's name rather than the sending address in the inbox, for convenience. The problem is that most users only look at the sender's name: if they recognise it, they trust it.
A well-known example is the CEO scam, aimed at an employee with authority to carry out transactions. They receive an email supposedly from the company's CEO who, under some pretext, requests an urgent payment, bypassing the usual protocols for such procedures.
Unlike other spam, this attack has a specific target. It is based on sending messages from an address registered on a valid domain (for example, a free account at gmail.com or outlook.com), but under the name of a partner or supplier known to the organisation in question.
Spam filters do not catch these emails because they contain no suspicious content, just vague phrases requesting information or an action related to an account or invoice.
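To show what the two tricks above look like to a receiving mail server, here is an added example in Python (written for this article; it is not code from the original page or from any mail product). It parses three constructed messages: one with a trusted display name on a free-mail address, one with a forged “From:” header whose envelope sender and Authentication-Results disagree with it, and one legitimate message. The contact directory, addresses and domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only; not real traffic).
# Return-Path and Authentication-Results are written by the receiving server
# on delivery, which is why they are worth comparing with the From: header.
DISPLAY_NAME_SPOOF = """From: "Ana Ruiz (CEO)" <ana.ruiz.ceo@gmail.com>
To: finance@noticias.com
Subject: Urgent transfer
Return-Path: <ana.ruiz.ceo@gmail.com>
Authentication-Results: mx.noticias.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

Please pay the attached invoice today.
"""

HEADER_FROM_FORGERY = """From: "Ana Ruiz" <ana.ruiz@noticias.com>
To: finance@noticias.com
Subject: Urgent transfer
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.noticias.com; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=noticias.com

Please pay the attached invoice today.
"""

LEGITIMATE = """From: "Ana Ruiz" <ana.ruiz@noticias.com>
To: finance@noticias.com
Subject: Budget
Return-Path: <ana.ruiz@noticias.com>
Authentication-Results: mx.noticias.com; spf=pass smtp.mailfrom=noticias.com; dkim=pass header.d=noticias.com; dmarc=pass header.from=noticias.com

See attached.
"""

# Assumed directory of known contacts: display name -> address we expect.
KNOWN_CONTACTS = {"ana ruiz": "ana.ruiz@noticias.com"}


def auth_results(raw_header: str) -> dict:
    """Extract the method=result pairs from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", raw_header or ""))


def inspect(raw_message: str, known_contacts=KNOWN_CONTACTS) -> list:
    """Return a list of warnings for the message; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    results = auth_results(msg.get("Authentication-Results"))
    warnings = []

    # 1. Display name belongs to a known contact but the address does not
    #    (the "(CEO)"-style suffix is stripped before the lookup).
    key = re.sub(r"\s*\(.*?\)", "", name).strip().lower()
    expected = known_contacts.get(key)
    if expected and addr.lower() != expected:
        warnings.append(f"display name '{name}' matches a known contact but address is {addr}")

    # 2. Header From domain differs from the envelope sender domain.
    from_domain = addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower() if return_path else ""
    if rp_domain and rp_domain != from_domain:
        warnings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    # 3. The receiver's own DMARC verdict on the From domain.
    if results.get("dmarc") == "fail":
        warnings.append("dmarc=fail for the header From domain")
    return warnings


if __name__ == "__main__":
    for label, raw in [("display-name spoof", DISPLAY_NAME_SPOOF),
                       ("header From forgery", HEADER_FROM_FORGERY),
                       ("legitimate", LEGITIMATE)]:
        print(label, "->", inspect(raw) or "no warnings")
```

Note that the first message passes SPF, DKIM and DMARC, because everything is genuinely sent from gmail.com; only the contact-directory check catches it. The second fails DMARC because the From domain is ours and the message was not sent from our servers. A mismatch between From and Return-Path alone is not proof of fraud (mailing-list and marketing platforms do it legitimately), so it is a signal to combine with the others, not a verdict.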
3. Deceptively similar domains (typosquatting)
When an organization's domain is protected by authentication, cybercriminals can try to trick the recipient by registering other domains that look very similar at first glance. This is known as typosquatting (and, when the trick relies on visually similar characters, as a homograph attack): the attacker omits or adds a letter or word, or introduces a spelling error. Let's imagine that our domain is noticias.com; we could find variants of this type:
- Spelling mistake: notisias.com
- Typo: noricias.com
- Singular/plural variation: noticia.com
- Different extension: noticias.app
- Addition: noticias-actualidad.com
- Similar characters: 1 instead of l (paypa1 instead of paypal)
A famous example is the impersonation of the German postal company Deutsche Post using the email deutschepots.de (instead of deutschepost.de). This subtle change can easily go unnoticed by more than one user.
4. Using characters from other alphabets
Attackers can also replace some Latin letters with characters from another alphabet in the Unicode range. Cyrillic is a very common choice, because many of its letters are rendered with glyphs that are visually identical to the Latin ones: the Cyrillic е (U+0435), for example, is indistinguishable from the Latin e (U+0065) in most fonts. An internationalised domain name containing such a letter is stored in DNS as an encoded “xn--” label that the user never sees.
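The lookalike domains of sections 3 and 4 can be caught mechanically. Here is an added example in Python (written for this article, not code from the original page or any vendor) that classifies the domain of a sender address against the protected brand domain: it folds confusable characters into a “skeleton” of what the reader sees, flags labels that mix scripts, and measures the edit distance for plain typos. The confusables table is a deliberately small assumption; a real deployment would load the full Unicode confusables data and the public suffix list. It also goes slightly beyond the text by accepting the “xn--” (punycode) form, which is how these domains appear in logs and DNS.

```python
import unicodedata

# Constructed, deliberately small confusables map (assumption: a real deployment
# would load the full Unicode confusables data). Maps a lookalike character to
# the Latin letter a human reader perceives.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "1": "l",   # digit one read as lowercase L (paypa1)
    "0": "o",   # zero read as o
}


def to_unicode(domain: str) -> str:
    """Accept either the Unicode form or the punycode (xn--) form of a domain."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def to_ascii(domain: str) -> str:
    """The xn-- form that DNS and registrars actually store."""
    return domain.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Reduce a label to what a reader sees: NFKC-normalise, lowercase, fold
    confusables and the 'rn' pair that renders like 'm'."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m")


def scripts(label: str) -> set:
    """Unicode scripts present in a label, taken from the first word of each
    letter's name (LATIN, CYRILLIC, GREEK ...). A brand label uses exactly one."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insertion, deletion,
    substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(sender_domain: str, brand_domain: str) -> str:
    """Classify the domain of a From: address against the protected brand domain:
    'legitimate'    exact match or a subdomain of it
    'homograph'     identical once confusables are folded, or mixes scripts
    'typosquat'     one edit (typo, omission, transposition) away from the brand
    'brand-in-name' brand embedded in a longer label (noticias-actualidad.com)
    'unrelated'     none of the above
    Assumption: the registrable label is the second-to-last one (fine for .com,
    .app ...); a real deployment would use the public suffix list for co.uk etc."""
    sender = to_unicode(sender_domain).lower().rstrip(".")
    brand = brand_domain.lower().rstrip(".")
    if sender == brand or sender.endswith("." + brand):
        return "legitimate"
    s_label, b_label = sender.split(".")[-2], brand.split(".")[-2]
    if skeleton(s_label) == skeleton(b_label) or len(scripts(s_label)) > 1:
        return "homograph"
    if osa_distance(s_label, b_label) <= 1:
        return "typosquat"
    if b_label in s_label:
        return "brand-in-name"
    return "unrelated"


if __name__ == "__main__":
    for d in ["noticias.com", "notisias.com", "noricias.com", "noticia.com",
              "noticias.app", "noticias-actualidad.com", "notici\u0430s.com"]:
        print(f"{d:28} {to_ascii(d):32} {classify(d, 'noticias.com')}")
    print("paypa1.com", classify("paypa1.com", "paypal.com"))
```

One taxonomy difference from the list above: the classifier reports paypa1.com as a homograph rather than a typo, because the trick is a lookalike character, not a keyboard slip. The “different extension” case (noticias.app) comes out as unrelated, since the label is identical and only the TLD changes; that case is exactly what the domain-monitoring watchlist described later is for.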
5. Manipulation of message content
Attackers can create emails with misleading or alarming content, such as fake account problem notifications or fake security warnings, with the goal of prompting the recipient to act impulsively.
6. Social engineering
In addition to manipulating email content, attackers can use psychological manipulation tactics to induce the recipient to perform specific actions, such as clicking on malicious links or downloading infected attachments.
7. Reuse of compromised credentials
In some cases, attackers gain access to legitimate email accounts through phishing or password attacks and use them to send fraudulent emails to other recipients. Because these messages really do leave the owner's account, they pass SPF, DKIM and DMARC, so the authentication measures described later do not catch this variant on their own.
Evolution of email spoofing between 2020 and 2024
The evolution of email spoofing between 2020 and 2024 has been marked by several factors:
- Improved security defenses: Companies and organizations have improved their defenses against email spoofing by implementing more advanced security solutions, such as email filters, domain authentication (DMARC, SPF, DKIM) and artificial-intelligence solutions for detecting fraudulent emails.
- Increased sophistication of attacks: Despite improved defenses, attackers have continued to evolve their techniques to bypass security measures and deceive recipients. This includes the use of more sophisticated social engineering tactics, such as personalizing emails for specific targets and using personal information extracted from subject lines or content of previous emails.
- Increased use of automation: Attackers have taken advantage of automation to increase the efficiency of their email spoofing attacks. This includes using bots to generate mass emails with misleading content and using phishing-as-a-service infrastructure to send bulk emails.
- Increased focus on targeted attacks (Spear Phishing): Instead of targeting large audiences broadly, attackers have placed a greater emphasis on targeted attacks, known as spear phishing. These attacks involve personalizing emails for specific targets, such as company employees or high-ranking individuals, in order to maximize the chances of success.
How to prevent email phishing
Companies can take several security measures and precautions to try to prevent these attacks, including leveraging their intellectual property rights to act quickly on often-overlooked cases of online phishing.
Let’s see what resources are available to prevent email spoofing fraud:
Domain Monitoring
Domain monitoring belongs to the group of proactive services for detecting online infringements. Such services detect these attacks early, ideally before the fraudulent domain reaches any victims, rather than reacting after the attack has already happened: the old “prevention is better than cure”. That does not mean it is useless once an attack has taken place: if that has happened and we have not noticed, the service will detect it.
What does it consist of?
Domain monitoring scans for your company's brand (for example, “ubilibet”) and detects registered or expired domains (that is, domains that were registered but not renewed after expiry, so anyone can register them again) that mention it in the domain name (for example, “ubilibetonline.com” or “ubilibet-support.com”).
How to use it correctly
For domain monitoring to be a useful tool for preventing online fraud, it must not fall into the bad practice of being used retroactively (“let's see what is registered”), but must detect in real time when a domain containing your brand has just been registered, that is, today. Only then can we get ahead of the attack and stop it before a phishing campaign claims victims.
In addition, we must make sure that our provider offers a tool covering as many variants of the domain name as possible: characters from other alphabets, hyphens, automatic detection of typos (deliberate errors such as “ubilibt” or “ubiliebt”) and confusable characters (such as a capital “I” instead of a lowercase “l”). Other advanced features, such as unlimited results, are also relevant to ensure the widest possible coverage.
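To make concrete what “as many variants as possible” means, here is an added example in Python (written for this article; not the code of the original page or of any monitoring provider) that generates the watchlist of lookalike names for a brand domain: omissions, repetitions, transpositions, hyphenation, Cyrillic and digit homoglyphs, brand-plus-keyword names and the same name under other extensions. The affix and TLD lists and the homoglyph table are assumptions and would be far larger in a real tool. It also converts each name to the “xn--” form, because that is the string a WHOIS/RDAP lookup or a passive-DNS feed will actually show.

```python
# Assumed keyword suffixes and extensions; a real watchlist would be far larger.
AFFIXES = ("-support", "-online", "-login", "-secure", "online")
TLDS = ("com", "net", "org", "app", "es", "co")
# Lookalikes per Latin letter: Cyrillic homoglyphs plus the digit swaps the
# article mentions (1 for l, 0 for o). DNS is case-insensitive, so the
# "capital I for l" trick collapses to the i<->l pair once lowercased.
LOOKALIKES = {"a": "\u0430", "e": "\u0435", "o": "0\u043e", "c": "\u0441",
              "p": "\u0440", "x": "\u0445", "y": "\u0443",
              "l": "1i\u0456", "i": "1l\u0456"}


def label_variants(label: str) -> set:
    """Typo-style and homoglyph variants of one DNS label."""
    n, out = len(label), set()
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                 # omission: noticas
        out.add(label[:i] + label[i] + label[i:])          # repetition: notticias
        for g in LOOKALIKES.get(label[i], ""):
            out.add(label[:i] + g + label[i + 1:])         # homoglyph: notici\u0430s, paypa1
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: noitcias
    for i in range(1, n):
        out.add(label[:i] + "-" + label[i:])               # hyphenation: noti-cias
    out.update(label + a for a in AFFIXES)                 # brand + keyword: noticias-support
    out.discard(label)
    return out


def watchlist(domain: str) -> list:
    """All candidate names for the brand domain, plus the same label under other TLDs."""
    label, tld = domain.lower().rsplit(".", 1)
    names = {f"{v}.{tld}" for v in label_variants(label)}
    names |= {f"{label}.{t}" for t in TLDS if t != tld}
    return sorted(names)


def registrar_form(name: str) -> str:
    """Punycode (xn--) form, which is what WHOIS/RDAP and DNS actually store."""
    return name.encode("idna").decode("ascii")


if __name__ == "__main__":
    names = watchlist("noticias.com")
    print(len(names), "candidate names, for example:")
    for name in names[:10]:
        print(f"  {name:24} {registrar_form(name)}")
```

The point of the “today, not retroactively” advice above is that this list is what the provider should be diffing against new registrations every day: a name that appears in today's zone-file or registration feed and is on the list deserves an alert before any email is sent from it.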
Content and metadata monitoring
Unlike domain monitoring, content and metadata monitoring lets us identify web pages that have cloned our official site or make fraudulent use of our brand, by scanning the content and metadata of the home page. This identifies domains that do not mention the brand in the domain name but do misuse it in their content.
Therefore, it is a service that complements and increases the coverage of the domain monitoring service. Ideally, you should have both.
Suspicious domain monitoring
What happens if someone has registered a domain that mentions your brand but has left it parked or undeveloped (“there is nothing” on it)? In these cases there is nothing to report yet, since no infringement or fraudulent use has been committed. However, the mention of our brand in the domain name is suspicious enough to think it may have been registered for a phishing attack, right?
In these cases, a surveillance service is used in which the activity of that “empty” domain is monitored. When it is detected that a web page with content has been published, a mail server has been activated (for example, an MX record appears) or the DNS has changed, an alert is received indicating that the domain must be reviewed again. We can then take action if there is a real risk.
How to detect email spoofing attacks in progress
Let's imagine that all of the above fails or that we have not implemented it yet. How could we detect that an email spoofing attack has been carried out using our brand? Here are some pointers:
Security protocols: SPF, DKIM and DMARC
Email authentication protocols aim to guarantee the deliverability of the emails you send to your contact databases and to show users that you are a safe, trusted sender. It is therefore extremely important to have them in place, especially now that large mailbox providers such as Gmail and Yahoo have tightened their requirements for bulk senders.
SPF is a TXT record in your DNS that lists which servers and IP addresses are allowed to send email on behalf of your domain. For a message to pass this check, the sending server must be covered by the record; if it is not, the receiving server marks the message as failing SPF and it will probably end up in the spam folder. Note that SPF checks the envelope sender (MAIL FROM), not the “From:” header the user sees, so on its own it does not stop the header forgery described above.
DKIM adds a cryptographic signature to outgoing messages, verified against a public key published in DNS, which guarantees that the signed headers and body have not been altered by a third party between sending and delivery.
DMARC is a protocol that gives us visibility over the traffic using our domain and lets us define one of three policies telling receivers what to do with a message that fails authentication (one that passes neither SPF nor DKIM with a domain aligned to the “From:” header): none (do nothing, just report), quarantine (send it to spam) or reject (block it). DMARC is the strongest standard email security measure available to senders and one of the requirements that large mailbox providers demand today.
How does DMARC help us detect email spoofing fraud?
One of the keys to DMARC is the aggregate reports (rua) that receiving servers send us, summarising the messages they saw using our domain and the results of the SPF and DKIM checks. When these reports show a spike of messages that failed SPF and/or DKIM, especially from IP addresses we do not send from, it means emails have been sent with our domain to large numbers of mailboxes that rejected or quarantined them. If this does not match our company's communication and marketing activity or our usual deliverability levels, it is an indication that someone has used our domain to carry out a phishing attack through email spoofing.
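As an added example for this section (written for this article, not code from the original page or from any DMARC product), here is Python that does the two things a practitioner needs: lint the SPF and DMARC records for the weak settings that make detection useless (a `+all` SPF, a `p=none` DMARC with no `rua` address), and parse a DMARC aggregate report in the RFC 7489 XML format to find source IPs that are not ours and are failing in volume. The report, IP addresses, domain and thresholds are constructed for the example; the receivers' reports you actually get are gzipped XML attachments with exactly this structure.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def spf_findings(txt: str) -> list:
    """Weak SPF settings: '+all' or '?all' let any server on the Internet pass."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_term in ("+all", "all", "?all"):
        return [f"'{all_term}' authorises every server on the Internet"]
    return []


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(txt: str) -> list:
    """Weak DMARC settings a sender should fix before relying on it for detection."""
    tags = parse_dmarc_record(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: receivers report but still deliver spoofed mail normally")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility at all")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    return findings


# Weak record beside the corrected one (assumed addresses).
WEAK_SPF, STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 +all", "v=spf1 ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@noticias.com; ruf=mailto:dmarc-ruf@noticias.com"

# Constructed aggregate (rua) report in the RFC 7489 XML format; not a real report.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1712880000</begin><end>1712966400</end></date_range>
  </report_metadata>
  <policy_published><domain>noticias.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>180</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>noticias.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>4200</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>noticias.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_rua(xml_text: str) -> dict:
    """Per source IP: messages that passed DMARC (aligned SPF or DKIM) and that failed.
    The dkim/spf values under policy_evaluated are already the aligned results."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        summary[row.findtext("source_ip")]["pass" if passed else "fail"] += int(row.findtext("count"))
    return dict(summary)


def spoofing_alerts(summary: dict, authorized_ips: set, threshold: int) -> list:
    """IPs we do not send from whose failing volume exceeds what our own traffic explains."""
    return sorted(ip for ip, c in summary.items()
                  if ip not in authorized_ips and c["fail"] > threshold)


if __name__ == "__main__":
    print("SPF:", spf_findings(WEAK_SPF), spf_findings(STRONG_SPF))
    print("DMARC:", dmarc_findings(WEAK_DMARC), dmarc_findings(STRONG_DMARC))
    summary = summarize_rua(SAMPLE_RUA)
    print(summary)
    print("alert on:", spoofing_alerts(summary, {"203.0.113.10"}, threshold=500))
```

The threshold should come from your own baseline (your normal daily volume and your historical failure rate from forwarding and mailing lists), and the authorised set should be the same IP ranges your SPF record lists; the example hard-codes both only because it has to run stand-alone.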
If you want to know more about DMARC, we recommend you read our Complete guide to DMARC implementation.
Bounced emails
Although somewhat more rudimentary, watching bounces is another technique we can use to detect these cases. When cybercriminals use large contact databases to send emails with our domain, they will often hit many mailboxes that no longer exist, generating lots of “mail delivery failure” messages, which are returned to the sender address the attacker forged, that is, to our mailboxes.
If we keep an eye on these system messages, we can detect sendings that we never made.
Has your brand been the victim of an email spoofing scam?
If our brand is in the position of having been used in a cyber attack, we can take different legal actions to deactivate the domains that use our brand or the content they display.
Contact our legal team, we will analyze your case and advise you on the mechanisms to stop any illegal activity in progress. Likewise, we will study what solutions are appropriate to avoid future attacks with your brand.