When you get an email from a big name brand or a trusted vendor, how often do you question the authenticity of it? Thanks to threats like email spoofing, you can’t afford to be as trusting of others as you might like. When all it takes is clicking the wrong link or opening the wrong attachment to set something terrible in motion, you need to be very cautious.
A Swedish cybersecurity firm, Detectify, has found that major online domains can be used to spoof email addresses. Email spoofing is when an attacker makes a message look like it is coming from a certain organization when in reality it is not: the attacker has simply made the sending address appear to belong to someone of repute, inside or outside your organization. The reason: misconfigured server settings. Since email servers do not authenticate sender addresses on their own, this is something that needs to be set up by your email provider or IT administrator.
There are numerous ways to make sure your email server is configured properly, but you should only do so if you’re a skilled technician. You don’t want to accidentally make a mistake and change settings that could put your business at risk. To understand how these email spoofing attacks work, let’s start by looking at the details.
Sender Policy Framework (SPF)
SPF is a record published in your domain's DNS that is checked when a message arrives. It determines whether the server that sent the message is allowed to send email for the domain. SPF distinguishes three results for a message from a server that is not on the list:
- Softfail: The message is accepted and marked as spam.
- Hardfail: The message is rejected entirely.
- Neutral: The message is let through without incident.
DomainKeys Identified Mail (DKIM)
With DKIM, the header and body of the email are hashed separately and signed with the sending domain's private key, and that signature is sent along with the message. When the receiving party processes the message, it performs a DNS request for the domain's published key and uses it to verify the signature, which confirms where the email came from. If the signature checks out, the message is received.
Domain-based Message Authentication Reporting and Conformance (DMARC)
DMARC uses both SPF and DKIM to authenticate an email. DMARC lets the domain owner choose one of three policy actions for messages that fail:
- Reject: The user never sees the message because it was fully rejected by the mail server.
- Quarantine: The message is stored for review at a later date.
- None: The message is allowed through with no difficulty.
In short, DMARC aims to identify forged messages while also giving administrators a way to review flagged messages and make sure legitimate mail is not being marked as spam by mistake.
Even if you don't know the exact details of how email spoofing works, here is a statistic that speaks for itself: out of the top 500 sites on the Internet, 276 of them can be spoofed. According to Detectify, this includes servers that do not have SPF or DMARC set up properly. Also included are servers that have no SPF at all, those that use SPF with softfail only, and those whose DMARC policy is only "none."
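The weak configurations named above (no SPF, SPF that only softfails, DMARC with action "none") can be checked mechanically. The following is an added example, not part of the original article or Detectify's tool; it reads constructed DNS TXT records for hypothetical domains (no network lookups) and reports whether a domain is left spoofable by those criteria.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data).
# weak.example mirrors the weak setup from the text; strict.example is the hardened form.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strict.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "nospf.example": [],  # publishes neither SPF nor DMARC
}

def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF 'all' mechanism: '-' hardfail, '~' softfail,
    '?' neutral, '+' pass; None when the domain publishes no SPF record at all."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec, re.IGNORECASE)
            if m:
                return m.group(1) or "+"  # a bare 'all' means '+all'
            return "?"  # no 'all' mechanism: unlisted senders evaluate to neutral
    return None

def dmarc_policy(txt_records):
    """Return the DMARC p= action ('none', 'quarantine', 'reject') or None if absent."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp\s*=\s*(none|quarantine|reject)\b", rec, re.IGNORECASE)
            return m.group(1).lower() if m else None
    return None

def spoofability(domain, lookup=SAMPLE_TXT.get):
    """Classify a domain by the text's criteria: it is considered protected only if
    DMARC enforces quarantine/reject or SPF hardfails unlisted senders."""
    spf = spf_all_qualifier(lookup(domain, []))
    dmarc = dmarc_policy(lookup("_dmarc." + domain, []))
    enforcing = dmarc in ("quarantine", "reject") or spf == "-"
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf != "-":
        findings.append("SPF does not hardfail (%sall)" % spf)
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc == "none":
        findings.append("DMARC policy p=none takes no action")
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "spoofable": not enforcing, "findings": findings}

if __name__ == "__main__":
    for d in ("weak.example", "strict.example", "nospf.example"):
        print(spoofability(d))
```

To run this against a real domain you would replace the `lookup` argument with a function that fetches TXT records over DNS.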
In other words, these email servers would be doing literally nothing to keep threatening messages from arriving in your employees' inboxes. It is therefore your responsibility to proactively manage what gets received and processed by your own email server. Additionally, you will want to make sure your email server is configured so that your own email domain cannot be spoofed.
The most direct way to keep your employees from falling for email spoofing is to prevent them from receiving spam messages in the first place. Reduce their exposure to threats and you’ll be in a much better position. Make sure that you teach them about phishing scams and other security threats so as to minimize the chances that they will act foolishly in the face of one.
To make sure that your business keeps security top-of-mind, look no further than Sagacent. You can contact us at (408) 248-9800.