Email impersonation scams: What are the types and how to protect your business against them?
For the longest time, employees have been the constant target of bad actors simply because they hold the level of access that can be abused to penetrate an organisation's defences. This takes the form of password theft, phishing and, most commonly, email impersonation scams.
Email impersonation, defined.
Email impersonation is a type of phishing in which a fake email address that looks like a real one is used. Attackers use slightly different email addresses and sender names to make users think the message is real. They may pretend to be the target company’s employees, vendors, or business partners to get the user to give them sensitive information like intellectual property or payroll data, transfer money, or enter their login information into a fake website to steal it (credential harvesting).
When there is a breach of personal data due to a successful email impersonation scheme, consequences include:
- A hefty financial penalty from the PDPC, which could range up to S$1,000,000.
- Besmirched reputation
- Loss of trust from clients and customers, both current and prospective.
This is why organisations must not be negligent in setting up security arrangements and cybersecurity policies: a successful breach can cost them dearly, and at the extreme a data breach can end an organisation.
Types of email impersonation
1. Root Domain-Based Impersonation
Most businesses have a unique root domain that shows up on all of their emails. Some examples are firstname.lastname@example.org or email@example.com. Microsoft and Capital One are the root domains in these examples. In the case of root domain-based impersonation, cybercriminals use replacement characters to make root domains that look like these real ones. A reader can see a small change if they look closely, like a letter that has been changed to a number.
2. Top-Level Domain-Based Impersonation
The top-level domain is the part of a website or email address that tells you where it’s from or what kind of business it is. Here are a few common top-level domains:
- .au: Australian company
- .com: Business
- .de: German company
- .edu: Educational institution
- .gov: U.S. government agency
- .org: Nonprofit organization
- .uk: UK-based company
Some fake email addresses look like real ones, but the top-level domains are not the same. For example, the email address could end with the domain of a different country or type of institution. Many people won’t notice that the address is wrong because it looks close.
3. Subdomain-Based Impersonation
Most email addresses don’t have a subdomain, so this kind of impersonation happens less often. A cybercriminal can use the subdomain in two main ways to make a fake email address. One way is to change both the domain and subdomain.
For example, instead of writing firstname.lastname@example.org, a cybercriminal might make an address like email@example.com, which may look real but isn’t the real company email or subdomain. “microsoft” is the subdomain in this case, and “mailerinfo” is the domain. The company name can also be split between a subdomain and a domain, as in firstname.lastname@example.org.
4. Display name impersonation
The display name is how an email client shows the name of the sender. When a person sets up an email account, they can choose how they want their display name to look. The name on the account may not always match the username. For example, the username might be email@example.com, but the display name might be “Microsoft Customer Services,” if that’s what the cybercriminal chose when they set up their account.
Some popular email clients show only the display name to the recipient; unless the recipient deliberately checks, they never see the real email address. This makes it convenient to see who is writing, but it also makes it easy for attackers to borrow a trusted display name as their own.
5. Username impersonation
Username impersonation is one of the least complicated ways to pretend to be someone else, but it can still fool people who don’t know what’s going on. In this case, the cybercriminal makes an email account that looks like it belongs to someone else. They might make these addresses on Yahoo or another free email service. For example, if an executive at a company has an email address like Jennifer.Thompson@AceManufacturing.com, a bad actor could make one like Jennifer.ThompsonAce@yahoo.com.
The pandemic forced businesses to go digital: employees had to work from home and deliver their work online. Whatever the reported gains in employee comfort, it has been a nightmare for business owners, as email impersonation scams rose to take advantage of this setup.
Rising cases of business email impersonation scams as scammers take advantage of more working from home
Singapore – Scammers have been pretending to be business partners or supervisors in order to get employees to reply to emails that look like they are from work so they can steal their money.
Most of the time, these email addresses are simple misspellings of real business email addresses, like leaving out a letter or replacing numbers with letters that look similar.
Police said that more than $9.2 million was lost in these kinds of scams in the first three months of this year. This is a 30% rise in the number of reported cases but a 28% drop in the amount of money stolen compared with the same period in 2019.
During this time, the scams are pertinent because many companies have employees who work from home and may need them to process payments remotely. The police said that scammers probably take advantage of this situation to try to trick more people since the way people work can make it harder to keep an eye on them.
Police said that people who fell for scams lost a total of $41.3 million in the first quarter of 2020. E-commerce and loan scams were among the most common types of scams. In other cases, the scammers pretended to be the victims’ bosses and asked them to buy iTunes or Google Play cards and send them the redemption codes after paying for the cards.
Protection against email impersonation attacks
Since email is still the main way businesses communicate with each other, it is important to protect against impersonation attacks and reduce the security risks of email. Organizations that want to make sure they have full protection should focus on training their employees to be aware and on machine-intelligent security solutions that stop impersonation emails from getting to employees’ inboxes.
Training for employee awareness
Email attacks can be stopped only if employees know how to recognise them, and they are getting harder to spot as they grow more sophisticated. Security awareness training addresses this problem.
This training should be thorough and made to fit the needs of each organisation. It can help employees spot the obvious signs of email impersonation:
- Using a subdomain to look like a company’s main domain
- Using a fake display name
- Using a fake username
- Changing characters in the root domain
Employees should also learn to look for signs of social engineering in addition to these signs of email impersonation. One common sign is an “urgent” email asking for action right away.
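The same signs can be checked mechanically before a message reaches an inbox. The checker below is an added example (not code from this article or from Privacy Ninja) that classifies a raw From: header into the five impersonation types described earlier; the organisation domain, staff name and free-mail list are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed example organisation and staff roster; not a real company.
ORG_DOMAIN = "acemanufacturing.com"
ORG_ROOT, ORG_TLD = ORG_DOMAIN.rsplit(".", 1)
KNOWN_NAMES = {"jennifer thompson", "ace manufacturing"}   # names a spoofer would borrow
FREE_MAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}

# Digits and symbols commonly swapped for the letters they resemble; i and l share one class.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def normalise(text):
    """Lower-case, fold confusable characters and drop separators, so that
    'Acemanufactur1ng' and 'ace.manufacturing' both reduce to the same key."""
    folded = text.lower().translate(CONFUSABLES)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return "".join(ch for ch in folded if ch.isalnum())


def classify_sender(from_header):
    """Map a raw From: header to one of the impersonation types in the article."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    labels = domain.split(".")
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "legitimate"            # the real domain or one of its own subdomains
    if len(labels) < 2:
        return "external"
    root, tld = labels[-2], labels[-1]
    org_root_n = normalise(ORG_ROOT)
    # Subdomain-based: the company name is assembled from labels left of the registrable domain.
    if len(labels) > 2 and org_root_n in normalise("".join(labels[:-1])):
        return "subdomain-impersonation"
    if normalise(root) == org_root_n:
        # Right name with the wrong suffix (.co, .org, .de) or the right suffix with a swapped character.
        return "tld-impersonation" if tld != ORG_TLD else "root-domain-impersonation"
    names_n = {normalise(n) for n in KNOWN_NAMES}
    # Username-based: a free-mail account whose local part borrows a staff or company name.
    if domain in FREE_MAIL and any(n in normalise(local) for n in names_n):
        return "username-impersonation"
    # Display-name-based: a trusted name shown over an unrelated address.
    if display and normalise(display) in names_n:
        return "display-name-impersonation"
    return "external"
```

Each label corresponds to one of the signs employees are trained to spot, so the classifier's output can feed a quarantine rule or a warning banner on the message.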
Employing machine-intelligent email security solutions
Using email security solutions with machine intelligence should be a part of any complete security plan. Employees can only be aware of so much. Traditional secure email gateways are a good start, but they are not enough to protect businesses from targeted and sophisticated attacks. Organizations have the best chance of finding and stopping email impersonation attacks when they use machine-intelligent email security tools. These solutions can tell when someone is impersonating you in an email because they understand the local context, communication relationships, and behavior in an organisation.
A DPO can help
An outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organisations comply with the Personal Data Protection Act (PDPA). Every organisation's DPO should be positioned to curb data breaches, as the DPO is the officer responsible for maintaining the organisation's cybersecurity posture.
DPOs complement an organisation's efforts to keep its email environment safe from any threat actor who wants to infiltrate its servers and systems. The DPO also ensures that policies are in place and that employees are well aware of the danger that email impersonation brings.
How Privacy Ninja can help
Email spoofing could threaten the growth of your business. Good cyber hygiene practices should always be followed to keep bad actors out of your systems, but there is also a way to find out whether your organisation's email domain is vulnerable to phishing: an email spoofing vulnerability test.
Privacy Ninja offers a free non-obligatory email spoofing vulnerability test that you can request anytime. All you have to do is email us at (firstname.lastname@example.org) and determine if your email can be prone to phishing attacks.
What are you waiting for? Contact Privacy Ninja now!