Email spoofing is rampant nowadays as it is the most convenient way of gaining access to an Organization’s system without making any noise or attention. There are many cases reported regarding businesses falling victim to this tactic, but there are ways to prevent it from happening at your expense. But first, let us define what Email spoofing is all about.
Email spoofing, defined.
According to Proofpoint, email spoofing is a method used in phishing attacks and spams to deceive users into thinking that a message was sent from a legitimate source that they can trust.
In spoofing attacks, the bad actors forge legitimate business headers and make it appear that such a phishing email seems genuine, whereas, in truth and fact, it is fraudulent. Typically, these are taken at their face value; that’s why many unsuspecting victims fell victim to it. Unless such users inspect the header closely, that is the only time that the user can identify that such header is a fraudulent one.
Spoofing scams thrive because when users recognize the name that has been imitated, they are most likely to trust it outright without inspecting it first. With this, upon instructing to click the attached file, it is highly likely to be followed as instructed. With this, everyone is reminded to be vigilant with emails received before opening them, especially the attached files or links.
Email spoofing statistics
On May 20, 2020, the Singapore Police Force reminded the public and organizations to be vigilant with email spoofing activities imitating legitimate businesses. As reported in the first quarter of 2020 alone, there has been over 100 reports of such scam with a total loss of S$9,200,000. Compared to the same period in 2019, cases have increased by 30%, with S$12,800,000 as damages.
In these cases, the victims had reported a recurring theme in email spoofing, which is impersonating a legitimate organization, or in this case, as the victim’s legitimate business partners. The bad actors, impersonating the business partners of the victims, requested for funds to be transferred to a new bank account.
In other cases, the bad actors request the employees to purchase iTunes or Google Play cards and send them their redemption codes after paying for the stored value cards.
Also Read: What You Need to Know About Singapore’s Data Sharing Arrangements
Email spoofing preventive measures and good cyber hygiene practices
In light of the increasing number of cases of email scams, the Singapore Police Force suggests adopting the following preventive measures to follow:
a) Educate your staff to be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling the email sender. Always use phone numbers in your record instead of unknown numbers provided in the fraudulent email.
b) If these employees are working from home during the Circuit Breaker period, consider putting additional layers of checks before payments and fund transfers are made. Create awareness in your employees on this scam, especially those responsible for approving payments and making fund transfers such as making purchases or managing HR payroll.
c) Prevent your company’s generic email account from being hacked by using strong passwords, changing them regularly, and enabling Two-Factor Authentication (2FA) where possible.
d) Consider installing email authentication tools such as Domain-based Message Authentication, Reporting, and Conformance, DMARC, which can help detect fraudulent emails.
e) Install anti-virus, anti-spyware/malware, and firewall on your computer, and keep them updated. You may consider installing free Domain Name System (DNS) protection services such as Quad9 (quad9.net) to protect against such attacks. Lastly, update your Operating System (OS) when new patches are made available.
Privacy Ninja can help you.
Email spoofing activities could be a potential threat to the growth of your business. While it is true that there are good cyber hygiene practices that you should always follow to prevent bad actors from having access to your system, there is a way for you to identify if your organization’s email domain could be vulnerable to any phishing attack. This can be done through an email spoofing vulnerability test.
Privacy Ninja offers a free non-obligatory email spoofing vulnerability test that you can request anytime. All you have to do is email us at ([email protected]) and determine if your email can be prone to phishing attacks.
Also Read: Data Protection Officer Singapore | 10 FAQs
0 Comments