Even if you’ve never seen (or heard of) the 1979 horror classic, When a Stranger Calls, you have likely heard its iconic line, “the call is coming from inside the house”. The line evokes instant fear, and that same fear is exploited by a classic email scam.

Fake emails have been around for at least three decades. Even today, it is easy to spoof someone’s email address to send spam or phishing emails. The trouble stems from how trusting the whole Simple Mail Transfer Protocol (SMTP) is. You can set the sender address in your email client to whatever you like, and the message will tell every recipient that it came from that address. You can also tell the recipient to send replies to an entirely different address, and the recipient’s mail client will trust that, too.

Here are just a couple of the ways that this simple email spoofing can be used for fraud:

CEO Fraud

CEO fraud preys on an employee’s desire to feel important. It typically appears as an email from the CEO of your company. Often it is an innocent request at first, such as “Are you still at the office?”, sent to see whether you’ll respond. The response always goes to the hacker’s email address, which may or may not resemble the sender’s address. Often, no one notices that the reply is going to a different address than the one the message came from. Technically, this is accomplished by spoofing the “Mail from:” address and hiding the “Reply to:” address. If the Reply to: address looks similar to the Mail from: address, the fraud is less likely to be detected.

If you reply to the original innocent request, the hacker will then usually ask for a monetary favour with some sense of urgency to prompt a quick response. It could be as complicated and expensive as a wire transfer request, or as low budget as some iTunes gift cards. It can be embarrassing for the recipient and very costly for the company.

For more information on CEO Fraud, check out: https://www.knowbe4.com/ceo-fraud

Bitcoin Extortion Fraud

The bitcoin extortion fraud preys on its victim’s fear of being publicly exposed. This simple email scam involves sending a note to a recipient using the recipient’s own address as the sender. The body of the email then claims that you’ve been hacked and that the hacker has complete access to your computer and all your contacts.

It continues that he has been recording you watching adult content on your PC. The only way to prevent the hacker from sending this recording to all of your contacts is for you to pay a certain amount of bitcoin to the hacker’s private wallet.

A variation of this scam is that the hacker includes one of your passwords as “proof” that they’ve compromised your account. This password is invariably a real one that you recognize, and it is particularly dangerous if you happen to use the same password on many sites. The password almost always comes from a breach of a popular web service, such as LinkedIn or Yahoo, and there have been dozens more breaches over the last few years alone.
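The two header tricks described above (a hidden Reply-To that differs from the visible sender, and a message that claims to come from the recipient’s own address) can be checked mechanically before a person ever reads the mail. The following is an added example, not code from the original post; the addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def _addr(value):
    """Bare, lower-cased address from a header value ('' if the header is absent)."""
    return parseaddr(value or "")[1].lower()

def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def spoof_indicators(raw_message, my_address):
    """Return indicator names found in a raw message; an empty list is not proof of legitimacy."""
    msg = message_from_string(raw_message)
    sender = _addr(msg.get("From"))
    reply_to = _addr(msg.get("Reply-To"))
    findings = []
    # CEO-fraud pattern: replies are silently routed somewhere other than the visible sender.
    if reply_to and reply_to != sender:
        if _domain(reply_to) != _domain(sender):
            findings.append("reply-to-domain-mismatch")
        else:
            findings.append("reply-to-user-mismatch")
    # Extortion pattern: the mail claims to come from the recipient's own address.
    if sender and sender == my_address.lower():
        findings.append("from-is-own-address")
    return findings

# Constructed sample messages imitating the two scams described in the post.
CEO_FRAUD = """From: Pat Chief <pat.chief@example.com>
Reply-To: Pat Chief <pat.chief@examp1e-mail.net>
To: staff@example.com
Subject: Are you still at the office?

Quick question, are you at your desk?
"""

EXTORTION = """From: staff@example.com
To: staff@example.com
Subject: Your account has been hacked

Pay in bitcoin or the recording goes to all your contacts.
"""

if __name__ == "__main__":
    print(spoof_indicators(CEO_FRAUD, "staff@example.com"))  # ['reply-to-domain-mismatch']
    print(spoof_indicators(EXTORTION, "staff@example.com"))  # ['from-is-own-address']
```

A check like this only surfaces the patterns the post describes; a message that passes it still deserves the closer look the author recommends.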

Protect Yourself

How can you protect yourself and your company from these attacks? The simple answer is training. While there are technical solutions that attempt to spot and block these types of emails, the reality is that the tactics change all the time and rely on unsuspecting users falling victim. Proper training can harden you and your users against these attacks and help you spot future creative social engineering exploits. If something looks suspicious, it definitely warrants a closer inspection and a pause for thought.

Please call me if you’d like further information or would like to discuss training. It is much less expensive than you think.

Dan Frederick

Dan Frederick, BSc Eng, MBA, is the president of Claritech Solutions. He's passionate about Data Protection and IT Security.
