Security D-I-Y: Protect Your Organization from E-Mail Spoofing

Editor's Note: This article is the second in a two-part series about e-mail security. Read Part One

In May, the NBA's Milwaukee Bucks fell victim to an e-mail spoofing attack that compromised the personal financial information of the organization's employees. In the attack, a hacker sent a fake e-mail message that appeared to be from Bucks president Peter Feigin asking for copies of the W-2 statements sent to employees for the 2015 tax year.

A misguided Bucks employee responded to the fake message, causing a significant compromise of sensitive information. This attack underscores the importance of building strong defenses against e-mail spoofing that limit an organization's vulnerability to this classic, yet still effective threat.

E-mail is an inherently insecure mechanism designed decades ago without much attention to security. Fortunately, there are mechanisms available to IT professionals that help strengthen the control around e-mail and reduce the likelihood that employees will receive and respond to illegitimate messages.

These include a variety of administrative and technical mechanisms that seek to improve employee awareness of security issues and prevent unsafe messages from reaching the organization in the first place. IT teams should also take steps that prevent third parties from receiving fake messages that appear to be from their own organizations. Let's take a look at the common measures that every IT team should put in place to protect their organizations.

Awareness and Education are Critical!

Security awareness education is, by far, the single most effective way to combat e-mail spoofing and other social engineering threats. Any savvy organization should take the time to educate its employees about the risk posed by fake e-mails and train them to recognize the signs that an e-mail is illegitimate.

Does the request that they received seem legitimate? Did the request come from someone they routinely work with, or is it out of the blue? If an employee who has never met the CEO suddenly receives a message demanding action from the corner office, that's a very suspicious request.

If there's any doubt about the legitimacy of a message, take a minute to verify its authenticity using a means other than e-mail. Train employees to pick up the telephone, or pop their heads into the sender's office just to confirm that suspicious requests are legitimate.

In addition to viewing strange e-mails with suspicion, users should also watch where they click. Including malicious links in e-mail messages is one of the oldest tricks in the books and it's still widely used today. Why? Because it's effective!

If a hacker can trick an employee into visiting a website, that site can then be used to harvest passwords, distribute malware or perform any number of other malicious actions. The senders of spoofed e-mail messages now use very sophisticated techniques to replicate the look and feel of legitimate messages and fool users into revealing sensitive information.

Organizations can train users to watch the URLs of sites they're asked to visit. Simple rules go a long way here. For example, security awareness efforts might tell employees "Only click on links that end in ourcompany.com." Users should then verify that the URL in their browser address bar matches the URL of the site and that there aren't tricky typos that leave out or substitute letters, such as "ourconpany.com."

The techniques that users learn in the workplace can also protect them at home. Identity thieves are likely to target personal e-mail accounts when they search for victims, recognizing that individual users often lack the technology controls that larger organizations put in place to protect themselves against spoofing attacks.

Content Filtering Helps

While user education can be very effective, it should be the last line of defense against e-mail-borne attacks. Organizations should also put a variety of content filtering mechanisms in place that prevent illegitimate messages from reaching user inboxes and block users from accidentally clicking on malicious links.

Spam filtering technology is now extremely mature and works in a manner that is transparent to most end users. Anti-spam technology detects suspicious messages based upon content, origin and other characteristics and then automatically diverts those messages to a quarantine or strips them of malicious content.

Organizations that operate their own e-mail servers should ensure that they're running modern, updated anti-spam software. Organizations that outsource e-mail to providers including Google and Microsoft benefit from the built-in protections provided by those systems.

Preventing the delivery of spoofed e-mail is only half of the content filtering equation. E-mail attackers are constantly seeking new ways to evade filters and every enterprise should assume that some unwanted messages will land in user mailboxes.

Organizations may choose to deploy secure web gateways that filter user web requests, blocking user attempts to visit sites known to participate in malicious attacks. That's just one more control that keeps users safe from unwanted and unsafe e-mail messages.

Protect Your E-mail Domain

In addition to protecting internal staff from falling victim to e-mail spoofing, organizations should also take steps to prevent others from sending spoofed e-mail to customers and business partners using the organization's domain. The Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) provide the ability to lock down e-mail domains, restricting their use to authorized senders.

The Sender Policy Framework allows domain administrators to designate the authorized sources for e-mail sent from that domain. Administrators simply add DNS records listing the authorized servers and then third party mail servers that support SPF will verify that all inbound messages from the domain come from an authorized sender.

DomainKeys Identified Mail goes a step further and verifies that the content of e-mail messages is authentic and was not tampered with during transit. Domain administrators create a public/private encryption keypair and store the public key in a DNS record. They then configure their mail servers to digitally sign each outbound message using the private key. Recipients may then verify the integrity of the message by using the sender's DKIM public key to validate the digital signature.

Don't get snared

E-mail spoofing is a real threat to enterprise cybersecurity, as illustrated by the successful attack against the Milwaukee Bucks. IT organizations seeking to address this risk should adopt a robust defensive strategy that combines awareness efforts with content filtering and e-mail domain protection.