The Best Defense Against Email Spoofing & CEO Fraud

Written by Eyal Benishti | Feb 06, 2017

Hackers and cyber criminals have responded to the adoption of employee phishing awareness training by making their attacks more sophisticated and more deceptive.

In recent years, spear-phishing, a targeted fraudulent email crafted to look as if it comes from a friend, family member or colleague, has exploded, resulting in worldwide financial losses of more than $2.3 billion according to the FBI.

In addition to spear-phishing threats, email spoofing has been a major catalyst for the rise of CEO fraud and business email compromise (BEC) attacks. According to TechTarget’s SearchSecurity.com, email spoofing is defined as:

“forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.”

In the United States, a Georgia man was recently arrested for spoofing the email of a Kansas CEO and stealing $566,000 before being caught. Recent email spoofing campaigns aimed at Amazon and PayPal customers have also had considerable success. Just six months ago a CEO fraud campaign cost one company $40 million.

The Common Cure for Email Spoofing

Unfortunately, email spoofing is easy to carry out. According to an article in the Huffington Post, “all a person needs to spoof an email address is a Simple Mail Transfer Protocol (SMTP) server and the appropriate email software.”

To reduce the risk of falling victim to email spoofing, the CERT division at the Software Engineering Institute has issued prevention guidelines. Their recommendations include:

  • Use cryptographic signatures to authenticate mail
  • Configure mail delivery so that clients cannot connect directly to the SMTP port and inject messages
  • Configure firewalls so that there is a single point of entry for email
  • Educate users

Other advice, such as the recommendations provided by Symantec, suggests that companies should

  • Create a Sender Policy Framework (SPF) record listing the IP addresses allowed to send mail for your domain, and have your receiving mail servers check inbound mail against the sender's SPF record
  • Enable DKIM: publish your DKIM public key (and policy) in DNS and sign outgoing messages with the corresponding private key.

These measures, and others like them, stop some email spoofing attacks, but they are partial solutions at best. SPF only authenticates the envelope sender (the SMTP MAIL FROM address), and DKIM only proves that the signing domain handled the message; unless the receiver also checks that the authenticated domain matches the From header the user actually sees, a message can pass both and still display a forged sender. None of them helps when the attacker registers a lookalike domain or simply puts the CEO's name on an address the organization has never seen before.
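To make that gap concrete, here is an added example (not code from the original post or from any product it mentions) of the check a receiving side needs on top of SPF and DKIM. It reads the Authentication-Results header a mail server adds, extracts which domain each passing mechanism actually vouched for, and tests whether that domain aligns with the domain in the From header. The two messages, the domain names and the MTA name are constructed for the example.

```python
"""Do the SPF/DKIM results actually vouch for the From address the user sees?

Added example for this post (not code from the original article or from any
product it mentions). A receiving MTA records its SPF and DKIM verdicts in an
Authentication-Results header. SPF covers only the envelope sender
(MAIL FROM) and DKIM only the d= domain in the signature, so a pass is useful
to the recipient only if that domain aligns with the header From domain.
Checking that alignment is what DMARC adds on top of SPF/DKIM. The messages
below are constructed samples; all domains and hosts are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Relaxed alignment: compare the last two labels. Real DMARC uses the
    public suffix list; two labels are enough for this demonstration."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Parse 'authserv-id; method=result prop=value ...; ...' into
    {method: (result, {prop: value})}. Folded headers are unfolded first."""
    clauses = [c.strip() for c in " ".join(header.split()).split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (the MTA)
        m = re.match(r"(\w+)=(\w+)(.*)", clause)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results


def vouched_domains(results: dict) -> set:
    """Domains that the passing mechanisms actually authenticated."""
    domains = set()
    result, props = results.get("spf", ("none", {}))
    if result == "pass" and "smtp.mailfrom" in props:
        domains.add(props["smtp.mailfrom"].rpartition("@")[2].lower())
    result, props = results.get("dkim", ("none", {}))
    if result == "pass" and "header.d" in props:
        domains.add(props["header.d"].lower())
    return domains


def check_from_alignment(raw_message: str) -> dict:
    """Return the header From domain, the domains SPF/DKIM vouched for, and
    whether any of them aligns with the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    vouched = vouched_domains(parse_auth_results(msg.get("Authentication-Results", "")))
    aligned = bool(from_domain) and any(
        org_domain(d) == org_domain(from_domain) for d in vouched
    )
    return {"from_domain": from_domain, "vouched_for": sorted(vouched), "aligned": aligned}


# Constructed sample 1: CEO fraud. The attacker's own domain passes SPF
# (it is their mail server), but the From header shows the CEO's domain.
SPOOFED = """Return-Path: <bounce@attacker.example>
Authentication-Results: mx.ceo-corp.example;
 spf=pass smtp.mailfrom=bounce@attacker.example;
 dkim=none
From: "Jane Doe, CEO" <jane.doe@ceo-corp.example>
To: alice@ceo-corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample 2: genuine mail from the CEO's domain, SPF and DKIM aligned.
LEGITIMATE = """Return-Path: <jane.doe@ceo-corp.example>
Authentication-Results: mx.ceo-corp.example;
 spf=pass smtp.mailfrom=jane.doe@ceo-corp.example;
 dkim=pass header.d=ceo-corp.example header.s=sel1
From: "Jane Doe" <jane.doe@ceo-corp.example>
To: alice@ceo-corp.example
Subject: Board pack

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, check_from_alignment(raw))
```

Run as a script, the spoofed sample reports an SPF pass that vouches only for attacker.example and therefore does not align with the visible ceo-corp.example sender, while the genuine sample aligns on both mechanisms. The org_domain helper compares only the last two DNS labels; a production check would use the public suffix list, as DMARC specifies.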

Machines on the Rise

With any type of phishing event, time is of the essence: the time from identification to enterprise-wide remediation must be seconds to minutes, not hours to days.

With machine learning (ML), detection of anomalies and irregular communication patterns improves continuously from what the models have already seen, which reduces false positives and strengthens proactive defenses. Using a “bottom-up approach,” the model learns every employee mailbox individually, collecting statistics about each sender: not just the volume of mail passing through, but who the actual correspondent is and how the recipient interacts with that sender's attachments and links. This is more granular than gateway or ISP solutions that rely on volume alone. With this local reputation analysis, users can better spot spear-phishing and email spoofing attempts, and their feedback in turn lets the model improve in real time.
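As an added illustration of the per-mailbox, “bottom-up” idea (example code written for this post, not the article's code or any product's), the following keeps a small profile for one mailbox and scores incoming From and Reply-To headers against it. The mailbox, its history and the incoming messages are constructed, and the checks it runs (first-time sender, a display name previously tied to a different address, a sender domain one edit away from a known domain, and a Reply-To pointing at another domain) are a deliberate simplification of what a learned sender baseline would look at.

```python
"""Per-mailbox sender baseline: the "bottom-up" local reputation idea.

Added example for this post, not code from the article or from any product it
describes. Instead of one global, volume-based reputation, each mailbox keeps
its own record of who writes to it (address, display name, domain). A new
message is then scored against that mailbox's own history, which is what
exposes display-name impersonation, lookalike domains and mismatched
Reply-To headers that a gateway counting message volume would not notice.
The mail history and the incoming messages are constructed samples.
"""
import re
from collections import defaultdict
from email.utils import parseaddr


def normalize_name(name: str) -> str:
    """'Jane Doe', 'Doe, Jane' and 'jane  DOE' all map to 'doe jane'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class MailboxProfile:
    """What one mailbox has learned about its correspondents."""

    def __init__(self):
        self.messages_from = defaultdict(int)        # address -> count seen
        self.addresses_for_name = defaultdict(set)   # normalized name -> addresses
        self.domains = set()                         # sender domains seen

    def learn(self, from_header: str) -> None:
        name, addr = parseaddr(from_header)
        addr = addr.lower()
        self.messages_from[addr] += 1
        if name:
            self.addresses_for_name[normalize_name(name)].add(addr)
        self.domains.add(addr.rpartition("@")[2])

    def assess(self, from_header: str, reply_to: str = "") -> list:
        """Return human-readable findings; an empty list means 'looks familiar'."""
        name, addr = parseaddr(from_header)
        addr = addr.lower()
        domain = addr.rpartition("@")[2]
        findings = []
        if addr not in self.messages_from:
            findings.append(f"first message ever from {addr}")
        known = self.addresses_for_name.get(normalize_name(name), set())
        if known and addr not in known:
            findings.append(f"display name '{name}' was previously used by {sorted(known)}")
        if domain not in self.domains:
            for d in sorted(self.domains):
                if edit_distance(domain, d) == 1:
                    findings.append(f"sender domain {domain} is one edit away from known domain {d}")
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
            findings.append(f"Reply-To {reply_addr} points to a different domain than From")
        return findings


# Constructed history for one mailbox (alice@ceo-corp.example, hypothetical):
# who has written to her before, and how often.
SAMPLE_HISTORY = (
    ['"Jane Doe" <jane.doe@ceo-corp.example>'] * 12
    + ['"Bob Vendor" <bob@vendor.example>'] * 4
)


def build_profile(history) -> MailboxProfile:
    profile = MailboxProfile()
    for from_header in history:
        profile.learn(from_header)
    return profile


if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    # Constructed incoming messages: one genuine, two impersonation attempts.
    incoming = [
        ('"Jane Doe" <jane.doe@ceo-corp.example>', ""),
        ('"Doe, Jane" <jane.doe@ceo-c0rp.example>', ""),   # lookalike domain
        ('"Jane Doe" <jane.doe@ceo-corp.example>',          # forged From, attacker Reply-To
         '"Jane Doe" <jane.doe.ceo@webmail.example>'),
    ]
    for from_header, reply_to in incoming:
        print(from_header, "->", profile.assess(from_header, reply_to) or "no findings")
```

The genuine message produces no findings, the lookalike-domain message produces three, and the forged-From message with an outside Reply-To is caught only by the Reply-To check, which is why that header deserves the same scrutiny as From. Because the profile is per mailbox, a sender who is perfectly normal for one employee can still be flagged as a first-time correspondent for another.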

In addition, ML can make sure that the same set of security questions is asked consistently of every email landing in an employee's mailbox, and present the answers visually for non-technical employees. That consistency matters against CEO fraud and BEC impersonation, since those attacks are crafted to look as though they come from senior people in the organization. Most importantly, whenever ML identifies a malicious email it can act in real time, triggering automated responses and/or notifying the SOC team.

Next week at RSA, we will demo, for the first time, our anti-impersonation & spoofing email security solution. Known as IronSights, the plugin for Microsoft Outlook inspects and analyzes all emails at the mailbox level using deep scans and machine learning. Acting as an employee's virtual security analyst, IronSights automatically validates sender reputation and authenticity, while also assessing behavioral patterns in search of anomalies in communications. All suspicious emails are visually flagged the second the email hits the inbox, and a quick button link inside the Outlook toolbar enables instant notification to SOC teams for further investigation or immediate remediation.

Want to learn more about how machine learning can thwart email spoofing attacks attempting CEO fraud or BEC? Sign up for a demo by clicking here.