by Randall CraigFiled in: Blog, Make It Happen Tipsheet, Risk, TechnologyTagged as: Identity Theft, Risk Management
Think your identity is secure? Think again – it isn’t.
Consider this email that a colleague recently received from “me”:
Hello Monty,
How are u doing? I will like you to handle an International bank transfers for me with some other few transactions today but first, let me know the required information needed to process an international bank transfer.
I will appreciate a quick response from you.
Thanks,
Randall Craig.
Of course this email did not come from me, but how would the recipient know? And more importantly, how might you protect yourself (and the unwitting recipients) when you also have your identity purloined with this type of attack? The answer is surprisingly easy, and surprisingly disturbing: you can’t do a single thing.
The nature of the internet, and email in particular, makes email spoofing surprisingly easy to do. The perpetrator need only programmatically insert your name and From email address into the visible part of the email header (the part that your email system displays)… and that’s it. Welcome to the world of email identity spoofing.
That being said, there are clues that you can use when you receive an email that appears suspicious and you want to see who really sent it. Beyond clues such as bad grammar and spelling mistakes, uncovering this type of fraud requires exposing the (usually hidden) email header, which displays all of the routing information from the sender to you. Each email program is different: in some versions of Outlook, right-clicking an email message gives you a “view source” option. In other versions of Outlook, open the message and click “options” or “tags”. In Gmail, click the three dots in the top right corner of the message and choose “show original”.
The header shows a lot of technical information, but it boils down to a few key fields:
Looking for an unexpected Reply-To email address (as opposed to the Reply-To display name, which can also be spoofed) is the easiest clue to identify.
Delivered-To: monty@108ideaspace.com <--- This is where the email was delivered to
Received: by 10.37.224.140 with SMTP id x134csp1228756ybg;
Mon, 9 Nov 2015 08:29:34 -0800 (PST)
X-Received: by 10.60.135.68 with SMTP id pq4mr13445696oeb.7.1447086574553;
Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Return-Path: <info@thedogpsychiatrist.com>
Received: from sg2plwbeout19-6.prod.sin2.secureserver.net (sg2plwbeout19-6.prod.sin2.secureserver.net. [182.50.144.44])
by mx.google.com with ESMTPS id ij5si6643142obb.76.2015.11.09.08.29.33
for <monty@108ideaspace.com>
(version=TLS1_2 cipher=AES128-SHA bits=128/128);
Received-SPF: neutral (google.com: 182.50.144.44 is neither permitted nor denied by best guess record for domain of info@thedogpsychiatrist.com) client-ip=182.50.144.44; <--- A clue: why would the email not be sent via the same server domain as the "From" domain, eg 108ideaspace.com?
Authentication-Results: mx.google.com;
spf=neutral (google.com: 182.50.144.44 is neither permitted nor denied by best guess record for domain of info@thedogpsychiatrist.com) smtp.mailfrom=info@thedogpsychiatrist.com <--- Because the results are neutral, our server allows the mail to be received.
Received: from localhost ([182.50.144.112])
by sg2plwbeout19-6.prod.sin2.secureserver.net with bizsmtp
id fUVZ1r0012Rj2se01UVZTY; Mon, 09 Nov 2015 09:29:33 -0700
X-SID: fUVZ1r0012Rj2se01
Received: (qmail 6860 invoked by uid 99); 9 Nov 2015 16:29:33 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 197.242.110.12
User-Agent: Workspace Webmail 5.15.9
Message-Id: <20151109092930.13ac8cbe5fa510f7235a9d8e14b19446.582b2e701a.wbe@email19.asia.secureserver.net>
From: "Randall Craig" <randall@108ideaspace.com> <--- This is the spoofed email address
X-Sender: info@thedogpsychiatrist.com <--- The email was sent via this insecure server
Reply-To: "Randall Craig" <ceoboardofdirectors@gmail.com> <--- This is the email address of the perp
To: monty@108ideaspace.com
Cc: monty@108ideaspace.com
Subject: Request
Date: Mon, 09 Nov 2015 09:29:30 -0700
Mime-Version: 1.0
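As an added example (not part of the original post), here is a small Python script that applies the clues above to a raw header block: it flags a Reply-To or Return-Path domain that differs from the From domain, a Received-SPF result other than pass, and a first Received hop whose host does not belong to the From domain. The sample headers are the ones quoted above, trimmed to the fields the checks use; the function names are my own.

```python
"""Flag the spoofing clues described in the post in a raw RFC 5322 header block."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, trimmed to the fields the checks use.
SAMPLE_HEADERS = """\
Return-Path: <info@thedogpsychiatrist.com>
Received: from sg2plwbeout19-6.prod.sin2.secureserver.net ([182.50.144.44])
 by mx.google.com with ESMTPS id ij5si6643142obb.76
 for <monty@108ideaspace.com>; Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Received-SPF: neutral (google.com: 182.50.144.44 is neither permitted nor denied) client-ip=182.50.144.44;
From: "Randall Craig" <randall@108ideaspace.com>
Reply-To: "Randall Craig" <ceoboardofdirectors@gmail.com>
To: monty@108ideaspace.com
Subject: Request

"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To/Return-Path value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_clues(raw_headers):
    """Return a list of human-readable clues; an empty list means none of the checks fired."""
    msg = message_from_string(raw_headers)
    clues = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        clues.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf and spf != "pass":
        clues.append(f"Received-SPF result is '{spf}', not 'pass'")
    # The first Received header is the hop written by our own mail server; 'from <host>' names the sender.
    first_hop = msg.get_all("Received", [""])[0]
    m = re.search(r"from\s+([\w.-]+)", first_hop)
    if m and not m.group(1).lower().endswith(from_dom):
        clues.append(f"Delivered by {m.group(1)}, not a {from_dom} host")
    return clues

if __name__ == "__main__":
    for clue in spoofing_clues(SAMPLE_HEADERS):
        print("clue:", clue)
```

A message that passes all four checks can still be fraudulent (a compromised account sends from the genuine server, as the post notes), so treat an empty list as "no obvious header clue", not as proof of authenticity.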
As I mentioned earlier, another clue that this was a spoofed email was the text itself. Typographical errors, non-standard abbreviations, and strange grammar all make the email suspect. And the request for international banking transfer information is icing on the cake.
The biggest risk in email fraud isn’t clumsy emails of this nature, but when a hacker gets access to your email account, and actually sends their requests directly from the account itself. This week, make sure that your passwords are strong enough that they can’t be easily guessed, and that they contain enough non-alphabetical characters so that brute-force attacks are also less likely to work.
This week’s tech action plan: Ask your IT group to ensure your email servers have SenderID and DKIM configured appropriately, and that only authorized users can use the sending server. While this won’t prevent all types of spoofing, it will absolutely help.
Content Authenticity Statement: 100% original content: no AI was used in creating this content.
@RandallCraig (Follow me for daily insights) www.RandallCraig.com: Professional credentials site.