What is spoofing and how can you protect your business from it?

Phishing campaigns are incredibly detrimental to businesses and have been for a long time. The problem is that there are many different types of phishing attack for organisations and their staff to be aware of. Businesses need to understand as many of the common signs and risks as possible, to avoid becoming the next victims.

Spoofing is one of the more popular forms of attack for cyber criminals. It usually takes the form of a falsified communication, apparently from a trusted source, that demands some ‘urgent action’. This could be anything from sharing account credentials to making a purchase. The harmful side of this is that the cyber criminals operating the scheme often already have access to the account they are purporting to be using. This means a hack has already taken place, exposing not only the recipient of the email to the scam, but the entire business, plus any customers, suppliers or anyone else on the account’s contact list.

With these types of attacks becoming rampant as of late, we at Neuways have enlisted the help of our cyber security experts to find some real, working examples from which we can all learn a lesson or two.

Email spoofing

The first example is the most typical: email spoofing. This usually sees a cyber criminal play the role of a senior authority within a business, then issue communications to staff that demand money be spent or login details be supplied. In a recent example we have seen, it all begins with a simple email from a boss to their employee.

The employee in question received an email sent from their manager’s email account. The email requested that gift cards be purchased from an online shop in order to “treat their staff” – in the run up to the festive period, this is increasingly normal for many businesses.

The employee was asked to use their own credit card for speed/ease of purchase, while the company would reimburse them in the future. The employee purchased the desired amount of gift cards and let their manager know, as well as sending images of the voucher codes on all of the cards over email.

Of course, this was all a ruse. What followed was the fake boss asking for even more gift cards to be purchased – which the employee also did, until they had maxed out their credit card spending limit. It was only at this point that the employee called the boss to confirm the next steps, and they discovered they had both been the victims of a hoax; the original email had said not to ring him as he was in important meetings all day.

At the end of it all, the employee had spent a large amount of money on their own credit account, before sending cyber criminals the codes for them to benefit from. That was not the only issue, though. As the boss had been spoofed, the business had been compromised by cyber criminals, who presumably had gained access to the account at some point. This was now a prominent issue that needed to be cleared up, with an investigation required to discover how it happened and how the business could shore up its cyber defences once again.

Man-in-the-middle (MitM) attack

The MitM attack is typically seen as a result of free, unsecured WiFi, the likes of which can be used at a local coffee shop or airport. These free WiFi zones are regularly used by hundreds, if not thousands, of people daily. However, while they work well for convenience, they are easy for cyber criminals to hack, or to imitate by setting up their own fraudulent WiFi network at the same location.

This is where the ‘man-in-the-middle’ name derives from, as cyber criminals can intercept web traffic between the network and the user. The spoof begins when the criminals alter the traffic to re-route funds from transactions, or steal sensitive personal details, such as financial information or account credentials.

The description of this attack should make it clear to every business that has its staff on the move that such breaches can occur no matter where they are operating from.

How to avoid it?

To avoid becoming a victim of a spoofing email – always question an email from a member of staff asking you to spend your own money, or company money, in a way that is out of the ordinary. If you are unsure, then question the transaction via phone call BEFORE proceeding, and only proceed once you have verbal confirmation. By speaking to someone first, even if the email states not to call the sender, you are ensuring the request is legitimate, and ultimately denying the cyber criminals their goal – to extort you or your business out of a lot of money.

By being vigilant and not being afraid of questioning transactions requested via email, you are doing the right thing. A key moment in the act of spoofing is when employees carry out requests made by cyber criminals without double-checking. Your boss would much rather you bother them with a quick check via a call than the alternative of losing money and opening up your company systems to these cyber criminals.
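The gift-card story above and the advice to phone before paying can also be turned into a mailbox-side check. This is an added example, not Neuways’ code or tooling: it scores a message on the cues the article describes (gift cards, paying with a personal card, urgency, being told not to call) alongside two header checks for a look-alike sender or a diverted Reply-To. The domain, executive name and sample message are constructed assumptions. Note that in the article’s case the real account had been taken over, so the header checks stay clean and only the wording cues fire; the verdict is a hold for verbal verification, not a decision that the message is fake.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the business's own mail domain
EXECUTIVES = {"alex manager"}     # assumption: display names staff are likely to obey

# Wording cues drawn from the gift-card scam the article describes.
CUES = {
    "gift_cards": r"\bgift\s*cards?\b|\bvouchers?\b",
    "own_card": r"\b(your|own|personal)\s+(credit\s+)?card\b",
    "urgency": r"\burgent(ly)?\b|\bright away\b|\basap\b",
    "no_call": r"\b(don'?t|do not)\s+(call|ring|phone)\b|\bin (a )?meetings?\b",
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> dict:
    """Return the triggered indicators and a verdict for one RFC 5322 message.
    Header checks catch a look-alike sender or a diverted Reply-To; when the
    real account was taken over (the article's case) only the wording cues fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")).lower()

    hits = []
    if name.strip().lower() in EXECUTIVES and _domain(addr) != INTERNAL_DOMAIN:
        hits.append("lookalike_sender")      # trusted name, outside domain
    if reply_to and _domain(reply_to) != _domain(addr):
        hits.append("reply_to_mismatch")     # replies silently diverted elsewhere
    hits += [cue for cue, pat in CUES.items() if re.search(pat, text)]

    # Any header finding, or two or more wording cues, is enough to hold the
    # message and ask the named sender by phone before anything is bought.
    header_hit = any(h in ("lookalike_sender", "reply_to_mismatch") for h in hits)
    verdict = "hold_for_verification" if header_hit or len(hits) >= 2 else "deliver"
    return {"hits": hits, "verdict": verdict}

# Constructed sample modelled on the article's story; not a real message.
SAMPLE_COMPROMISED = """From: Alex Manager <alex.manager@example.com>
Subject: Quick favour

Could you pick up some gift cards to treat the staff before the break?
Use your own credit card and we will reimburse you. I'm in meetings all
day so don't call, just email me photos of the codes.
"""
```

Running `triage(SAMPLE_COMPROMISED)` returns the gift-card, own-card and no-call cues with a hold verdict, even though the sender headers are genuine.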

Help your employees and fellow colleagues understand the difference between legitimate and bogus requests by looking into Phishing Awareness Training. The training sends your staff real-life examples of phishing campaigns, so they can be tested on noticing the tell-tale signs of fraudulent communications. It’s all done on the job and can help create a real culture of safe cyber activity among your staff.