Email Spoofing - What Is It & How to Protect Yourself
- Author Steve Neuss
- Published April 29, 2022
- Word count 835
Within days of being hired, a new employee in our accounting department received an email from our CEO asking them to place an order for much-needed equipment. Excited to be part of the team and eager to show responsiveness, our new champion almost fell victim to a growing type of cyberattack.
The email seemed appropriate and looked legitimate – we were just a few clicks away from being hacked and compromised by a spoofed email. This wasn’t the first time we received a suspicious message. In fact, cybersecurity experts say attacks are up 300% in the past year.
What is email spoofing?
Email spoofing is a technique used by hackers to trick you into thinking a message came from a person or organization you know or trust – most commonly your CEO or colleague, though often vendors or brands.
Can you tell the difference between paypal.com and paypaI.com?
Spoofed emails look legitimate, often creating a sense of urgency or a need for action. When they pretend to come from someone in your organization, the apparent sender is commonly a person of authority but could be a peer. When they appear to come from an external source, even the links in them take you to landing pages that look just like the real vendor’s landing page (branding, logos, layout, etc.); put next to the real site, they look nearly identical.
Email spoofing statistics
• Over 3 billion domain spoofing emails are sent each day
• More than 90% of cyberattacks start with an email message
• 43% of cyberattacks target small and medium-sized businesses
• 69% of hackers say they were never detected by a company’s security measures
• It takes over 6 months on average to detect a breach (they’re in your business for a long time)
How to prevent being spoofed
During a recent Cybersecurity Insurance webinar, local experts discussed steps to drastically reduce the risk of being compromised and shared recommended actions to take if you receive a suspicious email. As Steve Szubinski, president of PCA Technology Group, shared, it’s all about layers of protection.
- Enable Multi-Factor Authentication (MFA). Microsoft 365 includes MFA with the service; however, it is turned off by default. If you are not sure it has been enabled for your company, contact your trusted IT provider. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. While MFA won’t prevent you from receiving a disguised malicious email, any compromised accounts will be difficult to use.
- Enable External Email Notification. When this service is enabled with your Microsoft 365 subscription, a notification banner will appear across the top of any email that originated outside your company. In the case of our new employee in the accounting department, it would have been obvious that the email did not come from our CEO.
- Cybersecurity User Awareness Training. 1 out of every 3 people would fall for a spoofing email without regular training. Effective programs require at minimum annual training. PCA offers complimentary sessions each month; check our Events page for dates & times. Tools such as KnowBe4 have proven to reduce the risk to less than 5%.
- Confirm Requests. Our attorney partners recommend that you always confirm requests via phone prior to taking any action requested in an email. Do not follow the instructions in the message; rather, use the phone numbers and web addresses you know for your colleagues, vendors, and customers.
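The two tells described above, the paypaI.com look-alike and the "CEO" email that actually came from outside the company, can be checked mechanically. The following is an added example, not code from the article or from PCA; the domains, the executive name and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; none come from the article.
INTERNAL_DOMAINS = {"example-corp.test"}             # our own mail domain
TRUSTED_DOMAINS = INTERNAL_DOMAINS | {"paypal.com"}  # brands staff deal with
EXEC_NAMES = {"jane doe"}                            # names worth impersonating

# Characters that read alike at a glance, folded to one canonical form.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain):
    """Fold look-alikes so 'paypaI.com' (capital I) matches 'paypal.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def classify(raw_message):
    """Return warning tags for the visible From header of one message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    tags = []
    if domain not in INTERNAL_DOMAINS:
        tags.append("external")  # same idea as an external-sender banner
        if display_name.strip().lower() in EXEC_NAMES:
            tags.append("display-name-impersonation")
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(domain) == skeleton(trusted):
                tags.append(f"lookalike:{trusted}")
    return tags


# Constructed sample messages; only the From header matters here.
SAMPLES = {
    "ceo": 'From: "Jane Doe" <jane.doe@mail-example.test>\nSubject: Urgent order\n\nPlease buy today.',
    "brand": "From: PayPal <service@paypaI.com>\nSubject: Verify account\n\nClick here.",
    "internal": "From: Jane Doe <jane.doe@example-corp.test>\nSubject: Lunch\n\nNoon?",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

This looks only at the visible From header, so a message that forges the exact internal domain would pass it, which is why the other layers in the list still matter.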
If you think an email is suspicious
Contact your IT team or your IT service provider, even if the email is urgent or time sensitive. They will verify if it is legitimate and can even move the email to a “sandbox” where it will not be able to impact your organization. If you fear you already clicked something potentially harmful, turn off your computer and contact IT support.
Cyber insurance providers like Lawley Insurance require organizations to have proper protocols in place so employees know what to do if they suspect an attack. Organizations should have a physical copy of their insurance policy handy along with a physical copy of their incident response plan. The plans should clearly identify who is responsible for managing an incident and who is responsible for communications, both internal and external. There are legal reasons your company should call a potential threat an incident until it has been verified as truly an attack.
Take these straightforward steps to significantly reduce your risk
Proactive measures will protect you from costs of business interruptions, data or financial loss, and reputation threats.
• Talk with your IT provider and ensure your layers of cyber security are working for you,
• Ensure all staff at your company attend regular cybersecurity user awareness trainings (consider a service like KnowBe4 for added protection),
• Review your cyber insurance policy with your provider, plus
• Update your Incident Response Plan and prepare your team to follow it when needed.
If you are unsure of your organization’s overall cybersecurity posture, use a Free Cybersecurity Self-Assessment Tool like the one available on PCA's Cybersecurity page or contact our experienced team at info@pcatg.com (or by phone at 716.632.5881).
For more information, please contact:
Steve Neuss, Director
PCA Technology Group, Inc.
info@pcatg.com
716.632.5881
Article source: https://articlebiz.com