The other day I received an email from my boss. That is completely normal. The email was asking me to send her payroll information for all of our employees. That was NOT normal.
First off, I work in marketing, so why would I have payroll information? Secondly, it's just not the type of thing she would ever ask me for, so I was suspicious. I looked closer at the "from" information, and while it was her name that the email came from, the email address was not her company email.
I decided to send her a text and ask her if she sent me something about payroll. Lo and behold, my suspicions were confirmed - she hadn't sent me the email.
Emails like the one I describe above is an example of spoofing. Spoofing is a general term used to describe a cybercriminal pretending to be someone you would know and trust in order to scam you out of something. It could be information, it could be money, but rest assured, if you fall for spoofing, it will not be good for you.
Spoofing is a type of social engineering. Cyber bad guys use manipulation methods in order to get the information they need to cause harm. Essentially, spoofing relies on two things - manipulating you by impersonating someone you trust and then preying on that trust by asking you to take some form of action for them.
The spoofer in this type of attack forges the header of the email to appear that is coming from a trusted person. They are relying on the fact that you will see the name and won't look further into the email.
The email will likely ask for something - think a money transfer or access to company data. Because the email appears to come from a trusted person, the hacker hopes you just follow the instructions of the email without further investigation. This can lead to disastrous consequences including data breaches, theft of money or property and malicious malware.
Spoofing is becoming more prevalent every day. Brand impersonation, meaning someone pretending to represent a specific company, including your own, is up more than 360% in the last two years. So what can you do to counteract spoofing and falling victim to a cyberattack? There are several red flags to look for.
Five Spoofing Clues To Look For In Your Emails
- A strange or unprofessional greeting. You know the tone and professionalism of your supervisor, manager and colleagues. If you get an email that has an odd or out-of-character greeting, beware.
- A message from a different domain than your company domain. Does an email seem strange, but you're not sure if it is legit or not? Check the sender's domain by looking at the email address of the sender. If your company's domain is xyz.com and the email comes from xyz.net, you can clearly see the domain is different. This is likely a spoof.
- Unusual spelling mistakes and emojis. Again, you know your colleagues, and you receive hundreds of regular emails from them in a year. If someone never sends out an email with a spelling or grammar mistake, an email that all of a sudden contains various misspellings is something to look twice at. Emojis are another thing that spoofers try to use to create rapport with their email recipients. If you get an email from someone that includes emojis and they've never used them before, this is a big red flag.
- Weird links. The goal of most spoofing or phishing attempts is to get you to click on a link or download a file. The link is the cybercriminal's way into your doors and how many of them spread malware. If someone sends you an email that includes a link to somewhere unfamiliar, don't click it unless you are absolutely sure it is legit.
- The offer is too good to be true. Many times, spoof messages include offers for money that may seem customized for you. Remember that banks, credit card companies and the government don't send emails asking you for credentials or personally identifiable information. If you get an email that asks for these items, take heed.
You can equip your employees to protect themselves and your business against spoofing with simple security and compliance awareness training. This type of training empowers your employees with information on the latest cybersecurity tricks that hackers are using and how to spot them before they become a problem. Training reduces the chance of a company falling victim to a cybersecurity incident by up to 70%
With Watchkeep's security awareness training, employees receive consistent and critical training on all aspects of cybersecurity threats. They learn how to spot the red flags before they become an incident for your business and protect your most valuable assets. You can easily deploy new training modules automatically and create spoofing simulations that test their knowledge to know where you may need more focus in your efforts. New materials are added all the time, so your employees stay on top of the latest threats.
To learn more about our security awareness training, click the orange button below and get more information.
