Email Spoofing Scams
April 26th, 2019
Imagine sending a letter through the Post Office (I know, who does THAT anymore?). You complete the envelope by placing the recipient's address in the center, and your address in the top-left corner. Here's the thing -- no one verifies that the address you claim is yours is actually yours. You could put the following as the sender's address:
1600 Pennsylvania Ave NW
Washington, DC 20500
And when the person you sent the letter to received it, that's who it would appear to have come from.
Would you believe that's exactly how email works?
When you send an email, the recipient only knows that it came from you because your email program (like Outlook) attached your name and email address to the outbound email. And your email program knows your name and email address because when you set it up, you told it. You could have literally put anything in there that you wanted, and it would say that's who it was sent from.
Now here's some bad news. Scammers know this, and they use it to their advantage. They might send you an email making it appear that it came from your boss, or from someone that you know, directing you to take some action. If the scammers are good enough, the email that they send might look like it actually came from the person they're spoofing, for instance by copying that person's email signature. There's a scam going around right now where someone sends you an email as you, pretending that they've hacked your account (no such hacking has actually occurred). They claim that they've been collecting deep, dark secrets about you for months, and if you don't send them $1,000 in cryptocurrency, they'll send all of these secrets to everyone in your address book. These emails are absolutely safe to delete, ignore, and think nothing more of.
Since someone sending an email can enter anything they want as their email address without verification, this also means that someone can pretend to be you or someone else at your company, and there's very little you can do about it, because they can do this without ever actually getting into your email account.
There is a protocol to help mitigate this, though it's not perfect. It's called SPF, or Sender Policy Framework. Essentially, it says that if an email is going to come from your email address, then it's only allowed to come from certain servers. If an email claims to be from you but comes from some other server, then it's spoofed. While a scammer can pretend to be you by sending an email as you, he can't send it through your server without your account credentials. When the receiving server receives the email, it checks to make sure that the server it's receiving the email from matches one of the servers listed in your domain's SPF record (published in DNS). If not, then it can act accordingly.
While you can set up SPF records with your hosting provider, the downside to this method is that all you're doing is telling the world how email coming from you will be sent. It's up to the companies who receive the email to actually enforce that policy (i.e. by junking the email). So this isn't foolproof, but as more companies adopt the enforcement of SPF records, it can become increasingly difficult for scammers to spoof their emails.
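To show what the receiving server's check actually looks like, here is a simplified SPF evaluator written for this post (it is an added example, not Hyperion Works code). Every domain, address and record in it is constructed, the DNS lookup is an in-memory table standing in for a real TXT query, and only the ip4/ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; every domain and address here is made up.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "nospf.example": "",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    txt = DNS_TXT.get(domain, "")
    return txt if txt.startswith("v=spf1") else None

def check_spf(domain, client_ip, depth=0):
    """Simplified SPF check of the sending server's IP against the domain's record.
    Handles ip4/ip6, include and all; a, mx, exists and ptr are left out."""
    if depth > 10:            # RFC 7208 limits DNS-querying terms, which also stops include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"         # no policy published: the receiver cannot judge
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_spf(arg, client_ip, depth + 1)
            if sub == "permerror":
                return "permerror"
            hit = sub == "pass"
        elif name == "all":
            hit = True
        else:
            hit = False
        if hit:
            return RESULTS[qualifier]
    return "neutral"          # record ran out without a match

def receiver_action(result):
    """What the receiving server does with the verdict; enforcement is the receiver's choice."""
    return {"fail": "reject", "softfail": "junk"}.get(result, "accept")
```

A real receiver checks the domain of the envelope sender (the SMTP MAIL FROM, not the From: line you see in your mail program), and `receiver_action` is where the "it's up to the companies who receive the email" part lives.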
If you already host your email with Hyperion Works and have any questions about SPF records on your account, or if you're hosting elsewhere and would like to learn more about how we can help with protecting your email, please contact us.