In this blog, we’re going to tell you a story about a company we know. They lost just under £20K to hackers through an email spoofing attack. The hackers impersonated one of the company’s senior figures and tricked one of their employees into transferring them the money. Most of the hackers’ plan was carried out using information on the company that’s publicly available, and by exploiting human error. They didn’t need lots of technical knowledge. And that’s scary.
We couldn’t help the company get their money back or stop the hackers. But we were able to help them greatly reduce the chances of an email spoofing attack from happening again. Just as the hackers took a mostly non-digital approach with their attack, many of the improvements we suggested didn’t require everyone in the company to be tech-savvy; they were about strengthening people’s education and introducing effective offline procedures.
By reading this post and hearing the company’s story, we hope you’ll be inspired to review how you’d face a similar attack. Not every cybercriminal is a technical whizz. They can hurt your business without using complicated techniques. At the same time, not everyone in your company has to be a tech genius to help protect it.
What is Email Spoofing?
A spoofing attack is when a malicious party impersonates a network user or device to launch attacks against your network. This could be through stealing data or money, or spreading malware. There are several kinds of spoofing methods. The most common include using imposter IP addresses and DNS servers, and ARP spoofing.
In every case, the hacker is recreating the appearance of something, or someone, trustworthy. They then attempt to fool users into carrying out the actions they want.
Email spoofing, more specifically, is when a hacker hides the origin of their email by disguising it as a legitimate address. This could be someone or a company that you know well. Email spoofing is how the hackers tricked a user in this company’s network into sending them almost £20K, and walked away without a trace.
Targeting the Company
The hackers didn’t go after this particular company. They didn’t have a personal score to settle with it, or find its existence to be a stain on humanity that needed wiping out. The more likely scenario is the hackers had a list of companies which they hoped they could fool. One day, they decided to try their luck by researching and getting in touch with them all.
Thanks to the internet and the amount of information that’s freely available on it, it’s pretty easy to find an organisation’s contact details. If they aren’t published on a company’s website or social media profiles, they’ll be just as easy to find on a service like Companies House. Using these sources, the hackers found the information they needed to call the companies.
They then started contacting as many as they could and waited for one of them to slip up, which is exactly what happened to the company we know. The hackers called, asking who was responsible for finance within the company. And the answerer gave them this information. The hackers could’ve lied about who they were or why they wanted this information, or they might not have. But the answerer thought their request seemed innocent enough, so they shared the details.
Stealing an Identity
With the name and job title of the person whose identity they were going to impersonate, the hackers’ next move was to do just that. This is where their plan gets a little bit technical, but not by much. They set up a fake URL which appeared uncannily similar to the company’s actual URL. All they changed was one character; a small detail which most people wouldn’t think to look out for. Since the URL appears genuine, it can’t be easily removed from the web.
For their plan to work, the hackers also had to replicate the company’s email address format. They started by guessing with several patterns, using the names of employees (something else that, thanks to social media, is easy to find). Once they got one email pattern right, it didn’t take them long to work out what the rest of them were.
They now had everything they needed to send a spoof email. They assumed the identity of the company’s finance director, created an email template for them using their near-perfect URL and email address, and had the names and emails of the company’s employees. So they sent everyone in the finance department an email asking for the money to be transferred to one of the company’s suppliers. And one of the employees did it. The company didn’t realise what had happened until much later.
A Non-technical Problem With Non-technical Solutions
As you can see from this story, the hackers didn’t need much digital knowhow in order to penetrate and steal from the company. Using information that’s easily available online, and by exploiting employees’ lack of education on cyber security, the hackers got away with all that cash.
Like we said at the start of this post, there was nothing we could do to help them get their money back or track down the hackers. As their fake URL and email appeared genuine, these couldn’t be taken down either. But we blocked access to both of these. And after completing a review of their cyber security practices, we recommended several solutions that needed little to no technical knowledge on the part of workers, which you can use too. These are:
- Streamlining public information. Keep the contact details you post online broad and non-specific. A line for general enquiries, plus one or two others you feel are absolutely necessary, should do it. Many of your employees will have social media profiles affiliated with your business. While you can’t ask them to take these down, you can encourage them to tighten their security settings, and only share contact details with people they trust.
- Improving employee education. Think back to the person who answered the phone to the hacker and revealed who the company’s finance director was. They probably hadn’t received any training on what to do in a situation like this. By making your frontline staff aware that cyber criminals can breach your organisation this way, and providing them with procedures to follow, they can help block out potential scammers.
- Spotting spoof emails and URLs. Most people wouldn’t know to look for an incorrect character in a URL or email. So you’ve got to be careful with every communication you receive. Look at how the genuine version - the version you deal with the most - appears. Now compare this to the email you just opened. If they don’t match, it’s probably a spoof.
- Mixing up email address formats. If hackers can correctly guess the format of one email address, they can easily work out what the rest of them are. So don’t give everyone in your business a ‘firstname.lastname@example.org’ email; mix this up a bit. Use just first names for some, and the first initial of the first name and full last name for others. Use middle initials too, as not many people give these out. You can even use false initials here. Even if a hacker guessed a few emails right, you’ve drastically lowered the number of people they can reach.
- Not transferring money over email. Always go through legitimate payment channels. Tell your employees what these are, and have them flag anyone who refuses to use these. For extra safety, you should call and verify with the person who’s asking you to send a payment. If they don’t know what you’re talking about, you’ve got a spoof.
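The one-character domain change described in the story, and the “compare it to the genuine version” check above, can be automated as a first-pass triage of the From: header. The following is an added example written for this post, not code from the original or from the company involved: the genuine domain `example-company.co.uk` is a placeholder assumption (the post never names the company), the sample headers are constructed, and the look-alike character table is a small illustrative set, not a complete one.

```python
from email.utils import parseaddr

# Constructed example: the company's genuine domain. The post never names
# the real company, so this placeholder is an assumption.
GENUINE_DOMAIN = "example-company.co.uk"

# Character sequences that look alike in many fonts (constructed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse look-alike character sequences."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address in a From: header, ignoring the
    display name (which the sender controls completely). '' if unparseable."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, genuine: str = GENUINE_DOMAIN) -> str:
    """'genuine' for the real domain or a true subdomain of it; 'lookalike' if
    the genuine name is embedded in, or one edit/homoglyph away from, the
    sender's domain; 'external' for any other domain; 'unparseable' otherwise."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == genuine or domain.endswith("." + genuine):
        return "genuine"
    if genuine in domain:                       # e.g. genuine.attacker.example
        return "lookalike"
    if normalise(domain) == normalise(genuine): # rn/m, 0/o style swaps
        return "lookalike"
    if edit_distance(domain, genuine) <= 1:     # the one-character change
        return "lookalike"
    return "external"


# Constructed sample headers, modelled on the one-character change in the post.
SAMPLE_HEADERS = [
    "Finance Director <fd@example-company.co.uk>",                    # genuine
    "Finance Director <fd@exanple-company.co.uk>",                    # m -> n
    "Finance Director <fd@example-cornpany.co.uk>",                   # m -> rn
    "Finance Director <fd@example-company.co.uk.attacker.example>",   # genuine name embedded
    "Accounts Payable <ap@supplier.example>",                         # ordinary outside sender
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each From: header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:12} {header}")
```

Note that an exact domain match only tells you the visible address is the right one; it does not prove the message really came from that domain. This check is a cheap way to catch the kind of near-miss domain the story describes before a payment request is acted on, and it complements rather than replaces the offline verification call recommended in the last point above.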
Keep Safe Without Tech Smarts
Not all cyber attacks are carried out in an entirely technical way. Using public information and exploiting flaws in your business’s offline processes, hackers can do great damage. It’s terrifying. But not all of your safeguards have to be technically complex either. By educating your staff on the key signs to be aware of, they can help you to keep your company safe.
For more advice that's easy to apply to your business, grab a copy of our Quick Guide to Cyber Security. You'll be smarter about cyber security in minutes.