Anonymity Email Security: Identifying Phishing and Spoofing.


Fixxx

Moder
Cybercriminals often use email as a vector for their attacks. By employing social engineering techniques, they can convince the recipient to click on a phishing link, download a malicious file, transfer money to the fraudster's account, hand over confidential data, and much more. To avoid falling for the attacker's tricks, it is essential to remain vigilant and verify the authenticity of emails. In this article, we will discuss the signs of a fake email and how to check an email address.


Attacks and Their Consequences


To deceive their victims, cybercriminals may disguise emails as communications from well-known companies: banks, marketplaces, service providers, etc. For example, in early 2024, DHL warned users about a rise in phishing emails purporting to be from DHL and other carriers. Users can always see who the email is from and can check that the characters used in the domain name are correct, ensuring there is no substitution relative to the original domain. If a user is unsure about the spelling of the domain, they can always find the legitimate website of the entity the sender claims to represent and compare the name. Cybercriminals often play on our emotions, and they are professionals at it. They use tactics of urgency and obligation (fines, penalties), as well as various prizes and bonuses (you might not believe in a large gift, but a bonus of 300 rubles from a telecom operator seems plausible), essentially exploiting societal vices and the weaknesses of specific individuals.

Significant financial losses and damage to a company's reputation can result from whale phishing or whaling, which targets high-ranking individuals within a company. One notable case is the attack on Ubiquiti Networks in 2015, where attackers spoofed the emails of the company's CEO and lawyer, sending messages to the chief accountant requesting a funds transfer. The company lost approximately $46.7 million.

Cybercriminals have many ways to create the impression that an email has come from a trusted address:
  • Sending an email from a domain like ".biz" instead of ".com" or "company-info.com" instead of "company.com".
  • Using typosquatting - addresses with misspellings (e.g., "inf0" instead of "info").
  • Employing Unicode spoofing, where Latin characters are replaced with Unicode symbols, for example, using a Cyrillic "o" in "info".
  • Indicating that the email was sent from another user by inserting their address in the "From" header.

Another example is the BEC attack on the Pathé cinema chain in 2018, where the company lost €19.2 million ($22 million) due to a scam involving the CEO. Cybercriminals impersonated the company's CEO and sent emails with instructions to transfer money, supposedly for acquiring a cinema in Dubai. These examples illustrate how destructive phishing attacks using fake email addresses can be and highlight the importance of taking measures to protect against such threats.
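The four address tricks listed above (wrong TLD or extra label, typosquatting, Unicode homoglyphs, and a look-alike domain in the From header) can all be caught by comparing the sender's domain against the domain you actually expect. The example below is added for this article and is not code from the original post; it goes a little beyond the cases named in the text by folding a small constructed subset of the Unicode confusables table and by applying an edit-distance check for typos. `LEGIT_DOMAIN`, the confusables list and the digit-substitution list are all assumptions for the example.

```python
import unicodedata

# Constructed: the legitimate domain the organisation actually mails from.
LEGIT_DOMAIN = "company.com"

# Constructed subset of the Unicode confusables table: Cyrillic letters that
# look identical to Latin ones in most fonts, mapped to their Latin twins.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})
# Digits that attackers substitute for similar-looking letters ("inf0" for "info").
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of 'a@b.com' or 'Name <a@b.com>'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].strip().lower()


def non_ascii_chars(domain: str) -> list:
    """Every non-ASCII character in the domain, paired with its Unicode name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in domain if ord(ch) > 127]


def to_punycode(domain: str) -> str:
    """The domain as DNS sees it: non-ASCII labels are encoded as xn-- labels."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Fold confusable letters and digit substitutions into plain ASCII letters."""
    return domain.translate(CONFUSABLES).translate(DIGITS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), used to spot typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(address: str, legit: str = LEGIT_DOMAIN) -> list:
    """Return (kind, detail) pairs describing how the sender domain imitates `legit`.

    An empty list means the domain is either the real one or not a lookalike at all.
    """
    domain = sender_domain(address)
    if domain == legit:
        return []
    findings = []
    odd = non_ascii_chars(domain)
    if odd:
        names = ", ".join(f"{ch!r} = {name}" for ch, name in odd)
        findings.append(("unicode", f"non-ASCII characters {names}; DNS name is {to_punycode(domain)}"))
    folded = skeleton(domain)
    if folded == legit:
        findings.append(("homoglyph", f"{domain!r} reads as {legit!r} once lookalike characters are folded"))
    elif edit_distance(folded, legit) <= 2:
        findings.append(("typosquat", f"{domain!r} is within 2 edits of {legit!r}"))
    elif legit.split(".")[0] in folded:
        findings.append(("name-reuse", f"{domain!r} reuses the name {legit.split('.')[0]!r} under a different domain"))
    return findings


if __name__ == "__main__":
    # Constructed sender addresses covering the tricks described in the article.
    for sample in ("alerts@company.com", "alerts@c0mpany.com", "alerts@c\u043empany.com",
                   "alerts@compny.com", "alerts@company-info.com", "alerts@company.biz"):
        print(sample, "->", lookalike_findings(sample) or "no lookalike findings")
```

The `unicode` finding also shows the punycode form of the domain, which is what you would see in DNS and what many mail clients display for mixed-script names; an unrelated domain such as a personal webmail address produces no findings here, because that case is covered by the public-domain check discussed later in the article.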


Signs of Fake Emails


Fraudsters rely on the recipient's ignorance and inattention. Not every user will check the sender's address. Here are some points to pay attention to:
  • Public Domain: Typically, companies and government organizations send emails from corporate addresses. If the email address uses a public domain such as "@gmail.com" while the email claims to be from the tax office, it should raise suspicion.
  • Incorrect Address: Cybercriminals often disguise fake addresses by changing letters or adding extra characters in both the name and the domain. For example, "@gooogle.com" or replacing the letter "o" with a zero.
  • Errors and Typos: Spelling mistakes, strange and inappropriate word usage, inconsistent font sizes and unclear text may indicate that an online translator was used for the email.
  • Request for Action: If the email asks you to provide confidential information, download a file, click a link or transfer money, don't rush to comply with the demands.
  • Urgency and Threats: Cybercriminals know how to exploit human emotions. They often play on people's fear and greed, trying to intimidate and create a sense of urgency. For example, such emails may state that your account will be blocked if you don't update your information within a certain timeframe or that you have won a prize and need to click a link to claim it.
Ordinary users can only rely on their attentiveness. Typically, domain names don't use dots and other symbols. The presence of such symbols in the domain part of the email address (i.e., the part of the email address after the "@") clearly indicates a fake domain. Another red flag is if the email is from a sender you have never received correspondence from before, especially if it contains unclear content or attachments. In such emails, fraudsters usually urge recipients to take some action (open and download a file or archive, or click a link). If you recognize the sender but are unsure whether the email is legitimate, try contacting them through other communication channels, such as phone or messaging apps.
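The signs listed above can be turned into a simple triage pass over the raw message: the From header is parsed, the domain is checked for a public webmail provider and for characters that do not belong in a hostname, first-time senders with attachments are flagged, and the body is scanned for urgency and call-to-action wording. This is an added example written for this article, not the original author's code; the public-domain list, the organisation keywords, the urgency and action phrases, the `KNOWN_SENDERS` address book and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed lists for the example; a real deployment would maintain these centrally.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "mail.ru", "yandex.ru"}
ORG_WORDS = ("bank", "tax", "service", "support", "security", "office")
URGENCY = ("blocked", "suspended", "immediately", "within 24 hours", "urgent", "prize")
ACTION = ("click", "download", "transfer", "confirm your", "update your", "password")
KNOWN_SENDERS = {"colleague@company.com"}   # constructed address book of past correspondents

# A hostname is labels of letters, digits and hyphens separated by dots; anything
# else in the domain part (or an internationalised name) deserves a closer look.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def phishing_signs(raw: str, known=KNOWN_SENDERS) -> list:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    signs = []

    # Sign 1: public webmail domain while the display name claims an organisation.
    if domain in PUBLIC_DOMAINS and any(w in name.lower() for w in ORG_WORDS):
        signs.append(f"public domain {domain} used by a sender posing as '{name}'")

    # Sign 2: unexpected characters in the domain part after the '@'.
    if not DOMAIN_RE.match(domain):
        signs.append(f"unexpected characters in domain '{domain}'")

    # Sign 3: never-seen sender delivering attachments.
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if addr.lower() not in known and attachments:
        signs.append(f"first-time sender with attachment(s) {attachments}")

    # Signs 4 and 5: urgency/threats and a request for action in the body text.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if any(k in body for k in URGENCY):
        signs.append("urgency or threat language in the body")
    if any(k in body for k in ACTION):
        signs.append("request for action (click, download, transfer, confirm)")
    return signs


def build_sample(from_hdr: str, subject: str, body: str, attachment: str = None) -> str:
    """Build a constructed test message as raw text so the checker sees real headers."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "accountant@company.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_string()


# Constructed samples: one message showing every sign, one ordinary internal email.
PHISHING_RAW = build_sample(
    '"Tax Office" <tax.refund2024@gmail.com>', "Account will be blocked",
    "Your account will be blocked within 24 hours unless you click the link "
    "and confirm your details.", "invoice.zip")
LEGIT_RAW = build_sample(
    "Colleague <colleague@company.com>", "Minutes",
    "Attached are the minutes from today's meeting.", "minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_RAW), ("legit", LEGIT_RAW)):
        print(label, "->", phishing_signs(raw) or "no red flags")
```

Each sign on its own is only a hint (a genuine newsletter may use urgency wording, and legitimate internationalised domains will fail the hostname pattern), which is why the article recommends combining methods rather than trusting any single check.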


How to Protect Against Emails from Fake Addresses


There are several ways to identify a fake email, but none provide a 100% guarantee. Therefore, a combination of methods is necessary. Technical means of verification can include authentication indicators that confirm the email came from the correct domain. The main types of indicators include SPF, DKIM and DMARC.
  • SPF (Sender Policy Framework): This email authentication method helps identify mail servers authorized to send emails for a given domain. By using SPF, internet service providers can identify emails from spoofers, fraudsters, and phishers when they attempt to send malicious emails from a domain owned by a company.
  • DKIM (DomainKeys Identified Mail): This protocol allows an organization to take responsibility for transmitting a message by signing it in such a way that mailbox providers can verify it. DKIM verification is possible through cryptographic authentication.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): This email authentication protocol is designed to give email domain owners the ability to protect their domain from unauthorized use. The goal and primary outcome of implementing DMARC is to protect the domain from being used in business email compromise attacks, phishing emails, email fraud and other types of cyber threats.
The most reliable method is to use anti-spam systems. Additionally, it's advisable to check emails that have passed anti-spam checks but were not flagged as suspicious. Numerous online services can verify the legitimacy of domain names. For example, the popular WHOIS service provides information about the domain owner, registration and renewal dates, geographical location and the domain registrar. One common verification method is checking DKIM (DomainKeys Identified Mail), which is also used by anti-spam systems to verify email messages. To protect email, it's recommended to:
  • Use DMARC, SPF, or DKIM and configure them correctly.
  • Check the mail server settings for processing incoming messages.
  • Implement protective solutions that support modern authentication mechanisms.
A vast array of technologies is used to authenticate addresses at the mail server level. In corporate environments, specialized hardware and software appliances filter all email traffic entering the infrastructure. There are many detection technologies, and they primarily do not rely on the return address but instead check the path by which the email message arrived. Various reputation lists of mail servers, sender verification, header analysis, content analysis and more are employed. Today, artificial intelligence is also being actively integrated. The comprehensive application of all these technologies yields excellent results.
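How SPF, DKIM and DMARC fit together, and why the recommendation above to "configure them correctly" matters, is easiest to see by replaying a receiving server's decision. The example below is added for this article and is not the original author's code: it parses an Authentication-Results header (the format defined in RFC 8601), parses the domain owner's DMARC TXT record, and applies DMARC's rule that the message passes only if SPF or DKIM passed for a domain aligned with the visible From domain; otherwise the published p= policy decides. The sample headers, the domains `company.com` and `attacker.biz`, and the simplified organisational-domain logic (last two labels instead of the Public Suffix List) are assumptions of the example.

```python
import re


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header into {method: (result, checked_domain)}.

    The first clause is the authserv-id; each later clause carries one method result,
    and the property after it (smtp.mailfrom= / header.d= / header.from=) names the
    domain that particular check was performed against.
    """
    results = {}
    for clause in header.split(";")[1:]:
        m = re.search(r"\b(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        prop = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[method] = (result.lower(), prop.group(1).lower() if prop else "")
    return results


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (assumption for the example)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(auth_results: str, from_domain: str, dmarc_txt: str) -> tuple:
    """Return (dmarc_result, disposition) as a receiving MTA would decide them.

    DMARC passes if SPF passed with an aligned MAIL FROM domain, or DKIM passed with
    an aligned d= domain. On failure the domain owner's p= tag (none, quarantine,
    reject) is the requested disposition; with no valid record there is no verdict.
    """
    auth = parse_auth_results(auth_results)
    record = parse_dmarc_record(dmarc_txt)
    if record.get("v") != "DMARC1":
        return ("none", "none")
    spf_res, spf_dom = auth.get("spf", ("none", ""))
    dkim_res, dkim_dom = auth.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, record.get("aspf", "r"))
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", record.get("p", "none"))


# Constructed Authentication-Results headers as a receiving server might add them.
LEGIT_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce.company.com; "
            "dkim=pass header.d=company.com")
SPOOF_AR = "mx.example.net; spf=pass smtp.mailfrom=attacker.biz; dkim=none"

if __name__ == "__main__":
    # SPF alone is satisfied by the attacker's own domain; only alignment with the
    # visible From domain, enforced by DMARC, turns that into a failure.
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(record, "legit:", dmarc_evaluate(LEGIT_AR, "company.com", record),
              "spoof:", dmarc_evaluate(SPOOF_AR, "company.com", record))
```

The weak configuration is `p=none`: the spoofed message still fails DMARC, but the receiver is asked to deliver it anyway and only report. Moving to `p=quarantine` and then `p=reject` is what actually stops the lookalike From header, which is the "configure them correctly" step the list above calls for.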


Conclusion


By implementing the methods and approaches described above, you can significantly reduce the risk of successful attacks and ensure the security of your communications. However, it's essential to remember that cybercriminals are always looking for ways to bypass security systems. Even if effective technical measures are taken, fraudsters may employ other types of cyberattacks. Fake email addresses can serve as a loophole for criminals seeking to conduct phishing attacks, spoofing and other types of fraud. To enhance the security of their communications and protect against fake emails, organizations and users should adhere to best practices, including using specialized tools to verify email addresses and regularly updating SPF, DKIM and DMARC settings.

Remember: cybersecurity is an ongoing process that requires constant attention!