How Can an SMB Mitigate Spoofing Attacks?

Have you ever received an email that looked like it was from a work colleague or friend but seemed a little "off"? Maybe it had some urgent request for money? Chances are you have experienced spoofing. Spoofing comes in many forms, with email spoofing being the most well-known. Spoofing is a type of cyber-deception used by cybercriminals to trick companies out of large sums of money and sensitive data.
Spoofing may seem harmless, but it is not. Phishing and spoofing often go hand in hand, and this cybercrime tactic is widespread. In the USA, the FBI's IC3 unit receives almost 300,000 complaints of phishing/spoofing annually.
What is Spoofing?

Cybercriminals understand that trust is a central part of how humans make decisions. By spoofing a trusted person, like a CEO or business partner, a cybercriminal can manipulate trust and trick a victim into performing an action that benefits the attacker. Spoofing has many forms, and all of them exploit trust in some way.
Spoofing adversely impacts an SMB: the hackers behind the attack steal money, login credentials, and sensitive data and/or gain unauthorized access to devices or network areas to install malware (including ransomware). Phishing may use spoofing as part of a targeted spear-phishing attack, in which the cybercriminals impersonate a trusted individual to manipulate the target.
Spoofing attacks exploit various channels, including email, SMS texts, other mobile messaging, websites, IP addresses, and phone calls. Cybercriminals are increasingly using deepfakes to spoof employees.
How Does Spoofing Affect an SMB?
Cybercriminals use spoofing to exploit employees, business partners, and other associated non-employees. The end goals of spoofing include the following:

Business Email Compromise (BEC)
BEC scams often begin with a spoofed email. A cybercriminal will spoof the email of a C-level executive, typically a CEO, to manipulate employees into paying an invoice or sending money to a business associate or similar. The spoofed email is often directed at accounts payable staff. The email will have an urgent message like "We must pay this invoice immediately, otherwise we risk losing this customer".
The email will contain an invoice with bank details. If the employee pays the invoice, the money will go to the hacker's bank account. BEC scams have variations on this theme, but they all end in a company losing large sums of money.
Credential Theft and Login Spoofing
Spoofing attacks often focus on credentials. If an attacker can steal login credentials, they have the keys to your network and applications. In this type of spoofing attack, emails or mobile messages are sent to unsuspecting employees, with the hacker having spoofed the identity of a trusted individual. Unless the employee is aware of spoofing, they will click on a link in the message. This link is malicious and takes them to a spoof login page that looks exactly like the login page of a well-used application, like Microsoft 365. If the employee enters their credentials, they are sent directly to the hacker, who uses them to gain unauthorized access to that employee's account.
Data Theft
Unauthorized account access after a spoofing attack opens the door to other applications, including databases. Even if the compromised employee's account cannot access sensitive data, the result can still be devastating. In this case, techniques such as lateral movement and privilege escalation, where an attacker uses specialist tools and network vulnerabilities to expand and elevate their access, are used to gain admin-level access. Once the right level of privileged access is gained, the attackers can steal data, slowly exfiltrating it to evade detection.
Malware Infection
Spoofed messages that lead to stolen login credentials and privilege escalation can result in malware infection, including ransomware. In some instances, spoofed emails can contain infected attachments. If the recipient of the spoof message opens the attachment, the device can quickly become infected with malware.
Account Takeover (ATO) and Fraud
Spoofed messages that steal credentials can lead to targeted ATOs. In the SMB world, accounts that attract cyber-deception include online banking and business accounts with sensitive data. If a cybercriminal takes control of important business accounts, they can steal money, use the accounts to carry out fraudulent transactions, and steal a business identity to commit fraud using the company name.
Trick Customers and Clients
Spoofed company brands are used to trick people into believing they are communicating with a legitimate business. The email will look exactly like it came from your company, using your company logos and branding. Cybercriminals may use generative AI to create highly realistic spoof emails. It will be difficult for customers and potential customers to discern whether the email is real. The cybercriminals rely on a trusted company brand to trick customers into providing personal data or even login credentials via a spoofed company web page.
The Cost of Spoofing to an SMB

Spoofing and phishing are highly costly to businesses of all sizes, including small to medium-sized companies. The costs of spoofing cover a range of areas, as mentioned above, and some, like reputation damage, can be hard to calculate. However, the following costs indicate the serious nature of this form of impersonation-based cybercrime:
Business Email Compromise scams have affected over one-quarter (27%) of SMBs. The FBI's IC3 cybercrime unit received 21,489 BEC complaints from companies with over $2.9 billion in losses.
Source: SMBs impacted by BEC scams
Ransomware attacks on SMBs vary, but estimates come in at an average of $139,000 for a small business, according to data from a cyber-insurance company. These costs can be fatally damaging to a company. Recent research showed that 31% of US businesses affected by a ransomware attack were forced to close.
Account takeover and fraud cost an SMB over $16,000. Worryingly, over half (54%) never recover their losses.
One of the most consequential impacts of spoofing is losing customer trust. Many aspects of this cybercrime can affect customer loyalty. Research shows that 80% of customers will take their business elsewhere if an online retailer falls victim to a cyberattack.
How Can an SMB Prevent Spoofing Attacks?
SMBs must take a layered approach to all cybersecurity threats, including spoofing. The following are recommended measures and tools. If an SMB does not have the bandwidth or in-house knowledge to apply these recommendations, a managed service provider (MSP) can offer cost-effective options.

Security Awareness Training
All staff must be trained to spot spoofing and phishing. The training should consist of regular education programs, including quizzes, interactive videos, and phishing simulation exercises. Other topics to focus on include safe internet and mobile device use and password hygiene. Companies can also extend security awareness training to customers by providing blog posts and other advice on spoofing.
Use Robust Identity Authentication
Implement identity management that uses strong login authentication that allows access based on least privilege needs, i.e., a need-to-know basis. Use multi-factor authentication (MFA) to add a layer of security to app and device login.
Reporting
Employees should be encouraged to report any suspicious email or other form of spoofing to their line manager or via an incident reporting portal. IT teams or an MSP can then triage the incident and respond appropriately.
Apply DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is an email authentication standard that builds on SPF and DKIM to protect a domain from being used in phishing and spoofing: it tells receiving mail servers how to handle mail that claims to come from your domain but fails authentication. Use robust authentication
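As an added example, not code from the original article: the Python below parses a DMARC record and applies DMARC's alignment rules to decide whether a message whose From: domain is mycompany.com would pass, be reported only (p=none), or be rejected. The two records, the sending scenario and the simplified organisational-domain shortcut are assumptions for illustration. Note that DMARC only protects the domain in the From: header; a message that merely copies an employee's display name onto an external address is not stopped by it.

```python
from typing import Optional

# Constructed DMARC TXT records for illustration (not a real domain's DNS).
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@mycompany.com"
DMARC_STRONG = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@mycompany.com"

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, applying the defaults receivers use
    (relaxed alignment, policy applied to 100% of mail)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels). Real receivers use
    the Public Suffix List; this shortcut is an assumption for the example."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does the domain that passed SPF or DKIM align with the From: domain?"""
    if auth_domain is None:            # that mechanism failed or was absent
        return False
    if mode == "s":                    # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """'pass' if SPF or DKIM passed *and* aligns with From:, otherwise the
    domain owner's requested action: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or \
       aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"]

# The page's scenario: mail sent from fraudrus.com infrastructure but carrying
# From: Bridget.Smith@mycompany.com. SPF and DKIM can only vouch for fraudrus.com.
SPOOF_RESULT = dmarc_disposition(DMARC_STRONG, "mycompany.com", "fraudrus.com", "fraudrus.com")
```

With the weak record the same forged message is merely reported to the rua address and still delivered, which is why a p=none record alone does not stop spoofing.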
Cross-Check Processes
Put business processes in place that cross-check any known activity that could cause loss of data or money. For example, create a process to check any payment over a certain amount.
Deploy Advanced Anti-Phishing and Anti-Spam Tools
Advanced solutions use machine learning and other AI-assisted techniques to identify suspicious emails and prevent them from reaching an employee's inbox.
Types of Spoofing
Spoofing takes many forms. The following are some of the most common that can affect a small to medium-sized company.

Email Spoofing
Cybercriminals spoof the email address of a trusted person, like a CEO, to trick an employee into performing a task on their behalf. This task may simply be to get an email exchange going so the hacker can create a trusted relationship with the targeted employee. Email spoofing is also used to steal login credentials and other data and to initiate BEC scams.
Website Spoofing
Email spoofing is often associated with a fake website. The spoofed email will contain a link to this spoofed website. The website is made to look exactly like a popular app or other site, like PayPal, a bank login page, or Microsoft 365. The hackers use the website to gather login credentials and other sensitive data.
IP Address Spoofing
Hackers spoof the real IP address of trusted systems to evade network security. IP address spoofing is sometimes used in Distributed Denial of Service (DDoS) attacks.
SMS Spoofing
SMS spoofing is similar to email spoofing. The attackers send text messages to a target pretending to be from trusted organizations or individuals. Like the email counterparts, SMS spoofing is used to trick victims into navigating to spoof websites or to install malware on the device.
Caller ID Spoofing
Cybercriminals spoof caller ID to make a phone call look like it is from a trusted source such as a bank. The recipient of the spoof call, believing it is that company, will be asked to provide sensitive data and often login credentials.
AI-Assisted Spoofing
Deepfakes are increasingly used to spoof companies. A recent example was a deepfake video conference that resulted in a $25 million payout to cybercriminals who scammed an employee into thinking he was talking with the CFO.
How Does Email Spoofing Work?

Email spoofing is a form of impersonation. To carry out this impersonation attack, a cybercriminal changes the email header display name to that of a known trusted person or company name. For example, an email sent by "Cybercrim_John" from their account imahacker@fraudrus.com can be made to look like it has come from Bridget.Smith@mycompany.com simply by changing the header before sending.
Changing an email header is usually simple. For example, you can change the M365 Outlook email name by following these instructions from Microsoft.
Note that only a global administrator can perform the above action. However, hackers make themselves the admin.
The fraudster will often gather intelligence on a target to more successfully manipulate that person. Generative AI is making intelligence gathering and email spoofing quicker to create and more difficult for victims to identify.
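As an added example, not the article's own code: the Python below checks two header indicators of the display-name spoofing described above, a From: display name that matches a known employee but is paired with a different address, and a Reply-To: pointing at a different domain than the visible sender. The staff directory, the three messages and the finding codes are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed staff directory: normalised display name -> real mailbox.
DIRECTORY = {"bridget smith": "bridget.smith@mycompany.com"}

# Constructed messages modelled on the page's example (not real mail).
DISPLAY_NAME_SPOOF = b"""From: Bridget Smith <imahacker@fraudrus.com>
To: payments@mycompany.com
Subject: Urgent invoice

We must pay this invoice immediately.
"""
REPLY_TO_HIJACK = b"""From: Bridget.Smith@mycompany.com
Reply-To: imahacker@fraudrus.com
To: payments@mycompany.com
Subject: Urgent invoice

Send the bank details to this address.
"""
LEGIT = b"""From: Bridget Smith <Bridget.Smith@mycompany.com>
To: payments@mycompany.com
Subject: Invoice

Please process as usual.
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_findings(raw: bytes) -> list[str]:
    """Return finding codes for impersonation indicators in the message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    findings = []
    known = DIRECTORY.get(name.strip().lower())
    # Display name belongs to a known employee but the address is not theirs.
    if known and addr.lower() != known:
        findings.append("display-name-impersonation")
    # Replies would go to a different domain than the visible sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to-domain-mismatch")
    return findings
```

Mail filters and awareness training both rely on these same cues; a message that forges the From: address itself (rather than only the display name) is the case DMARC is designed to catch.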
Some Real World Examples of Spoofing
Two examples of spoofing-initiated cyberattacks are as follows:
FTC Spoof Emails
Cybercriminals took advantage of small businesses impacted by the COVID-19 pandemic. Spoof emails purportedly from the Federal Trade Commission (FTC) were sent to businesses with the title "Global Empowerment Fund". The email contained text stating that companies could apply for funding under this initiative, saying something like, "All you need to do is respond with your bank account information, and we can transfer the funds".
SMBs Impacted By BEC Scams
Hacking group TA4903 used email spoofing as part of a sophisticated Business Email Compromise. The group has targeted US government agencies and SMB organizations across multiple sectors. The hacking group spoofed company websites and employee emails, manipulating trust. The group targeted thousands of companies to carry out the BEC attacks.