Unfortunately, impersonating trusted people, especially those in positions of seniority, is a common method attackers use to create a sense of fear or urgency and prompt swift, unquestioning action.

How can this happen?

One way this can happen is through a common cyber-attack known as “spoofing”, in which the sender’s identity is forged by altering the FROM and REPLY-TO fields in the email message header. Nothing in basic email delivery stops a sender from putting any address they like in those fields, so the name and address you see are not proof of who actually sent the message.

If you think of this using the analogy of postal mail, spoofing is the equivalent of someone writing your friend’s name on the envelope as the sender and then posting it to your address. You are probably inclined to open the envelope and trust that it comes from the person named on the outside, and therefore to believe that the contents of the letter are the wishes and directions of someone you know.

What can you do to stop spoofing of your business’ domain name?

Organisations can implement some controls that work together to uplift email integrity.

1) Sender Policy Framework (SPF) – a DNS record that lists which mail servers are allowed to send email on behalf of your organisation’s domain name. If a message claiming your domain arrives from a server that is not on the list, the receiving server can detect it. Note that SPF checks the envelope sender (the return-path used for bounces), which is not necessarily the address shown in the FROM field; that gap is what DMARC, below, closes.

2) DomainKeys Identified Mail (DKIM) – this uses a pair of cryptographic keys to sign and verify each email sent using your domain. The private key is held by your sending mail server and is used to add a DKIM signature to every outgoing email; the matching public key is published in your domain’s DNS. The recipient’s mail server fetches that public key and checks the signature, which confirms both that the message was sent by a server holding your key and that the signed parts of the message were not altered in transit.

SPF: Provides a list of approved servers that are allowed to send mail for your domain. Lets receiving servers know that the sending source was permitted.

DKIM: Signs each email with a cryptographic digital signature. Lets receiving servers check that the signature on an incoming message verifies against the public key published in your domain’s DNS.


3) Domain-based Message Authentication, Reporting & Conformance (DMARC) – a standard that builds on SPF and DKIM. It checks that the visible address (what we see as the FROM field) aligns with the domain that SPF verified (the return-path) or with the domain that signed the message with DKIM; a message passes DMARC if at least one of those aligned checks passes. The DMARC record also instructs receiving servers on what to do with emails that fail this authentication check. So in the diagram below, a company can choose to implement the strictest policy of “reject” if authentication fails, it might choose a “quarantine” policy (failing mail goes to the spam folder) instead, or the most permissive “none”, where even if authentication fails the email still gets delivered to the intended recipient. The “Reporting” in the name refers to aggregate reports that receiving servers can send back to the domain owner, showing which sources are sending mail in the domain’s name and whether they pass.
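To make the interplay of the three controls concrete, here is an added example (not from the original article) that models, offline, how a receiving mail server evaluates SPF, checks DMARC alignment and picks a disposition. The ZONE dictionary stands in for DNS TXT lookups and holds constructed records for the hypothetical domains example.com and mailprovider.example (reserved documentation names, not real services); the DKIM signature verification itself is assumed to have already been done, so the code only consumes its result and the signing domain, as DMARC does. Organisational-domain handling is simplified to the last two labels; real DMARC uses the Public Suffix List.

```python
# Added example: simplified SPF + DMARC evaluation over constructed DNS records.
# Not the article's code; all domain names and records below are constructed.
import ipaddress

# Constructed TXT records standing in for DNS (documentation-only names).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.mailprovider.example -all",
    "spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                           "rua=mailto:dmarc-reports@example.com"),
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query."""
    return ZONE.get(name.lower().rstrip("."))


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_spf(ip, mail_from_domain, depth=0):
    """Evaluate the SPF record of the envelope sender (MAIL FROM / return-path) domain."""
    record = lookup_txt(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1") or depth > 10:
        return "none"  # real SPF returns permerror once includes exceed 10 lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return SPF_RESULT[qualifier]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULT[qualifier]
        if mech == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return SPF_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' (relaxed) = same organisational domain."""
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def dmarc_evaluate(from_domain, client_ip, mail_from_domain, dkim_results):
    """Return (dmarc_result, disposition) for one message.

    dkim_results: list of (signing_domain, signature_verified) pairs from the DKIM verifier.
    """
    record = lookup_txt("_dmarc." + from_domain)
    used_org_record = False
    if record is None:  # a subdomain with no record of its own falls back to the org domain
        record = lookup_txt("_dmarc." + org_domain(from_domain))
        used_org_record = True
    if record is None or not record.lower().startswith("v=dmarc1"):
        return "none", "deliver"  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_aligned = (check_spf(client_ip, mail_from_domain) == "pass"
                   and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_aligned = any(verified and aligned(from_domain, d, tags.get("adkim", "r"))
                       for d, verified in dkim_results)
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    if used_org_record and from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)  # 'sp' governs subdomains when present
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    scenarios = [
        ("own server, SPF aligned", "example.com", "203.0.113.5", "example.com", []),
        ("provider sends, DKIM d=example.com", "example.com", "198.51.100.10",
         "bounce.mailprovider.example", [("example.com", True)]),
        ("provider sends, DKIM with its own key", "example.com", "198.51.100.10",
         "bounce.mailprovider.example", [("mailprovider.example", True)]),
        ("spoofed From, unauthorised IP", "example.com", "192.0.2.77", "example.com", []),
        ("spoofed subdomain, sp applies", "billing.example.com", "192.0.2.77",
         "billing.example.com", []),
    ]
    for label, frm, ip, mail_from, dkim in scenarios:
        print(f"{label:40} -> {dmarc_evaluate(frm, ip, mail_from, dkim)}")
```

The third scenario is the one that catches businesses out in practice: a legitimate provider passes SPF on its own bounce domain and signs with its own DKIM key, but neither identifier aligns with the FROM domain, so DMARC fails and the message is rejected. The fix is to have the provider sign with a DKIM key published under your domain (or use a return-path under your domain), not to weaken the policy.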

How can these controls be implemented?

Some large cloud email providers may already have set up SPF for you as part of your service. To find out whether this is the case, and how to layer DKIM and DMARC on top, contact your email service provider.

If this is not the case and you are unfamiliar with IP addressing and DNS, your first port of call will generally be the internet domain registrar with whom you registered your organisation’s domain name, since SPF, DKIM and DMARC are all published as DNS records for your domain. Ask for assistance with configuring SPF and the other email authentication records.

Once you have set up SPF, DKIM and DMARC, you can, should you wish, request a security assessment from your provider or a managed service provider to validate that the controls are working as you expect. A common approach is to start DMARC at the “none” policy and review the reports it generates to confirm that every legitimate sending source (your own servers, marketing platforms, invoicing systems and so on) passes, before tightening to “quarantine” and then “reject”; moving straight to “reject” can block your own mail.

Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.