Technology does not help much on phishing frauds, if company business processes are leaky.

Email systems try to handle various wrongdoings by verifying the email addresses and the servers and domains used the process. DKIM signs and verifies the message so that it can't be altered during transmission from the sender to the recipient. SPF verifies that the mail was originated from a trusted IP-address. DMARC policy tells the receiving server that the message should be rejected and deleted if those are not right.

Truth is that while that is all and fine, it does not help much.

Current stock of email client software shows the senders name as the sender of the post. Not the technical details, like email adress!

Consider this:

Company: Example Inc.
CEO: Roger More
Email: [email protected]

Now. All we need to do for a phishing attack is to get an account from some some freemail provider, and set up something like a Mozilla Thunderbird for sending mail via it. That's all it takes.

  • Create account "[email protected]" for example
  • In Thunderbird account settings set your name "Roger More"
  • Send mail.

What happens is that the company mail server receives mail with following technical details:

MAIL FROM: [email protected]
RCPT TO: [email protected]
From: Roger More <[email protected]>
To: Michael Accountant <[email protected]>

Michael Accountant does not see the "[email protected]" part anywhere! Just that an email seemed to be come from Roger More. Mail was sent from GMail and technology is happy with it, as it is valid in all parts. Example Inc mail system was not used in sending the message, and checks enforced on that do not activate.

Social engineering. We see this daily, usually claimed to be sent by a bank or PayPal. Accounts sending such messages en masse will probably be closed pretty soon, and additional tools like anti spam filters do help some, but the really dangerous tailored hits are very hard or outright impossible to detect!

Business processes should verify at least money transfers and other important requests somehow better than just seeing a familiar name in email.


jarif's picture

It is quite trivial to write custom rules for the mail system. We just verify that Roger More's email address is what it is supposed to be, and score accordingly.