Wikipedia defines email spoofing as the creation of email messages with a forged sender address.

Spammers and phishers use spoofing to trick recipients into believing an email is coming from a known, legitimate source. Because the messages appear to be legitimate, end users often succumb to these attempts to gather personal information.

I recently spoke with one customer whose end user had received an email from what appeared to be the company’s CIO. The email requested a bank transfer of a large sum of money. Believing the email to be legitimate, the user initiated the transfer. When the bank called to confirm the transfer, the customer reviewed the email, was also convinced it was legitimate, and was ready to authorize the transaction when he received a call from the CIO asking about an email confirmation the CIO had received from the bank. Thankfully, in this case, the realization that the email was not legitimate occurred in time for the transaction to be cancelled. Sadly, that is not always the case.

Now the real question: How do I protect myself and my organization from spoofed email attacks?

There is no hard and fast rule on how to protect against these types of attacks, but there are steps that can be taken to help minimize the risk. For SaaS Email Protection customers, we recommend the following:

Lock down your server

Your server should be locked down so it will only accept SMTP traffic from SaaS Email Protection IP addresses. This will prevent spammers/phishers from bypassing our service and delivering spoofed mail (or any mail) directly to your server. The current, up-to-date IP addresses can always be found on the MX Record page of your SaaS Control Console account.

Allow/Deny lists

Many organizations add their own domains to their inbound policy sender allow list, which bypasses many of the SaaS filtering layers and can allow spoofed emails easy access into your organization. To alleviate this risk, we recommend adding the IP address of any legitimate server that may send email from your domain(s) to your sender allow list, while also adding your own domain(s) to the sender deny list. This essentially tells the system that if an email claims to come from an address on your domain(s) but does not originate from one of the listed IP addresses, it should be denied.

Email Authentication

Establishing an SPF record for all of your organization’s domains is a simple way to identify the hosts that are authorized to send mail on behalf of your organization. We also recommend adding all of your domains to the Enforce SPF option of your inbound policy as an added layer of security. While this is not a guarantee, it is one step in alleviating the risk of spoofing attacks.
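To make the allow/deny list rule and the Enforce SPF recommendation concrete, here is an added example (not code from this post or from the SaaS Email Protection product) that applies both rules to an inbound message's sender domain and connecting IP. The domains, IP addresses and SPF record are constructed, and only the ip4/ip6/all parts of SPF are evaluated offline (include, a and mx mechanisms would need DNS lookups).

```python
import ipaddress

# Constructed sample data (not from the original post): the organization's
# domain, its one legitimate outbound relay, and a hypothetical SPF record.
OWN_DOMAINS = {"example.com"}
ALLOWED_SENDING_IPS = {"203.0.113.10"}
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6 mechanisms and the final 'all' of an SPF record.
    Only the offline-evaluable parts are handled; include/a/mx need DNS."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:  # a mismatched IP version simply does not match
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an 'all' mechanism


def inbound_policy(sender_domain, client_ip, spf_records=SPF_RECORDS):
    """Apply the post's two recommended inbound rules, in order:
    1. Own domain on the deny list, legitimate sending IPs on the allow list:
       mail claiming our domain is denied unless it comes from a listed IP.
    2. Enforce SPF: a hard SPF fail for the sender's domain is denied."""
    sender_domain = sender_domain.lower()
    if sender_domain in OWN_DOMAINS and client_ip not in ALLOWED_SENDING_IPS:
        return "deny: own domain from unlisted IP"
    record = spf_records.get(sender_domain)
    if record and spf_check(record, client_ip) == "fail":
        return "deny: SPF fail"
    return "accept"
```

A message claiming the company's own domain from an outside host is denied by the first rule before SPF is even consulted, which is what makes the deny-list-plus-allowed-IPs arrangement effective against the CIO-style spoof described above.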

Educate your users

While we would all like to stop spoofed emails from reaching our end users, the reality is that this is not always possible. Educating users on good email practices is the first line of defense in keeping information safe in cases where a spoofed email makes it to the user’s inbox.