A quick heads-up on a pernicious email spoofing scam I’ve seen four times in two weeks: if you get an email from someone you know asking for gift cards or a wire transfer, be suspicious. I saw this first several weeks ago and didn’t make the connection, but now I’ve seen it more frequently in a consistent pattern.
These emails have, from what I’ve seen, routinely come “from” a boss, supervisor, or family member’s name. They usually start with an innocuous “Do you have a moment for a call?” or “Do you have a minute?”
If you reply, the response you get goes into a plea for the purchase of gift cards or a money transfer. As odd as that sounds, it’s easy to get tripped up on these in the flurry of the day.
What services are impacted?
All of them. This isn’t something unique to us or our clients — it’s an Internet-wide campaign impacting email from private employers, Gmail, Outlook, Rackspace, GoDaddy, and others.
How can I spot these emails?
In two of the four cases I’ve seen the “reply to” address is wrong. One came “from” a Gmail address, another came from a Yahoo address that was not accurate.
You can also check the email signature. If you know your friend (or whomever) always signs their emails with “Best” or “Cheers” or “Thanks” and this email ends with “Regards” or something else, it might be a clue.
In some cases I’ve seen the sending address is actually an alias masquerading as another address, meaning you might not even be able to tell by checking the “from” address.
What do I do if I get one of these emails?
Just delete it. There’s nothing you can do and there’s likely nothing the person the email is coming “from” can do.
Does this mean I’ve been hacked?
No, and it doesn’t mean your friend or colleague has, either. This is an email spoofing campaign combined with “spear phishing”. It’s frighteningly easy to create an email address and set the “from” name to be whatever a person wants it to be. What makes these campaigns interesting is they seem very well targeted (hence “spear phishing”, for its accuracy). Historically, these campaigns would blast through a person’s entire Contacts list. This one targets people, such as subordinates or family members, who are highly likely to respond.
What’s causing this?
My educated guess: the myriad data breaches at Facebook and others have led nearly everyone’s network to be compromised. It’s not hard for a bot to figure out that you are who you are, that you serve on a board, and your board has a President and an email from them to you would get your attention. Or that you work where you work, you have a boss, and an email from them would get your attention.
It’s also not hard to scrape a webpage that shows a board structure or a staff listing and target an email “from” the boss to an entire board or staff directory. The same could go for a webpage that shows clients you’ve worked with.
Is there anything you or we can do?
I’m double-checking domain names we have access to for correct SPF (“sender profile”) records. These are special records that establish authenticity in emails arriving from a domain name. If you have email through your organization from Rackspace, Google Apps, or another provider like Office 365, SPF records already exist. So far, I’ve not come up with any that are configured incorrectly.
We’re also adding new domain-level settings called DMARC. This will send you a report if an email appears to be spoofed and comes from your domain.
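As an added example (not from the original post), here is the kind of check I run when auditing a domain’s SPF and DMARC records: it flags a missing record, an SPF record ending in +all or ?all, a DMARC policy of p=none, and a DMARC record with no rua= reporting address. The domain names and TXT records are constructed samples, and lookup_txt is a stand-in for a real DNS query.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "example-ok.test": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example-ok.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-ok.test"],
    "example-weak.test": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
    "example-none.test": ["some unrelated txt record"],
}

def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; swap in a real resolver to audit live domains."""
    return records.get(name, [])

def spf_findings(domain, records=SAMPLE_TXT):
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    # A missing qualifier means '+' (pass), per the SPF mechanism syntax.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends in +all: any host on the Internet passes SPF for this domain"]
    if qualifier == "?":
        return ["SPF ends in ?all: unlisted senders are neither passed nor failed"]
    return []

def dmarc_findings(domain, records=SAMPLE_TXT):
    txt = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not txt:
        return ["no DMARC record: no policy and no spoofing reports for this domain"]
    tags = {}
    for part in txt[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    out = []
    if tags.get("p", "none").lower() == "none":
        out.append("DMARC p=none: spoofed mail is still delivered, only reported")
    if "rua" not in tags:
        out.append("DMARC has no rua= address: aggregate reports will never arrive")
    return out

def audit_domain(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means the basic checks pass."""
    return spf_findings(domain, records) + dmarc_findings(domain, records)
```

Run audit_domain on each domain you control; anything returned is a gap the spoofers in this campaign can exploit.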
If you use a traditional @gmail.com address or some other national provider that isn’t attached to your domain name, just be aware of these tactics. Your best counter is to physically call the person and ask, “Did you send that email?”