Buying Apples with a Spoofed Email Address

I just got off the phone with a client who was almost a victim of one of the more popular IT-based scams going around. Here’s how it went down…

An attorney at a law firm was sent an e-mail from the managing partner asking her to go to the Apple Store and buy $800 worth of Gift Cards, scratch off the codes and reply to the email with a picture of the codes.

The attorney went to the Apple Store and bought the cards but fortunately, she did not hit “Reply.” The email address of the managing partner was a fake -“spoofed” – in other words, the e-mail address showed the correct name of the managing partner but, it actually originated from a “throwaway” G-mail address. This is a common ploy used by cyber-criminals to exploit the unsuspecting user.

She was tricked.

This company has protections in place so that username@lawfirm.com can only be sent by a specific server. Any emails from username@lawfirm.com coming from any other servers are blocked. In this case, the email address was sent by Google because the spoof only changed the proper name so it ended up in the user’s Inbox looking like this: Managing Partner lawfirmpartner@gmail.com She fell for it.

There are a few things an IT administrator can do to protect against spoofed emails and, in this case, we’ve already put those protections in place. So why did this email come through? Because it was a sophisticated socially-engineered attack: The attacker wanted to trick the e-mail recipient into believing that the email came from the managing partner even though the e-mail address wasn’t even close to the partner’s address.

The proper protections were in place so how can you protect against this? Sometimes the best security isn’t a piece of hardware or software, it is simply old-fashioned staff training; giving your staff security training on a regular basis.

Cyber-criminals are always changing their attack methods so it’s important to schedule security training on a regular basis. Though this is one of the services we provide for our clients, I am rarely asked to give security training even though it is probably the best return for your investment in IT security.

Leave a Reply

Your email address will not be published. Required fields are marked *