Anatomy of a Spoof Email: Don’t Get Tricked

One of the most insidious forms of hacking is one that requires the least amount of technical expertise. It is the spoof email. A hacker doesn’t even need to compromise someone’s email account to send an email that looks like it is from someone you trust. They create a dummy account that “spoofs” someone you know and send out emails asking for something (usually money or something of monetary value).

The trouble with this type of attack is that there is no way to stop it from happening. However, there is a way to keep from falling for the scam. Let’s take a look at an example that recently hit many of our inboxes in the Rio Texas Conference office.

At first glance, this looks like a legitimate email.

spoof_email_1

In my office, if the bishop sends you an email, you open it right away. So, let’s take a closer look.

spoof_email_sender

If we are paying attention, we can stop right here and delete this email. This is someone I work with and I know that his email address is not “directoratpresido@gmail.com.” First clue.

But what if my boss, my friend, my colleague, or my family member is sending me this email from another account? Maybe they are. But you have to ask yourself, “Why?” If you think that might be the case, you need to, at least, tread carefully at this point.

Many hackers also find ways to spoof the actual return address, so even if that does look correct, you still need to pay attention. The next question to ask is, “Does this sound like the person I think it is?” In this case, the hacker got lucky and did a pretty good job of matching the tone of this individual, who happens to prefer short emails without a lot of context. However, I happen to remember that he always signs his emails the same way, and that is missing here. Another clue.

So, let’s say it worked. Well, fortunately, we can see what that would look like because I decided to reply so I would have an example for this article.

spoof_my_reply

And our scammer didn’t waste any time getting back to me. If I was thinking this was a legitimate email, there are now three clues that should set off some alarm bells.

spoof_email_warning_signs.jpg

Let’s look at those clues:

  1. Again, the return email address is wrong.
  2. Grammar. People often mess up on capitalization in emails, especially when sending from a mobile device. So, this alone doesn’t prove it is a fraud. But, just like with any good mystery, the clues start adding up.
  3. Does this person have a track record of reimbursing me for things? Some people do, so there is a chance it could be real. But it is another clue.
  4. PayPal funds? I use PayPal all the time and I trust the service. And, there are actually people who send birthday gifts this way. However, this should be starting to look suspicious.

At this point, if I actually thought it was real, it is odd enough that I would want to confirm. There are a bunch of ways to do this. I could call the sender, text the sender, or even email back asking him to call or text me to confirm. If it is someone who knows me well enough to ask me to spend money on his behalf, he should already have my phone number. But I really wanted to have a good illustration, so I just hit reply.

spoof_email_another_reply_from_me

And, within minutes, our hacker had replied. At some point, these scams should start to seem obvious. Once the clues really add up, getting scammed is not something you can blame on technology.

spoof_email_falls_apart

There are four major clues here that should tip you off:

  1. This scammer was obviously working two marks at once because he has slipped up. Now when you look at the return address, it is no longer even the same person.
  2. There are some people who call me “Rev. Will” but not the bishop.
  3. What? This nephew is apparently very particular about his birthday gifts. Except, there is no mention of where they are supposed to be from.
  4. Scratch off the covering on the security codes on the back and send them by email? There is nothing at all suspicious about that.
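The sender clues from both lists (a trusted display name on an unfamiliar address, and an address that changes partway through the conversation) can be checked mechanically. This is an added example, not part of the original article; the contact directory, the display name, the `.example` addresses and the sample messages are constructed, and only `directoratpresido@gmail.com` comes from the article.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> address on file (placeholder domain).
KNOWN_CONTACTS = {"bishop example": "bishop@conference.example"}


def sender_clues(raw_message, known=KNOWN_CONTACTS):
    """Return clues for one message based on its From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    clues = []
    expected = known.get(name.strip().lower())
    if expected and addr != expected:
        clues.append(f"display name '{name}' uses {addr}, not {expected}")
    # A Reply-To that differs from From sends the answer somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        clues.append(f"replies go to {reply_to.lower()}, not {addr}")
    return clues


def thread_clues(raw_messages):
    """Flag a conversation in which one display name switches addresses."""
    seen = {}
    clues = []
    for raw in raw_messages:
        name, addr = parseaddr(message_from_string(raw).get("From", ""))
        key, addr = name.strip().lower(), addr.lower()
        if key in seen and seen[key] != addr:
            clues.append(f"'{name}' changed from {seen[key]} to {addr}")
        seen[key] = addr
    return clues


# Constructed sample messages; only the first address appears in the article.
FIRST = "From: Bishop Example <directoratpresido@gmail.com>\nSubject: Quick favor\n\nAre you available?\n"
LATER = "From: Bishop Example <second.sender@mail.example>\nSubject: Re: Quick favor\n\nI need gift cards.\n"
GENUINE = "From: Bishop Example <bishop@conference.example>\nSubject: Agenda\n\nSee attached.\n"

if __name__ == "__main__":
    for clue in sender_clues(FIRST) + thread_clues([FIRST, LATER]):
        print("clue:", clue)
```

A message that passes these checks is not proven genuine, since the return address itself can be spoofed, as noted earlier; the check only automates the first clue.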

I was now curious as to what type of gift cards this mysterious nephew would prefer to receive. Three different places, right? So I asked.

spoof_email_yet_another_reply_from_me

And that was apparently a little annoying to our hacker because he quickly got back to me to accuse me of not paying attention.

spoof_email_not_paying_attention

Well, there is nothing odd about that. Of course, he is confused about which mark he is corresponding with. Other than that, who doesn’t want 3 different iTunes gift cards from three different places? Do people really give $300 worth of iTunes gift cards for birthdays? My uncle used to give me a dollar.

At this point, I had enough for this blog post, so I just started messing with our criminal.

spoof_itunes_really

I just pulled “Ethan” out of the sky. I am wasting his time but it won’t make much of a difference. He is running an untold number of these at the same time all day long, and he has an army of colleagues all doing the same thing. It is a low-tech, labor-intensive scam and it works just often enough to make it profitable.

Unfortunately, there is currently no IT solution to avoid emails like this altogether. This is a very non-technical hack that does not involve compromising email accounts. It is a simple confidence scam that attempts to prey on our trust of others.

The really short advice is this: If an email sounds odd, it likely is. It is very simple to reach out to someone by another means before committing organizational or personal funds or divulging passwords and other personal information. Until software engineers find a way to mitigate this type of attack, diligence is the only cure.

The most important thing is to know that this sort of scam is out there. In the workplace, it is best to set up protocols for how other staff members can request money, passwords, or sensitive data. Email is not usually the best way. Personally, have a policy of your own about how you accept requests for help – even from family. Tell them about it. That way, when you get an email you are unsure about, you can respond with, “You know this isn’t how we do this.”

If this post saves even one person from getting scammed, it will be worth the time it took to write. Scams like this are not only costly, they are humiliating. Even the smartest among us can get taken when we aren’t paying attention. Stay safe out there!
