In recent weeks, we have detected a significant increase in the number of email spoofing scams from Cyber criminals targeting University staff with the aim of stealing your money.
Never respond to suspicious emails and report any suspected or confirmed spoofing to email@example.com
Here’s how spoofing works and our guidance on how to spot one.
How it works
Email spoofing occurs when the perpetrator uses an email message to trick a recipient into thinking it came from a known and/or trusted source by impersonating an individual, or legitimate group or business.
Spoofing can be exploited for malicious purposes and is generally achieved in one of two ways.
Display Name spoofing
Most email services allow mailbox owners to set their display name freely. This can be exploited easily as you’ll find out below.
Sender address spoofing
This slightly more complicated method actively masks the true sender’s email address, replacing it with the legitimate address of the entity being impersonated. This type of spoofing is more effective if delivered, but easier for anti-phishing tools to detect.
Anatomy of the scam
Most of the spoofing attacks against the University use Display Name spoofing. This makes it very difficult to detect using automated tools, which is why user awareness is critical. Here’s how it’s done.
- The perpetrator creates a free email account using Gmail or similar.
- The display name is set as the name of staff member at the University.
- The impersonated staff members are generally Senior Management and Director/Head of school level. This is a deliberate social engineering tactic designed to force recipients to act quickly.
- Emails impersonating the senior staff member are sent to other staff members’ University addresses.
- The recipient list tends to be well researched, usually containing recipients likely to report directly to the impersonated sender.
- The premise of the initial message is typically a simple question such as “Are you busy” or “Can you do me a favour?”, and they often contain signatures and footer disclaimers in an attempt to make them appear more authentic.
- If this initial message is replied to, the sender will then attempt to execute the scam. For example:
- They will state that they can only communicate via email due to attending a conference but need you to do something for them.
- They will then attempt to convince you to purchase vouchers for online services such as Amazon and to forward on the redemption codes.
- They state the vouchers are gifts for conference guests and you will be reimbursed.
- In other variations of the scam, the sender may impersonate law firms or third party suppliers/contractors who are likely to have a relationship with the University. Once contact is established, the sender will attempt to gather information or request that fake invoice payments are processed.
How to spot a spoof
You can spot a spoof by ensuring the sender address is legitimate.
Display Name Spoofing
If using the full Outlook desktop client, the sender address will appear to the right of the display name for external emails, e.g. Joe Bloggs
On mobile, click the display name to see the full sender address.
If the email is purporting to be from a staff member, but the address is a free service like Gmail, Yahoo etc., this is likely a spoof.
Sender address Spoofing
The true sender of an email can be verified by checking the email headers.
In Outlook desktop client, open the email in a new window, then go to File > Properties and look in the Internet headers box. Scroll down until you see the From: address. If the address listed does not match the true address of the claimed sender, then the sender has been spoofed.
You can find out more about Cyber Security in our Toolkit resource at www.abdn.ac.uk/toolkit/skills/it-security/
Author: IT Security Team, DDIS