Warning about email fraud

Attempts at fraud using misspelled email addresses have increased markedly in Sweden. At the end of May, Internetstiftlesen I Sverige (IIS; the Internet Foundation in Sweden) sent out a warning to Swedish companies and organisations about so-called email fraud. These are scams that operate via forged emails, in which a potential victim will be contacted from someone claiming to be a person of responsibility in their organisation – often the CEO or similar. Recently, the team at Dotkeeper have been targeted for this kind of fraud.

Attempted email fraud

A few members of the Dotkeeper team received an email that appeared to come from Hjalmar Antonsson, the company’s CEO, instructing them to pay a sum of money via bank-transfer. Although the email seemed authentic (the signature, for example, was copied from a genuine email) it did not actually come from someone within the Dotkeeper organisation.

In this case, the email was made to look as if it came from Hjalmar but in reality it had a very different origin. The scammers had manipulated the email so that Hjalmar’s name appeared as the sender. The most common approach though, is to send out fake emails from an address very similar to that of the victims. This type of fraud typically starts by registering a domain name that’s close to the name of the targeted company or organisation. The domain name might be deliberately misspelled in such a way that they look similar to the target’s domains. For example, an “o” might be changed to a “0”. Once they have registered the domain, the fraudsters can send out emails from an address that is very similar to the person they’re imitating.

Another common way to falsify emails is to send a “spoofed” mail. This involves a scammer changing the ‘sender’ field on the fraudulent emails they send out. Depending on the target’s mail-client, this can make it seem as though the emails have came from someone the recipient knows and trusts.

The next step will be to send out an email, to the finance department for example, apparently from the CEO of the company. In many cases the signature on the emails will match those of others in the organisation. In the mail there might be a request to make a bank-transfer. If the finance department reply to the mail, then the fraudster will likely try to continue the conversation in a convincing way, to persuade them to make a payment.

IIS encourages companies to be vigilant

Peter Forsman, Abuse Manager at IIS and one of the country’s foremost IT security experts, said in a press release:

– IIS wishes to warn finance departments around the country and ask them to be extra vigilant and to check the spelling of email addresses, especially those that request the payment of invoices or ask for transfers of large sums of money.

According to IIS at least 60 attempted frauds could have been prevented recently. These fraud attempts affect many industries and companies of all sizes. There isn’t a reliable figure for how much these frauds have cost Swedish companies to date, but according to police working in this area millions of kronor have been lost. In the US, the FBI released a fraud warning in April and claimed that criminals had tricked companies around the world out of 2.3 billion US dollars through these activities. This kind of fraud is very common and can affect any business.

How you can protect your company

• Internal procedures. First and foremost, companies should remain vigilant and have secure internal routines for making payments.
• SPF-record. An SPF-record is used to validate which IP addresses are allowed to be sent from a particular domain. This means that if someone sends an email that purports to be from your mailbox, but which actually came from a different location, then that email should be flagged as spam. As a result, only legitimate mail from your domain should get through.
• Email certificate. Just as you can have a certificate to verify the owner of a website, the same possibility exists for email addresses. By using an email certificate, the recipient can see that if an email has been sent by the genuine owner of that email address.
• Defensive registration. One part of your overall strategy could be to register domains for the misspellings that are most like your company’s name under the most common TLDs. This makes these domains unavailable to potential scammers.
• Domain monitoring. Dotkeeper can provide a domain monitoring service. This means that you’ll receive information whenever the names you’ve chosen to monitor, or common misspellings, are registered. This is the most effective and best way to find out about potential frauds before they occur, as you’ll be able to take steps before scammers have the opportunity to use the domains.

IIS’s press release that warns about email fraud from the 26^th May 2016 can be found here (link in Swedish).