Marquez: Spoofing and impersonation: identifying and addressing the issues


We have all seen those unusual emails with someone’s name we know in the “From” field with an odd request out of the blue. Sometimes it may be to wire money, pay an invoice or even go purchase a bunch of gift cards for an unnamed client.

In the instant-gratification society we live in, it can be difficult to slow down and think things through, especially for a new associate who gets such an email with a partner’s name in the From field at the firm they just started at. The associate, not wanting to disappoint, goes and gets a bunch of gift cards and replies to the email, only to be given additional instructions to send the serial numbers from the gift cards for the clients. Of course, they do so without question; after all, this was an urgent request from someone important. The associate has become a victim of impersonation.

In this example we are using an inexperienced and eager associate to demonstrate how easy it is to fall for an impersonation attempt. However, it can happen to anyone, including those in leadership roles.

What’s the difference?

So, what is the difference between spoofing and impersonation? These terms are often used interchangeably, but they really are not quite the same. In tech terms, spoofing is when a bad actor sends an email that uses the same domain as a legitimate firm or company. This includes using an actual email address.

Spoofing is very difficult (almost impossible) for bad actors if your IT personnel or vendor has properly set up the firm’s DNS records (SPF, DMARC and DKIM).

It is rare these days that you or someone you correspond with will get a spoofed email from your firm’s domain (ex. [email protected]). In most cases when this does happen, it is because that user’s mailbox has been compromised and is now being used to send out hundreds if not thousands of emails to try and get an unknowing victim to mistakenly send money or provide credentials.

Impersonation is more common: a bad actor pretends to be someone else by using that person’s name in the From field, but they do not use that person’s real email address or mailing domain. This is how bad actors circumvent properly set up DNS records and get their emails to your inbox (assuming they pass all the other spam filtering diagnostics). The email is not stopped for spoofing because it isn’t trying to pretend to be coming from a legitimate email address. In fact, many times these types of emails come from gmail.com, yahoo.com, outlook.com or any other free email service.

How to guard yourself

So how does this look? At first glance, the From field of the email may say “Tino Marquez,” but upon a closer look the true email address sending the message is something like [email protected] rather than the familiar name originally stated. So it is impersonating a user’s name but it is not spoofing their email address.
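The check described above can be automated. The following is an added example, not something from the original column: it compares the display name in the From field with the address that actually sent the message. The firm domain, staff names, free-mail list and sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example; none of them come from the article.
FIRM_DOMAIN = "examplefirm.test"
STAFF_NAMES = {"tino marquez", "pat partner"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}

def normalize(name):
    """Lower-case, drop commas and collapse whitespace in a display name."""
    return " ".join(name.lower().replace(",", " ").split())

def classify_sender(raw_message):
    """Compare the From display name with the address that actually sent it."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    name = normalize(display)
    flipped = " ".join(reversed(name.split()))  # handles "Marquez, Tino"
    if name not in STAFF_NAMES and flipped not in STAFF_NAMES:
        return "no-staff-name"
    if domain == FIRM_DOMAIN:
        # Same domain: whether it is genuine is for SPF, DKIM and DMARC checks.
        return "firm-domain"
    if domain in FREE_MAIL:
        return "impersonation-free-mail"
    return "impersonation-external"

# Constructed sample messages (headers and bodies are made up).
SAMPLES = [
    "From: Tino Marquez <tmarquez@examplefirm.test>\nSubject: Lunch\n\nNoon?",
    "From: Tino Marquez <office.desk2291@gmail.com>\nSubject: Urgent\n\n"
    "Need gift cards for a client.\nSent from my iPhone",
    'From: "Marquez, Tino" <billing@lookalike-firm.test>\nSubject: Invoice\n\nPay today.',
    "From: Newsletter <news@vendor.test>\nSubject: Update\n\nHello.",
]

def triage(messages):
    """Return one verdict per raw message, in order."""
    return [classify_sender(m) for m in messages]

if __name__ == "__main__":
    for verdict, raw in zip(triage(SAMPLES), SAMPLES):
        print(verdict, "|", raw.splitlines()[0])
```

A message flagged this way has a staff member’s name on an outside address, which is exactly the case that SPF, DKIM and DMARC do not stop.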

Where this becomes extremely problematic is when someone is checking emails from their phone and receives such an email. The actual email address will not show unless you click on the name in the From field to verify the sending email address. These bad actors are smart, and many times in the signature area of the email they will put “Sent from my iPhone” to throw the victim off as to why the standard automated (or otherwise) email signature is not in the email body. After all, what are the odds of an attorney or client having an iPhone?

What kind of nasty things can happen when someone falls victim to a successful impersonation attempt? Pretty much anything you can think of can happen when a user is engaging with what they believe is a trusted source. The things that scare IT the most are:

• Financial Information such as bank accounts divulged.

• Credentials given through the use of a very clever URL.

• The deployment of ransomware on the network triggered via a download of an attachment.

Any of these can be devastating to a law firm. A user inadvertently sharing their credentials through a fake website URL could grant an actor access to your systems (especially if you have not implemented MFA). If the ransomware is the goal, a senior partner or someone else in management being compromised could really cripple the firm’s ability to function for a few days if not longer.

Steps to minimize spoofing and impersonation

Nothing is ever going to provide 100% protection, and nothing can protect your systems from a user who didn’t pay attention during the last quarterly security webinar. So, what are some things you and your firm can do to help minimize the impact of spoofing and impersonation email attempts?

Audit DNS records

Have your IT department or vendor confirm that the DNS records for your law firm have been set up properly, including your SPF, DMARC and DKIM records. The actual technical terms and their applications are outside the scope of this article, but they should be able to take this request and run with it to ensure these have been set up properly. If your DNS records are set up properly, it is very difficult for bad actors to spoof emails from your domain.

Monthly or quarterly security training

It is always good to have regularly scheduled refreshers to discuss and help the firm users identify and be aware of new threats. Chances are you may have a client or insurance policy that requires this type of training, so that is even more incentive to conduct these types of trainings.

Use automated email signatures

You are most likely already using a SPAM filtering system that inbound and outbound email is routed through. Many have the ability to automatically add text to emails such as confidentiality statements and can be used to automate email signatures. This way your users will be able to more easily identify impersonation attempts when they receive an email with a similar name to someone in the firm. Even Microsoft 365 can be configured with rules to add text to all emails.

Never whitelist free email domains

There have been times when a frustrated attorney will demand that all emails from @gmail.com be whitelisted because an important client had their email flagged as SPAM and the attorney didn’t see it on time. As a consultant, I would recommend never whitelisting an email address from a free email service and most certainly never whitelist an entire domain from an email service.

Email is and will likely remain the largest attack vector against your firm. With the amount of damage that can ensue by trusting the wrong email, it is important that you understand your risks and take the necessary steps to minimize those risks. Unfortunately, this is not something IT can just solve magically without any effects on the user base. The firm’s attorneys and staff must always remain careful when reading emails and be overly cynical when an email request seems to come out of the blue.

__________

Tino Marquez ([email protected]) is co-owner of the Indianapolis-based legal technology company Modern Information Solutions LLC. Opinions expressed are those of the author.
