How we at the Email Laundry are Working Towards Stopping CEO Fraud Emails
The best way to stop CEO fraud is to ensure that all employees are well trained and aware of the consequences of such an attack. In order to detect a fraudulent CEO email, users must first know how and why CEO fraud is so successful. Playing on the natural human instinct to not want to upset a boss or superior, CEO fraud uses a wide range of tricks and tactics many users aren’t accustomed to. Barclays outlines this in their explanation of CEO fraud in the video below:
The above Barclays video outlines how CEO fraud occurs and gives three quick tips to avoid it. Here at The Email Laundry, we want to help stop CEO fraud emails from ever reaching your employees. This is because we know that the lack of security in the header sender address, together with the way CEO fraud emails work, leaves companies with a major cyber security vulnerability.
Envelope & Header Addresses
The first type of sending address is the envelope sender which is not visible to the user on their mail client or the headers. The envelope sender dictates where the message is from, where it is going, and where to send the message if it were to bounce.
In terms of a physical letter, this would be the official addresses on the front of the envelope, telling the post office where the letter is from and to whom to send it.
The second type of sending address is the header sender which is displayed in the email header as the From: address. This address helps the user to identify who they are receiving the message from, although these addresses are not always authentic.
The message receiver will only see the header sender, not the envelope sender, making it almost impossible for the user to ensure the sender is who they claim to be.
Therefore, the email that you see coming in from email@example.com could easily be from firstname.lastname@example.org. (Especially if they have a Gmail account.)
How to Stop CEO Fraud Emails
Cyber criminals make use of these header From: addresses to launch phishing attacks that appear to be from authoritative sources such as CEOs. These attacks, or Business Email Compromises (BECs) as the FBI calls them, can be detrimental to a company’s reputation and cost billions in losses.
While these emails almost always originate from an external source, the header sender address is usually spoofed to appear as if it is coming from your domain, to trick users. The best way to prevent these emails from being delivered to your employees is to follow our very simple email filtering steps.
Step 1: Implement an SPF record
Sender Policy Framework (SPF) allows companies and organizations to publish a list of IP addresses that are authorized to send mail from their domain. This helps to validate the envelope sender, ensuring that it is from an authentic, related IP address and not a forgery.
Once an SPF record is implemented, we will stop any emails that don’t comply with it, sheltering your employees from potential attacks.
Although fraudulent envelope senders will be blocked once an SPF record is set up, users may still be exposed to false header senders.
Step 2: Implement a Blacklist for your Own Domain
Unless your company uses an external legitimate domain spoofing service (such as a mailing or reservation service), a blacklist rule can be put in place.
Blacklists allow administrators to restrict or remove access for individual people and areas. In this case, the blacklist would set your company’s domain to only receive email from its internal domain (@yourdomain.tld to @yourdomain.tld), removing the possibility of a spoofed domain coming from an external source.
How to blacklist your own domain
- Login to manage.securesuite.io as an administrator
- Go to the Rules tab
- Click on the Add rule button
- Enter ‘@yourdomain.tld’ for the Sender field without the quotes.
- Leave the Recipient field empty. (This applies the rule to your entire domain)
- You should select ‘Apply to all recipient domains’ if you have multiple domains under your account
- Select the Action to be “Blacklist” from the drop down list
- Click on the Save button
- Repeat the above steps until you have entered all your domains
If your company uses a legitimate domain spoofing service to send out company newsletters, run a reservation system, or something similar, the process to blacklist becomes a bit more involved.
However, here at The Email Laundry, we like to simplify the lives of our clients and would be more than happy to expedite the process by implementing the rule for companies ourselves. With nothing more than a list of sources and a phone call or email, your users can be safe from header senders and spoofed domains.
Companies must compile a list of all the IPs the emails will be originating from, the sending addresses in case they come from a fixed address, or a combination of the two. From this information, we will implement a rule, within minutes, that will allow your sources while blocking any unauthorized emails that are spoofing your domain.
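The own-domain rule with its exceptions can be sketched as follows. This is an added example, not The Email Laundry's code: it assumes the rule checks both the envelope sender and the header From: address of mail arriving from outside, and the exception list, IP ranges, addresses other than @yourdomain.tld, and sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"yourdomain.tld"}  # the article's placeholder domain

# Constructed exception list: (source network, fixed sending address or None).
EXCEPTIONS = [
    (ipaddress.ip_network("192.0.2.0/28"), None),  # newsletter service, any address
    (ipaddress.ip_network("198.51.100.7/32"), "bookings@yourdomain.tld"),
]

def domain_of(address):
    """Lowercased domain part of an address ('' when there is no '@')."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def header_from(raw_message):
    """Address in the From: header, i.e. what the mail client displays."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()

def is_excepted(ip, address):
    """True when the connecting IP (and the address, if one is fixed) is listed."""
    return any(ip in net and fixed in (None, address) for net, fixed in EXCEPTIONS)

def evaluate(client_ip, envelope_sender, raw_message):
    """Decide 'blacklist' or 'accept' for one message arriving from outside."""
    ip = ipaddress.ip_address(client_ip)
    # Check both senders: SPF validates only the envelope one,
    # while the recipient sees only the header one.
    for address in (envelope_sender.lower(), header_from(raw_message)):
        if domain_of(address) in OWN_DOMAINS and not is_excepted(ip, address):
            return "blacklist"
    return "accept"

def make_message(from_header):
    """Build a constructed sample message with the given From: header."""
    return f"From: {from_header}\nTo: finance@yourdomain.tld\nSubject: Payment\n\nHi\n"

if __name__ == "__main__":
    spoofed = make_message("Jane CEO <ceo@yourdomain.tld>")
    # The envelope sender is on the sender's own domain, so an SPF check on it
    # can pass even though the displayed From: address is spoofed.
    print(evaluate("203.0.113.50", "bounce@mailer.example", spoofed))
```

Every exception entry is tied to a source network because an address on its own is supplied by the sender and can be forged just like the header From: address.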
The Future: Threat Intelligence
Traditional email security includes services such as filtering, anti-spam, and anti-virus; services that, although helpful, can only defend against a previously reported attack. If the hacker is using a new version of the attack or the attack hasn’t been seen before, then the chances of these services stopping the attack are very slim.
While implementing the above two steps will help to dramatically reduce the number of CEO fraud and other phishing emails that get through to your employees, we don’t believe that is enough.
For the past 10 years, we have been continuously researching and developing our threat intelligence to create a service that we can be proud of. Making use of lookups and feeds, assignment rankings, and passive DNS services, we are able to predict whether an email will be spam or not before it is even sent.