I guess all of us have been lucky enough to get emails from central banks, the National Lottery and other organizations announcing a bumper cash prize. Is it luck? Some of us will say ‘Yes’; others know what’s behind the scenes. As spam and spoofed-email attacks shift from direct monetary gain to identity theft, they become a more profitable way to collect user account details or other sensitive information.
As an example, when someone gets a monetary-reward email they try to learn more about it in order to claim the offer, and in the process they lose data, money and precious time to this type of attack. Though this is quite an old-fashioned attack, it has evolved into a more advanced form that obtains identities or sensitive information through malicious attachments. Imagine getting such a spoofed mail from one of our organization’s heads or leads about some mandatory compliance activity; users unaware of the risk will be the first victims. The reason is that the average user doesn’t have the technical background to identify or challenge the emails that come into their inbox: they won’t look at the source of origin, verify the sender’s domain or check the sender’s signature. There is an easy technique available to handle this type of adversary.
Having a unique email signature, such as a special image, a special quote or a distinctive font style, provides a uniqueness that a plain text signature does not have. Once this uniqueness has been established and practised among all the subordinates in the organization, and among all friends for personal mail, it will be really tough for an attacker to guess the signature and send a spoofed email in that person’s name.
A story-based example is given below –
“The following is an example that I heard about in the past. A group of people within a project got an email from their project manager referring to an attached .pdf that matched the project work. The attachment could have carried any type of malicious code or application to gain access to their machines or email. Luckily, the project team held daily huddles (stand-up calls), where one of them mentioned that mail. The project manager, on hearing this, was shocked, tracked it through their email and found that it was a spoofed mail.
Although the project team were not that aware of information security practices, the project manager was able to locate the malicious mail and said, “Ah!!! This is not my mail signature, and indeed this is not my mail”. Later it was diagnosed and found that the mail had been sent by a malicious agent from a remote location, with a key-logger embedded in the attached file.”
The takeaway from the above story: one of the easiest ways to keep our mail secure from spoofing attacks is to maintain a unique mail signature. Here are some best practices to keep your mail signature unique –
- Keep an organization logo or unique image at the end
- Maintain unique quotes that are not guessable
- Never put your address in detail unless it is asked for
- Maintain a unique font style across all mails
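The three things the post says users fail to check (source of origin, domain verification and the sender’s signature) can also be checked by a script before a mail ever reaches the inbox. The Python example below is added here and is not part of the original post: it parses a raw message, compares the Return-Path domain with the From domain, looks for SPF and DKIM passes in the Authentication-Results header that the receiving mail server stamps on a message, and verifies that a known sender’s mail ends with the signature block registered for them. The sender address, the signature text, the domain names and both sample messages are constructed for the example. The signature check is the heuristic a reader applies by eye, as the project manager did; the two domain checks are what a mail gateway should enforce as well, since a signature alone can be copied from any genuine mail the attacker has seen.

```python
import email
from email.utils import parseaddr

# Constructed registry of the signature block each known sender is expected to
# end their mails with (assumption: the organization keeps such a list; the
# address and text here are invented for this example).
EXPECTED_SIGNATURES = {
    "priya.pm@example.org": (
        "Priya M. | Project Manager, Example Org\n"
        '"Measure twice, cut once."'
    ),
}


def _domain(header_value):
    """Lower-cased domain of an address header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """First text/plain part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_message(raw):
    """Return a list of findings for a raw RFC 5322 message ([] == nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()

    # 1. Source of origin: the envelope sender (Return-Path) should belong to
    #    the same domain as the displayed From address.
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != _domain(msg.get("From")):
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain")

    # 2. Domain verification: the receiving server records SPF/DKIM results in
    #    Authentication-Results; a genuine mail from the domain should pass both.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("no SPF and DKIM pass recorded in Authentication-Results")

    # 3. Sender's signature: a known sender's mail must end with the exact
    #    signature block registered for them.
    expected = EXPECTED_SIGNATURES.get(from_addr)
    if expected is not None and not _text_body(msg).rstrip().endswith(expected):
        findings.append(f"signature block for {from_addr} is missing or altered")

    # Attachments only matter once something else looks wrong: a suspicious
    # mail carrying a file is the case in the story above.
    attachments = sum(1 for p in msg.walk() if p.get_content_disposition() == "attachment")
    if findings and attachments:
        findings.append(f"message carries {attachments} attachment(s)")
    return findings


# Constructed sample: a genuine mail from the project manager.
LEGIT = """From: Priya M. <priya.pm@example.org>
Return-Path: <priya.pm@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
Subject: Sprint notes
Content-Type: text/plain

Hi team, notes from today's huddle are in the wiki.

Priya M. | Project Manager, Example Org
"Measure twice, cut once."
"""

# Constructed sample: a spoofed mail using the manager's name with a PDF attached.
SPOOFED = """From: Priya M. <priya.pm@example.org>
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none
Subject: Mandatory compliance form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please fill in the attached form today.

Regards,
Priya
--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_message(sample) or "OK")
```

Run as a script it prints `legit OK` and four findings for the spoofed message. In a real deployment the Authentication-Results header must come from your own mail server (strip any copy that arrives from outside), and the signature registry would be populated from the signature format each sender has agreed to use.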
Let’s make it a practice to adopt this and keep ourselves safe and secure from the dark cyber-world.