Modern technology means modern solutions to old problems. Back in the day, co-workers were only able to meet and work with each other physically at the office. This meant work was only done during office hours and one had to wait until they met their co-worker the next day if they were working late and needed a file or basic help. But modern inventions like email have made for effective and efficient ways for co-workers to stay in touch even outside of office hours. This means co-workers can communicate with each other and share files digitally. Email has now served as the standard form of communication in multiple organisations for years. But it’s being exploited by hackers in the form of spoofed work emails.

What is Email Spoofing?

A form of phishing, spoofed work emails, or better known as email spoofing, is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. The goal of this cyber attack is to make the recipients of this email open or respond to the message in the email. This technique is particularly effective because it works on the simple psychological fact that people are more likely to open an email when they think it has been sent by somebody they know. This technique has already been heavily used to a quite effective degree on a global scale. This is made clear in Singapore, where, according to the popular Malaysian news site, The Star, at least 149 people fell victim to this phishing technique from the start of last year.

How does it work?

The email spoofing campaign in Singapore has proved to be very devastating on an economic level. And with total losses amounting to over 70 million Singaporean dollars, it is particularly clear why this is the case. Singaporean police were reported to say in a statement that the attackers, with the use of already hacked email accounts and addresses, would impersonate the colleagues, co-workers, business partners, or suppliers of the victims.

This led the victims to be more vulnerable to potential attack and loss as they felt like they were communicating with somebody familiar and would easily trust the emails and their sources without checking or inspecting the email that had been sent. This is unfortunate because it has been reported that many of these emails and email addresses used to spoof victims contain subtle misspellings and/or replacement letters, which most users would miss at first glance but could easily catch if they checked with more attention to detail.

Standard Techniques Used by Attackers

The report further detailed exactly how these attackers would go about duping their vulnerable victims. For example, attackers would send emails informing their victims that there was a change in bank account details and that they should instead send money to a new different bank account provided by the attackers in the email. Given the nature of email spoofing and how many internet users can easily be misled into thinking the emails are coming from a genuine source, the recipients of these emails would gladly comply and transfer the money to these new bank accounts that they have been instructed to transfer the money to.

In other instances, attackers would send emails to their victims detailing that the victim must purchase something on behalf of their supervisors or bosses. This could be anything, such as a gift card. The victims were to later send the gift card code back to the attacker’s emails under the illusion that they were sending the code to their supervisors as they were instructed to.

Many of the victims of these email spoofing campaigns would only find out that they were spoofed upon talking to their supervisors or bosses to check if they received the money or other things that the victims were instructed to send by the attackers.

Some Tips to Avoid Becoming a Victim

From this, it is quite clear how dangerous email spoofing is. Because it exploits a human vulnerability and not a technological vulnerability, it is not particularly easy to combat, as many internet users, psychologically speaking, will not do things such as double-checking an email address for spelling errors and irregularities. But there are still many ways internet users can protect themselves and make themselves less vulnerable.

Tip 1: Educate users

One effective method would be to educate users on the existence of email spoofing and its dangers. Let internet users know they are at risk of receiving such emails just by owning an email.

Companies should take charge of educating their employees on various forms of cyber-attacks, including email spoofing. People responsible for transaction processing in a company must be made aware of such schemes and how to identify them.

Tip 2: Be wary of emails that contain new or unexpected information.

The Singaporean Police have provided some preventive measures that the general public must adopt in order to make themselves less susceptible to such scams. One of these is that internet users must be more mindful and aware of any emails detailing new and sudden changes in payment instructions and bank accounts. They also suggest that when presented with such an email, internet users must attempt to contact the person being impersonated using previously known communication channels that have not been provided in that new email.

Tip 3: Some technological precautions that Internet users should take

The police also provided technological measures that internet users must take in order to give themselves further protection. These include using stronger passwords for your email accounts; changing your passwords regularly; not using the same password on multiple accounts; enabling two-factor authentication, and making use of software such as email authentication tools. Furthermore, police also suggest installing up-to-date anti-spyware and antivirus software on your devices. They also state that one must update their operating system software and always keep it up-to-date.

Our advice

For any businesses or individuals that fall victim to these scams, contact must be made to the bank immediately upon realisation of fraud to request a recall of funds before it is too late.

Our advice to the general public is to stay vigilant and aware when doing business on the internet. We must all educate ourselves, educate each other, and watch out for irregularities in received emails in order to fight the email spoofing threat.

Condition Zebra is a CREST-certified and ISO 27001:2013 company that provides Professional Cybersecurity Solutions and Cybersecurity Training to SMEs in a variety of industries, including Financial Services (Banks & Insurance), Government Ministries & Agencies, Government-linked companies, and other SMEs in IT, Hospital & Healthcare, Construction, FMCG, Real Estate, Retail, Education Management, Accounting, Computer Software, Higher Education, Automotive, Transportation, Manufacture, and Manufacturing.

Please reach out to us to protect and secure your company’s IT infrastructure, such as network, server, web & mobile apps, Internet (WiFi) and others.

Learn about our online distance training:

Network Penetration Testing is suitable for participants that have prior experience in setting up, managing or securing an organization’s network.

Web Penetration Testing is suitable for participants that have basic programming language skills and prior experience in managing, developing, or testing web applications.


TheStar: SG victims of spoofed work emails suffer losses of over S$70mil

Share this: