Scammers are creating fake company domains and using them to send out fraudulent job offers. The goal? Trick people into handing over sensitive personal information — Social Security numbers, bank details, even direct deposits — by pretending to be legitimate employers. These scams are growing. If it hasn’t happened to your company yet, it probably will. Here’s what businesses and individuals can do to stay ahead of it:

For companies:
- Register obvious lookalike domains. Think: careers-yourcompany.com, yourcompanyjobs.com, etc.
- Enforce SPF, DKIM, and DMARC to protect your brand in email systems.
- Set up monitoring for new domains containing your company name.
- Publish a fraud warning on your website’s careers page. Make it clear how real offers work — and what red flags to watch for.
- Have a plan. Know who will handle takedown requests, legal notices, and victim communication if it happens.

For job seekers:
- Be skeptical of surprise offers. No real employer hires without at least one live interview.
- Check the email address. If it’s not from the company’s official domain, it’s probably a scam.
- Never send personal info or money upfront. Legitimate companies won’t ask for it during hiring.
- When in doubt, contact the company directly using a phone number or email listed on their official website.

This kind of fraud doesn’t just hurt the individuals who fall for it — it chips away at trust in the whole system. Protect your people. Protect your brand. And make sure someone in your org is thinking about this before it hits your inbox.

#Cybersecurity #Phishing #FraudPrevention #BrandReputation #SecurityAwareness #HR #ITsecurity
How to Protect Against Spoofing
Explore top LinkedIn content from expert professionals.
Summary
Spoofing is the impersonation of a trusted sender, domain, or caller in order to extract sensitive information or money from the target. It arrives as deceptive emails, lookalike websites, or phone calls and text messages, but a few proactive steps cut the risk substantially.
- Verify all communication: Double-check email addresses, phone numbers, and URLs for accuracy before engaging or clicking on links, especially if the request seems unusual or urgent.
- Strengthen email defenses: Publish an SPF record, sign outbound mail with DKIM, and enforce a DMARC policy (p=quarantine or p=reject, with rua reporting enabled) so that receivers can reject mail forging your exact domain. These controls protect only domains you own: a lookalike domain the attacker registers passes all three checks, so pair them with lookalike-domain monitoring.
- Educate and train your team: Run security awareness training regularly so employees recognize the signs of spoofing, such as altered sender details, lookalike domains, or unusual and urgent requests, and make it easy to report a suspicious message.
Imagine you get an email from your CEO requesting that you send a $50k wire to a company you regularly do business with. You send it, and now your company is out $50k.

“Spoofing” is when hackers take over a trusted email and put company funds and information at risk. It’s getting really hard for the average person to spot. It could be in the same thread as a previous email, so you’d have no idea it’s spoofed.

As someone who’s been in the cyber industry for a long time, I feel it’s important to share this. Here are 2 key processes and procedures your MSP can help you put into place to combat this:

1. Multichannel authentication
If you receive an internal request from your CEO to buy the team 100 gift cards or to wire money, follow up with:
• a phone call
• a Slack message
• an email to an alternate, personal account
Really clever scammers will also spoof a phone number, so that’s why I didn’t put “send a text” on that list. But regardless—generally speaking—you’re more protected if you move to multichannel authentication.

2. Security awareness training
This is going to be one of the best ways to fight spoofing and other scams. You want your employees to be on alert and educated about the different types of attacks scammers try to pull on businesses. Especially small businesses. The faster employees are able to identify and prevent a scam attempt, the more secure your company will be.

At the end of the day, people are the biggest liability when it comes to cyber. So it pays to make sure your people are prepared.
-
I am excited to share insights from our recent exploration into Email Security. As cybersecurity professionals, securing our email communications is critical to our perimeter defense. In this CCD module, I reinforced and implemented email security defenses to strengthen a domain’s integrity and protect against email-based threats. Here’s an overview of the steps taken and the lessons learned:

Sender Policy Framework (SPF): Configuring SPF records to ensure that only authorized email servers can send emails on behalf of our domain. This step is foundational in preventing email spoofing and enhancing email integrity.

DomainKeys Identified Mail (DKIM): Implemented DKIM to add a digital signature to emails, ensuring that the content remains unaltered during transit. By analyzing email headers, I gained a deeper understanding of how DKIM selectors function and their role in email authentication.

Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC enabled me to define policies for handling emails that fail SPF or DKIM checks. I also utilized DMARC reports to monitor and analyze email activities, helping me identify any unauthorized attempts to use the domain.

Brand Indicators for Message Identification (BIMI): I explored BIMI, which allows organizations to display their brand logos in recipients' inboxes. Implementing BIMI not only strengthens brand visibility but also instills greater trust among email recipients.

Tools and Techniques Utilized:
- DNS Lookups: Employed tools like dig to query DNS records for SPF, DKIM, DMARC, and BIMI.
- Email Header Analysis: Inspected headers to verify authentication results and selectors.
- Online Services: Leveraged platforms like MXToolbox to streamline and validate our DNS queries.

Key Takeaways:
- Email Authentication: Proper configuration of SPF, DKIM, and DMARC is essential to secure email communications and prevent phishing attacks.
- Regular Monitoring: Continuous analysis of DMARC reports is vital to detect and address unauthorized email activities.
- Brand Enhancement: Implementing BIMI can significantly improve brand recognition and trust in email communications.

#EmailSecurity #CyberSecurity #SPF #DKIM #DMARC #BIMI #TechInsights #CyberDefenders
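The SPF and DMARC records the post above configures with dig can be audited without a mail server. The Python below is an added example, not code from the post or the CCD module, and it also covers the "Strengthen email defenses" point in the Summary at the top of the page. The four TXT records are constructed samples for a fictional domain (in practice you would fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`); the script flags the settings that leave a domain spoofable and evaluates a sending IP against the SPF ip4/ip6 mechanisms.

```python
"""Audit SPF and DMARC TXT records for weak settings, offline (no DNS queries).
Added example, not code from the post above; the records below are constructed."""
import ipaddress
import re

# Constructed records for a fictional domain: the weak form beside the hardened form.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 +all"
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s; pct=100"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def split_term(term):
    """Return (qualifier, name, value) for a term such as '-all' or 'ip4:203.0.113.0/24'."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, value = term.partition(":")
    return qualifier, name.lower(), value


def audit_spf(record):
    """Return a list of findings describing weaknesses in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    if sum(1 for t in terms[1:] if LOOKUP_TERM.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    all_terms = [split_term(t) for t in terms[1:] if split_term(t)[1] == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_terms[-1][0] == "?":
        findings.append("'?all' is neutral: the record provides no protection")
    elif all_terms[-1][0] == "~":
        findings.append("'~all' softfail: acceptable under DMARC, weak on its own")
    return findings


def spf_ip_result(record, ip):
    """Evaluate ip4/ip6/all terms for a sending IP. Terms that need live DNS
    (include, a, mx, ptr, exists, redirect) are skipped; if one was skipped before a
    decision is reached the answer is 'unknown' rather than a guess."""
    addr = ipaddress.ip_address(ip)
    skipped = False
    for term in record.split()[1:]:
        qualifier, name, value = split_term(term)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            if qualifier == "+":
                return "pass"  # +all matches everyone, whatever came before it
            return "unknown" if skipped else QUALIFIER_RESULT[qualifier]
        else:
            skipped = True
    return "unknown" if skipped else "neutral"


def audit_dmarc(record):
    """Return a list of findings describing weaknesses in a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: failing mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain spoofable")
    return findings


if __name__ == "__main__":
    for name, rec in (("weak SPF", WEAK_SPF), ("good SPF", GOOD_SPF)):
        print(name, audit_spf(rec) or ["ok"], spf_ip_result(rec, "198.51.100.7"))
    for name, rec in (("weak DMARC", WEAK_DMARC), ("good DMARC", GOOD_DMARC)):
        print(name, audit_dmarc(rec) or ["ok"])
```

Two points the output makes visible: with `+all` an arbitrary address such as 198.51.100.7 passes SPF for the domain, which is worse than publishing no record, and with `p=none` DMARC only reports. The `include:` term returns `unknown` here because resolving it needs live DNS; a full evaluator follows every include and redirect and counts them against the 10-lookup limit.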
-
❌ Stop thinking spoofing only happens to big organizations or tech companies. You should learn from these real-life examples instead.

👀 Is this you right now?
You see headlines about email scams, fake websites, and caller ID fraud. You think your business or personal accounts are too small to be a target. But here’s the truth: Spoofing can hit anyone—any business, any individual, at any time.

🔑 Here’s the strategy you should adopt to protect yourself and your organization from spoofing attacks:

1️⃣ Always verify suspicious communication
→ Many spoofing attacks rely on you not double-checking details.
→ Verify email addresses, phone numbers, and URLs before responding or clicking.

2️⃣ Strengthen email security
→ Spoofed emails can trick even the most seasoned professionals.
→ Implement SPF, DKIM, and DMARC to protect your domain from email spoofing.

3️⃣ Educate your team
→ Awareness is your best defense.
→ Regularly train employees to spot signs of spoofing—like subtle changes in email addresses or unusual requests.

📌 Bonus tip for you: Use multi-factor authentication (MFA)
→ Even if attackers steal login credentials, MFA adds a layer of protection
→ Enable it wherever possible to stay one step ahead.

👀 Ready to stop spoofing in its tracks? Start by adopting these strategies and stay vigilant. Spoofing is preventable if you take the right steps now.

#CyberSecurity #Spoofing #EmailSecurity #DataProtection
-
I received a lot of good feedback on my last post that unpacked Defender for Office 365. Ben Harris and team have done a great job in documenting this stuff so I will share some more! Let's understand the Spoof and Impersonation configuration within Microsoft Defender for Office 365:

Spoofing Protection
- Sender Verification: Understanding the difference between header "From" and envelope "From" addresses is vital in authenticating the sender.
- Exact Domain Spoofing: Be wary of messages where the domain is forged to resemble a legitimate organization, a tactic often used in Business Email Compromise (BEC) attacks.
- Email Authentication Checks: Utilize protocols like SPF, DKIM, and DMARC to verify the legitimacy of the sender and their infrastructure.
- Spoof Intelligence: A feature that learns a domain's email sending patterns to help identify spoofing, especially beneficial for domains not enforcing DMARC.

Safe Spoofing Overrides
- Allows for legitimate spoofing in specific scenarios, such as a trusted application sending emails on behalf of your domain.

Tenant Allow/Block List Spoofing Controls
- Control which domains are allowed or blocked from spoofing through the Tenant Allow/Block List.

User Impersonation Protection
- Impersonation Techniques: Impersonators often register their own sending domain to pass email authentication checks, leveraging the recipient's trust in a known contact to execute attacks.
- Mailbox Intelligence-Based Protection: Utilizes AI to understand a user's email patterns with frequent contacts, flagging anomalies in sender details to identify impersonation attempts.
- Specifying Users to Protect: Allows for the protection of up to 350 internal and external users from targeted impersonation attacks.

Domain Impersonation Protection
- Flags messages where the sending domain closely resembles a legitimate domain, helping to prevent attacks leveraging domain similarities.

Safe Impersonation Overrides
- Configure trusted users and domains in the anti-phishing policy to bypass impersonation checks while maintaining other security protocols.

Preset Security Policies
- Offers standard and strict security configurations, including impersonation and spoofing protections, ideal for smaller organizations.

Monitoring Spoofing and Impersonation
- Utilize insights available in the Microsoft 365 Defender portal to monitor and manage spoof and impersonation activities effectively.

User Education
- Visual Cues and Insights: Equip users with tools to self-detect unusual sender behaviors through safety tips and indicators.
- External Sender Callouts: Configure native Outlook settings to alert users to emails from external senders, enhancing cautious engagement with such emails.

If you want to check out the original Blog by Andrew Stobart, check out the link in the comments.

#healthcareit #healthcarecybersecurity #k12it #higheredtech #fintech
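The header "From" versus envelope "From" distinction, and the difference between an exact-domain spoof and a lookalike-domain impersonation that passes authentication, can be made concrete with a small check over message headers. The Python below is an added example, not Microsoft's code or the post author's. It assumes our own receiving MTA has already added an Authentication-Results header with its SPF and DKIM verdicts, that example.com is the protected domain, and that the organizational domain is the last two labels (a shortcut; real code uses the Public Suffix List). The three messages are constructed.

```python
"""Classify a received message by DMARC alignment of the header From against the
SPF and DKIM identifiers in the Authentication-Results header our own MTA added.
Added example, not Microsoft's code or the post author's; messages are constructed."""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the domain being protected

# Pull (result, identifier) pairs out of an Authentication-Results header value.
AR_SPF = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.\-@]+)", re.I)
AR_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.\-]+)", re.I)

# Exact-domain spoof: header From is our domain, but the envelope sender (Return-Path,
# smtp.mailfrom) and the DKIM signer are the attacker's domain.
SPOOFED = """\
Return-Path: <bounce@mailer.attacker-example.net>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=mailer.attacker-example.net;
  dkim=pass header.d=mailer.attacker-example.net
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire

Please wire $50k today.
"""
# Legitimate: bounces routed through a subdomain (relaxed SPF alignment only),
# DKIM signed by the exact domain.
LEGIT = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=mail.example.com;
  dkim=pass header.d=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Q3 numbers

Attached.
"""
# Impersonation: the attacker's own registered lookalike domain, fully authenticated.
IMPERSONATION = """\
Return-Path: <bounce@examp1e.com>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=examp1e.com;
  dkim=pass header.d=examp1e.com
From: "CEO" <ceo@examp1e.com>
To: finance@example.com
Subject: Urgent wire

Please wire $50k today.
"""


def org_domain(domain):
    """Assumption: organizational domain = last two labels. Production code must use
    the Public Suffix List (co.uk and similar suffixes break this shortcut)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Strict (mode 's') needs an exact match; relaxed ('r') needs the same org domain."""
    identifier = identifier.split("@")[-1].lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(raw, aspf="r", adkim="r"):
    """Recompute DMARC alignment from the header From and Authentication-Results."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    ar = " ".join(msg.get_all("Authentication-Results", []))
    spf_ok = any(r.lower() == "pass" and aligned(d, from_domain, aspf) for r, d in AR_SPF.findall(ar))
    dkim_ok = any(r.lower() == "pass" and aligned(d, from_domain, adkim) for r, d in AR_DKIM.findall(ar))
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


def classify(result):
    """Exact-domain spoofs fail alignment for our own domain; lookalike-domain
    impersonation passes authentication and needs a separate similarity check."""
    if result["from_domain"] == OUR_DOMAIN:
        return "authenticated internal" if result["dmarc_pass"] else "exact-domain spoof"
    return "external, authenticated" if result["dmarc_pass"] else "external, unauthenticated"


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("IMPERSONATION", IMPERSONATION)):
        print(name, classify(evaluate(raw)))
```

The third message is the case the post's "Impersonation Techniques" bullet describes: SPF, DKIM and DMARC all pass because the attacker owns examp1e.com, so authentication alone says nothing and only a lookalike check or mailbox-intelligence style anomaly detection catches it. Note also that the LEGIT message fails SPF alignment under `aspf=s` (mail.example.com is not example.com) and still passes DMARC through the exactly aligned DKIM signature.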
-
My favorite way to hack in my ethical hacking is phone call based hacking with impersonation. Why? Because it has the highest success rate. This is what we're seeing in the wild right now, too.

Let's talk about how phone call attackers think and how to catch Scattered Spider style attacks for Insurance companies (that are heavily targeted right now, Aflac recently):

1. *Impersonating IT and Helpdesk for passwords and codes*
They pretend to be IT and HelpDesk over phone calls and text message to ask for passwords and MFA codes or credential harvest via a link
2. *Remote Access Tools as Helpdesk*
They convince teammates to run business remote access tools while pretending to be IT/HelpDesk
3. *MFA Fatigue*
They will send many repeated MFA prompt notifications until the employee presses Accept
4. *SIM Swap*
They call telco pretending to be your employee to take over their phone number and intercept codes for 2 factor authentication

Let's talk about the types of websites they register and how to train your team about them and block access to them. Scattered Spider usually attempts to impersonate your HelpDesk or IT so they're going to use a believable looking website to trick folks. Oftentimes they register domains like this:
- victimcompanyname-sso[.]com
- victimcompanyname-servicedesk[.]com
- victimcompanyname-okta[.]com
Train your team to spot those specific attacker controlled look-alike domains and block them on your network.

What mitigation steps can you take to help your team spot and shut down these hacking attempts? Especially if you work in Retail or Insurance and are heavily targeted right now, focus on:

Human protocols:
- Start a Be Politely Paranoid Protocol: start a protocol with your team to verify identity using another method of communication before taking actions. For example, if they get a call from IT/HelpDesk to download a remote access tool, use another method of communication like chat, email, or initiating a call back to a trusted number to thwart spoofing and verify authenticity before taking action. More than likely it's an attacker.
- Educate on the exact types of attacks that are popular right now in the wild (this above thread covers them).

Technical tool implementation:
- Set up application controls to prevent installation and execution of unauthorized remote access tools. If the remote access tools don't work during the attack, it's going to make the criminal's job harder and they may move on to another target.
- Set up MFA that is harder to phish such as FIDO solutions (YubiKey, etc). Educate that your IT / HelpDesk will not ask for passwords or MFA codes in the meantime.
- Set up a password manager and require long, random, and unique passwords for each account, generated and stored in a password manager with MFA on.
- Require MFA on for all accounts, work and personal; move folks with admin access to a FIDO MFA solution first, then move the rest of the team over to FIDO MFA.
- Keep devices and browsers up to date.
-
Simplifying The Cybers™ Month - July 22

Say Hello to MATANBUCHUS!

Hackers are now impersonating IT help desk staff and calling users directly through Microsoft Teams. Their goal? To convince you to download malware, specifically a strain called Matanbuchus. They use social engineering to make it sound like a legitimate support request. This is more than just phishing and click-dependent email, this is voice-based social engineering on platforms you trust.

Here’s how to protect yourself and your team:
👉 Don’t let anyone remote into your device unless you’re 100% sure who they are. Verify their identity through a known internal contact or your company’s official help desk channel.
👉 Turn on multi-factor authentication (MFA) for all your communication platforms, including Teams and email. I KNOW, I say this ALL THE TIME. There is a reason - a large percentage of people and companies STILL don't use it appropriately. IMHO anyway!
👉 If something feels urgent or out of the ordinary, slow down. These criminal social engineers create a false sense of urgency to bypass your judgment. If something seems off, trust your gut and escalate through the right channels.

These kinds of attacks rely on familiarity. Teams feels safe because it’s internal. But bad actors are exploiting that trust. This is happening to companies of ALL sizes, don't think you are too small to be a target.

If you’re in charge of cybersecurity awareness at your organization, this is the kind of example worth sharing in your next training session.

Stay sharp and be Cyber Safe. Share/repost/comment - do the things, please.

#CyberSecurity #SocialEngineering #SecurityAwareness #KnowledgeIsProtection #CyBUrSmart #MATANBUCHUS
-
The FBI recently issued a stark warning: AI-generated voice deepfakes are now being used in highly targeted vishing attacks against senior officials and executives. Cybercriminals are combining deepfake audio with smishing (SMS phishing) to convincingly impersonate trusted contacts, tricking victims into sharing sensitive information or transferring funds.

This isn’t science fiction. It is happening today. Recent high-profile breaches, such as the Marks & Spencer ransomware attack via a third-party contractor, show how AI-powered social engineering is outpacing traditional defenses. Attackers no longer need to rely on generic phishing emails; they can craft personalized, real-time audio messages that sound just like your colleagues or leaders.

How can you protect yourself and your organization?
- Pause Before You Act: If you receive an urgent call or message (even if the voice sounds familiar) take a moment to verify the request through a separate communication channel.
- Don’t Trust Caller ID Alone: Attackers can spoof phone numbers and voices. Always confirm sensitive requests, especially those involving money or credentials.
- Educate and Train: Regularly update your team on the latest social engineering tactics. If your organization is highly targeted, simulated phishing and vishing exercises can help build a culture of skepticism and vigilance.
- Use Multi-Factor Authentication (MFA): Even if attackers gain some information, MFA adds an extra layer of protection.
- Report Suspicious Activity: Encourage a “see something, say something” culture. Quick reporting can prevent a single incident from escalating into a major breach.

AI is transforming the cyber threat landscape. Staying informed, alert, and proactive is our best defense.

#Cybersecurity #AI #Deepfakes #SocialEngineering #Vishing #Infosec #Leadership #SecurityAwareness
-
Cybersquatting (also known as domain squatting) is the practice of registering, trafficking in, or using an Internet domain name, with a bad faith intent to profit from the goodwill of a trademark belonging to someone else. Cybersquatting raises cybersecurity concerns because hackers commonly register domain names that are confusingly similar to an organization's domain name in an effort to hack employees or customers of the organization. Here are a few tips for organizations to help reduce the impact of cybersquatting:

1. REGISTER AND TRADEMARK YOUR DOMAIN: First, secure domain names relevant to your brand or business. Consider registering domains for longer periods to deter cybersquatters. Make sure to also register any trademarks related to the domain in order to establish legal rights to your brand.

2. REGISTER COMMONLY MISSPELLED DOMAINS: It is generally not feasible to buy every possible domain name that is similar to your organization's domain name, but consider purchasing the most common misspellings before someone else does. Several websites purport to help you identify the most common misspellings of a domain name. See e.g., https://lnkd.in/gd-5BUaD or https://lnkd.in/gKVqJggD

3. MONITOR FOR CYBERSQUATTING: Organizations should monitor for registrations of confusingly similar domain names both to protect their trademark and reduce cyber risk. There are many organizations that offer cybersquatting monitoring services, including MarkMonitor and BrandVerity.

4. ENABLE DMARC: Enable Domain-Based Message Authentication, Reporting, and Conformance (DMARC) along with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help your organization protect its domain from email spoofing and phishing attempts by allowing it to specify how email authentication should be handled and providing insights into the email traffic using your domain. DMARC, SPF, and DKIM enhance email security and help recipients verify the legitimacy of incoming email.

5. TRAIN EMPLOYEES: Train employees to report cybersquatting and spoofed domains. Also reduce the impact of phishing through regular phishing exercises and email security solutions.

6. RESPOND TO CYBERSQUATTING: If you identify cybersquatting, consult ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP). See https://lnkd.in/gS552h4M. Ultimately, you may have to bring litigation against the improperly registered domain names themselves, seeking to have the court order that the domains be transferred to you. The action filed last week by a law firm is a great example of such a lawsuit. See https://lnkd.in/gva6V6BZ. In most instances, nobody will show up to defend these lawsuits and the court will enter a default judgment in your favor. But be prepared for the rare defendant who actually wants to litigate.
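The lookalike domains the fake-recruiter post at the top of the page (careers-yourcompany.com, yourcompanyjobs.com), the Scattered Spider post (victimcompanyname-sso[.]com) and tips 2 and 3 above (common misspellings, monitoring) all describe can be generated and matched mechanically. The Python below is an added example, not any of the authors' code. The brand label victimcompany, the keyword lists, the small ASCII-only homoglyph table and the feed of newly observed domains are all constructed; a real feed would come from a certificate-transparency or newly-registered-domain source and a real homoglyph table would include Unicode confusables.

```python
"""Generate lookalike domains for a brand and match a feed of newly observed domains
against them. Added example, not any post author's code; all inputs are constructed."""

BRAND = "victimcompany"  # assumption: the protected brand label (fictional)
TLDS = ("com", "net", "org")
# Keywords seen hung off a brand label in helpdesk/SSO lures and fake job offers.
SUFFIXES = ("sso", "okta", "servicedesk", "helpdesk", "it", "jobs", "careers", "hr")
PREFIXES = ("careers", "jobs", "login", "my")
# ASCII-only subset of visually similar characters.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}

# Constructed feed, defanged the way threat-intel sources publish it.
FEED = [
    "victimcompany-sso[.]com", "victimcompany-okta[.]com", "careers-victimcompany[.]com",
    "victimcompanyjobs[.]com", "v1ctimcompany[.]net", "victimcompany[.]com",
    "unrelated-shop[.]com", "victimcompanyportal[.]com",
]


def typo_variants(label):
    """Single-edit typos: omission, adjacent transposition, repetition, homoglyph."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                           # omission
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])   # transposition
        out.add(label[:i] + ch + label[i:])                          # repetition
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])     # homoglyph
    out.discard(label)
    return out


def keyword_variants(label):
    """Brand plus a lure keyword, with and without a hyphen."""
    out = set()
    for s in SUFFIXES:
        out.update({f"{label}-{s}", f"{label}{s}"})
    for p in PREFIXES:
        out.update({f"{p}-{label}", f"{p}{label}"})
    return out


def candidate_domains(label=BRAND, tlds=TLDS):
    """Every variant label across the chosen TLDs: the list to pre-register or watch."""
    labels = typo_variants(label) | keyword_variants(label)
    return {f"{l}.{t}" for l in labels for t in tlds}


def match_feed(feed, label=BRAND, tlds=TLDS):
    """Return (domain, reason) for feed entries that are generated candidates or that
    merely contain the brand label; the brand's own domains are skipped."""
    candidates = candidate_domains(label, tlds)
    own = {f"{label}.{t}" for t in tlds}
    hits = []
    for entry in feed:
        domain = entry.lower().replace("[.]", ".")  # undo defanging
        if domain in own:
            continue
        if domain in candidates:
            hits.append((domain, "candidate"))
        elif label in domain.split(".")[0]:
            hits.append((domain, "contains-brand"))
    return hits


if __name__ == "__main__":
    print(len(candidate_domains()), "candidate domains generated")
    for domain, reason in match_feed(FEED):
        print(f"{reason:15} {domain}")
```

The generated set is what you would feed to a registrar for the handful worth owning outright and to a monitoring service or blocklist for the rest; the `contains-brand` rule is the cheap catch-all for keywords the list does not anticipate (the constructed feed's victimcompanyportal.com lands there) and is the check you would run against new certificate-transparency entries daily.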