For the sake of the technical discussion, assume for a moment that I particularly dislike the CEO of a fictional company, Blue Widgets Galore (BWG), and also assume I have a very nasty vindictive streak (this is hypothetical remember!). If I have some time and a little money on my hands, I could quite easily type a letter purporting to be from the CEO. I could create a fake letterhead with all the correct details. On the outside of the envelope, I can print the ‘from’ address and then send a nasty or damaging letter to anyone I choose. If I wear some gloves when I place the letters in the envelopes and buy my stamps from various locations, I think I could get away with sending this letter to all and sundry and it would appear to come from the CEO. I could tell everyone that the company has gone into liquidation or that I am resigning as CEO or similar malicious messaging.

The point is that when we receive a letter in the mail, we trust that it has come from the address stated on the outside of the envelope, but there is no checking mechanism in place. The only limiting factors are time (to print the letters and put them in envelopes) and money (to pay for the stamps).

Then along came the Internet.

When Internet e-mail was first developed, it was designed for communication amongst a limited number of trusted institutions, so security was not high on the priority list. The protocol that emerged was the Simple Mail Transfer Protocol (SMTP) and, as the name suggests, it is relatively simple. Neither the sending nor the receiving address is checked for authenticity: the sender address in the envelope and the From line in the message itself are whatever the sending computer chooses to state, and the receiving server records them as given.

Unfortunately, when people with dishonourable motives discovered that they could send a message and appear to be anyone, the limiting factors of the paper version, time and money, suddenly disappeared. You no longer needed a lot of either to pretend to be someone you weren’t.

And so e-mail spoofing was born.

The FBI estimates that e-mail spoofing has amounted to global losses of AU$40 billion over the past three years. For example, back in 2013, scammers purchased a number of shares in a company and then spoofed the e-mail address of the CEO to send an e-mail to media outlets to inform them of a buyout offer well above the current market price. The offer was reported and shares jumped fifty per cent – allowing the scammers to sell their shares before the scam was realised. Just last week the CEO of a company in the UK e-mailed his Chief Financial Officer (CFO) to inform him that the £6 million acquisition had been completed and could he please transfer the funds to the attached bank account before the close of day. Except the CEO didn’t send the e-mail. They just waved goodbye to £6 million!

Drop back to a smaller scale. The HR department would not think twice about an e-mail from an employee asking to change their bank account details. The next pay run would proceed as normal, and then the real employee would ask why they weren’t paid this week. We extend e-mail a level of trust that means we typically do not question it.

The good news is that if someone spoofs an address and you reply to it, the reply will normally go back to the real owner of that address, because your mail program replies to the From address, not to whoever actually sent the message. If that person says the original e-mail did not come from them, the alarm bells can start ringing! The caveat is that a message can also carry a Reply-To address, and if the spoofer has set one, your reply goes wherever they chose rather than to the person being impersonated, so confirm by some other channel, such as a phone call.
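To make the two points above concrete (that SMTP records whatever sender address it is told, and that a reply goes to the From address unless a Reply-To is present), here is an added example that is not part of the original column. It models a receiving mail server as a tiny SMTP state machine, feeds it two constructed spoofed sessions, and then runs the receiver-side checks that plain SMTP does not perform. Every address, host name and domain in it (bwg.example, attacker.example, the CEO and CFO mailboxes) is made up for illustration.

```python
"""Added example: a toy SMTP receiver plus the sanity checks plain SMTP lacks.
All names, addresses and domains are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr


def smtp_server(client_lines, hostname="mail.bwg.example"):
    """Toy receiving mail server as a minimal SMTP state machine. Like real
    SMTP, it accepts whatever sender MAIL FROM states and never compares it
    with the From: line inside the message. Returns the dialogue, the
    envelope sender, the recipients and the raw message text."""
    transcript = [f"S: 220 {hostname} ESMTP"]
    envelope_from, rcpts, body, in_data = None, [], [], False
    for line in client_lines:
        transcript.append("C: " + line)
        if in_data:                       # collecting message text until "."
            if line == ".":
                in_data = False
                transcript.append("S: 250 OK queued")
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            transcript.append(f"S: 250 {hostname}")
        elif verb == "MAIL":
            # No authenticity check: the stated sender is simply recorded.
            envelope_from = arg.split(":", 1)[1].strip("<> ")
            transcript.append("S: 250 OK")
        elif verb == "RCPT":
            rcpts.append(arg.split(":", 1)[1].strip("<> "))
            transcript.append("S: 250 OK")
        elif verb == "DATA":
            in_data = True
            transcript.append("S: 354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
        else:
            transcript.append("S: 500 Unrecognised command")
    return transcript, envelope_from, rcpts, "\n".join(body)


def spoof_session(envelope_from, headers, text):
    """Constructed attacker-side SMTP commands for one spoofed message."""
    return (["EHLO laptop.attacker.example", f"MAIL FROM:<{envelope_from}>",
             "RCPT TO:<cfo@bwg.example>", "DATA"]
            + headers + ["", text, ".", "QUIT"])


def _domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def reply_address(raw):
    """Where a mail client sends a reply: Reply-To wins over From."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]


def inspect(envelope_from, raw):
    """Receiver-side checks that plain SMTP does not perform. Returns a list
    of findings; an empty list means nothing looked odd."""
    msg = message_from_string(raw)
    hdr_from = parseaddr(msg.get("From", ""))[1]
    findings = []
    if _domain(envelope_from) != _domain(hdr_from):
        findings.append(f"envelope sender {envelope_from} does not match "
                        f"header From {hdr_from}")
    reply_to = reply_address(raw)
    if _domain(reply_to) != _domain(hdr_from):
        findings.append(f"replies go to {reply_to}, not to {hdr_from}")
    return findings


# Session 1: the attacker claims to be the CEO everywhere and plants a
# Reply-To so the CFO's reply never reaches the real CEO.
SESSION_REPLY_TO = spoof_session(
    "ceo@bwg.example",
    ["From: CEO <ceo@bwg.example>", "To: cfo@bwg.example",
     "Reply-To: ceo.bwg@attacker.example", "Subject: Urgent transfer"],
    "Please transfer the funds to the attached account before close of day.")

# Session 2: only the From: line is spoofed; a reply goes to the real CEO.
SESSION_PLAIN = spoof_session(
    "bounce@attacker.example",
    ["From: CEO <ceo@bwg.example>", "To: cfo@bwg.example",
     "Subject: Urgent transfer"],
    "Please transfer the funds before close of day.")

if __name__ == "__main__":
    for session in (SESSION_REPLY_TO, SESSION_PLAIN):
        transcript, env_from, rcpts, raw = smtp_server(session)
        print("\n".join(transcript))
        print("reply would go to:", reply_address(raw))
        for finding in inspect(env_from, raw):
            print("WARNING:", finding)
        print()
```

Running it prints both dialogues: the server answers `250 OK` to every claimed sender in both sessions, which is the missing check the column describes. The first session is flagged only because its reply would go to attacker.example; the second is flagged only because the envelope sender and the From line disagree, and its reply goes to the real CEO, which is the case where asking the apparent sender exposes the spoof. Real mail servers add further checks on top of SMTP that this toy does not model.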

Tell me if you have received a spoofed e-mail at ask@techtalk.digital.

Mathew Dickerson
