
Why protecting and validating email identity is a top priority for a secure 2015

The scope and frequency of cyber attacks, data breaches, and information disclosures, and the sophistication of the tools used to attack companies and individuals, have been increasing at a tremendous rate.

It doesn’t strain our memories to come up with numerous prime examples, including the deliberate corporate penetration of Sony (which was “easy”) and of Sands Casino (presumably very hard), or the exposure of Regin, the super-powerful nation-state-sponsored attack software that helps enable penetration of specific, complex targets. Don’t forget, as well, the numerous phishing attacks that were propagated in 2014. And, perhaps just as infamous, there were the social engineering attacks in which malicious individuals tricked Apple and GoDaddy into revealing sensitive information.

All of these are different attack vectors, with different ultimate purposes, targeting individuals or corporations.  All were successful.  And the actual, complete list would be too large to publish (and would be impossible to know as more than half of data breaches go unnoticed).

What do the majority of these attacks have in common?

In order for most of these attacks to be successful, the attacker must penetrate your systems or defenses in some way and establish a “beachhead”, just as in war. Once the attacker gets a foot in the door, it becomes much easier for him or her to escalate the scale and scope of the attack, with much more potential for very serious impact.

What are the most common vectors for attackers?  Besides your public-facing web and internet presence, email is one of the primary means that attackers use to begin.  In order for email to work as a vector, the attacker must trick you into trusting him/her somehow.  It’s the old “Jedi mind trick” over the Internet …

“…You will trust me … I am your friend … clicking on this link is Ok … You feel comfortable doing what I ask of you…”

As attacks are escalating, so is the pressure on your email …  more and more attackers are using well crafted email messages as a vector.  And by “well crafted,” I mean messages that really look legitimate and not like a Nigerian Spam.

How Attackers Get Your Trust In Email: Identity Theft


Some attackers use low-quality brute force methods to infiltrate random people.  They send loads of spam with “interesting” content.  Those messages contain links which, if clicked on, can infect your computer with malware or which try to collect sensitive information from you.  These generic “phishing” attacks are incredibly common, fairly easy to spot, and pretty easy for anti-Spam filters to block.  This is not really what we are concerned with here.

Spear Phishing

The “next level” beyond generic phishing attacks is “spear phishing.” In these attacks, the malicious sender has some information about you and uses that to trick you into believing that the message should be trusted. Simple spear phishing attacks are very common and are often easily recognized; however, artfully crafted attacks can be sophisticated in their design and not nearly as easy to identify at first glance.

What are some of the things that attackers use against you in a spear phishing attack?

  1. Email addresses of your co-workers, friends, vendors, and associates.  Messages can be forged to look like they are from these people.  This may allow the message to slip through your spam filters and your mental filter.  You see the message from someone you know and you open it.  Your guard may be down and you may not look critically at the message for “tells” that it is not really from this person.
  2. The names of these people.  If the attacker knows the names (and email signatures) of these people as well, then the message can be better crafted.
  3. Subjects and message content, images, and formatting.  If the attacker knows what messages to you from this sender look like, then s/he can craft similar messages to better entice you to do what s/he wants.  The familiarity will lower your guard further.  This includes things such as using the same subject lines, the same formatting, the same wording and phraseology, the same images and email signatures, etc.

A large part of what this comes down to is “email identity theft.”  The attacker needs to pose successfully as someone else in order to gain your trust.  Your ability to detect this type of fraudulent behavior is crucial to your ability to defend yourself (and your organization) from such attacks.  And you may never know the attack was successful or that it even was an attack.

Common reasons for phishing attacks

To put this in perspective, here are a number of reasons we have seen for phishing attacks (and there are clearly many more possibilities).  Think about which could apply to email messages sent to you and what the impact would be if you accidentally fell for one…

  1.  Divulging your personal information.  Trick you into filling out a form that gathers your username, password, social security number, account number, address, or other information.  Sometimes this is used to then gain access to other accounts that you have (e.g. a bank or email system); other times it is used to further build a profile of you so that the next attack on you can be more targeted.
  2. Installing malware.  Trick you into clicking on a link in the email message that opens a web page that then infects your computer with some type of virus or malware.  This could be a key logger that captures everything you type; it could be a botnet that uses your computer to attack other computers; it could be a back door that gives the attacker full access to your computer and everything on it and a privileged foothold into your local network to attack other computers and servers, etc.
  3. Divulging privileged / sensitive information.  Trick you into giving out information about someone or something to which the attacker is not authorized.  This is “social engineering” at its core.  A good example is someone posing as a customer and calling a call center for help and requesting information about the company, the account, users in the account, etc.  Usually there is a high degree of urgency: “my boss is out of town and our systems are down and we need this ASAP or else we’ll lose some important business!”  If you believe them, you give out the information requested and they are happy.  They then use that information for ill-intentioned purposes, such as further targeted attacks.
  4.  Getting you to perform some action.  Trick you into doing something that you should not.  E.g. leaving a door open, resetting someone’s password, leaving where you are to go on a “wild goose chase.”   If you are in technical support, this could involve convincing you to make some change to some account, such as closing it, changing security settings, creating a user, etc.  All of these actions then enable the attacker to continue to escalate the attack.

What can you do to better detect forged identities and to protect your own from theft?

We will discuss how attackers go about forging email identities and the details of how defenses against that work in future articles.  For now, the simple answer is to follow these steps to protect yourself:

How to protect yourself from Fake/Forged email

You would be well served to also add SPF and DKIM to your own domain’s email settings (if you have your own domain name), as these technologies can help others detect if email purporting to be from you really is from you.
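How a recipient can use SPF and DKIM results to spot a forged sender, as an added example that is not from the original article: it reads the Authentication-Results header written by the receiving mail server and checks that a pass applies to the same domain shown in From:. The host name mx.example.net, the sample messages, and the exact-domain match (stricter than DMARC's relaxed alignment) are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every domain and header value here is made up.
GENUINE = (
    "Authentication-Results: mx.example.net;"
    " spf=pass smtp.mailfrom=alice@partner.example;"
    " dkim=pass header.d=partner.example\n"
    "From: Alice Smith <alice@partner.example>\n"
    "Subject: Invoice\n\nHi\n"
)
FORGED = (
    "Authentication-Results: mx.example.net;"
    " spf=pass smtp.mailfrom=bounce@bulk-sender.example; dkim=none\n"
    "From: Alice Smith <alice@partner.example>\n"
    "Reply-To: alice.smith@freemail.example\n"
    "Subject: Invoice\n\nHi\n"
)

def domain_of(value):
    """Return the lower-cased domain of an address or bare domain."""
    return value.rpartition("@")[2].strip("<>").lower()

def check_sender(raw, trusted_authserv="mx.example.net"):
    """List reasons to distrust the visible From: address (empty = none found)."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    aligned = set()  # methods that passed for the same domain as From:
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # anyone can add this header; trust only our own server's
        for clause in results.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
            if (m and prop and m.group(2) == "pass"
                    and domain_of(prop.group(1)) == from_domain):
                aligned.add(m.group(1))
    findings = []
    if not aligned:
        findings.append("no SPF or DKIM pass for the From: domain " + from_domain)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain differs: " + domain_of(reply_to))
    return findings
```

In the forged sample SPF passes, but only for the bulk sender's own envelope domain, so a pass on its own says nothing about the name in From:.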

If you have questions on what you can do to lock down your email account to block forged email (as best as possible) and to help ensure that your email cannot easily be forged, please contact LuxSci or your email provider.
