9 Simple Ways to Check Whether an Email is Fraudulent or Not

Email fraud, or the use of email as a mechanism for breach, has been around almost as long as email itself. From the moment of its creation, there have been those who seek to use it for nefarious purposes.

Like many others in the security industry, I started my career working with email and web filtering solutions, which, at the time, when paired with an AV solution, were the cornerstones of any IT department's defences.


How Has Email Security Changed?

Particularly with email security, we would use blacklists and malware detection engines to filter emails into those that could pass and those that would be binned. Although the technology has become a little more sophisticated today, its value in our networks has been diminished: it has either been absorbed into other technologies or is simply assumed to be part of a standard email service.

With complacency in abundance, it is no surprise that phishing has become such an important tool for fraudsters. In fact, some research suggests that up to 90% of network breaches begin with a fraudulent email.

Should we then be looking at this again, instead of relying on our users to be email detectives at the gates of our networks?

All is not lost: there are numerous techniques that can be employed to test the legitimacy of an email, some of which I have listed below. You may be under the assumption that your provider already employs all of these techniques.

If you rely on Office 365 as your sole defence, I can assure you that they do not.


9 Checks for Email Fraud

1. Domain Impersonation Check - The server this email was sent from is not an authorised source for the sender's email domain. This can be verified against the domain's published SPF record.

2. Cryptographically Signed Email/Header Check - Email servers using DKIM sign the email's content, its headers, or both. The signature can be validated using the public key published in the sender domain's DKIM record.

3. Company Domain Check - Verifying that the sender domain is indeed owned by the company the email purports to come from.

4. Trusted Domain Check - Some IT departments will maintain a list of known good sender domains which have been whitelisted.

5. Reply Redirection Check - An email is sent from one address, yet pressing the reply button sends the response to a different address. This is a sign that the sending address has been spoofed rather than compromised.

6. Internationalised Domain Name Check - Often called an IDN homograph attack. This involves using a Unicode domain name that includes characters from scripts such as Arabic, Cyrillic, Chinese or Hebrew. For example, the Cyrillic characters that look like the Latin letters E and A would allow a domain to be registered that looks identical in the Latin alphabet but is in fact a different domain - this is a particularly cunning style of attack.

7. Prior Communication Check - Validation of whether or not you have communicated with this address before. Some email clients hide the email address and present only a display name, which can be configured to spoof a known contact.

8. Domain Age Check - Domains that have been registered recently, even within the last few days, are unlikely to be on a blacklist. Being able to check the age of a domain can therefore provide insight into its trustworthiness.

9. Same Domain Name Check - This might seem like an obvious test; however, with many cloud services now communicating with internal services through email, a lot of email is sent from and to the same domain. This leaves open the possibility of impersonation by an outsider.
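As an added example (not part of this article or of any product it mentions), the script below applies the checks that can be made from headers alone, checks 4, 5, 6, 7 and 9, to a constructed message. The SPF, DKIM, domain-ownership and domain-age checks (1, 2, 3, 8) need DNS or WHOIS lookups and are not attempted here; the internal domain, trusted-domain list and known-sender list are assumed inputs.

```python
from email.parser import Parser
from email.utils import parseaddr
import unicodedata

# Constructed sample: a lure claiming to come from the internal finance team
# while redirecting replies to a look-alike domain (not a real message).
SAMPLE = """From: "Finance Team" <finance@example.com>
Reply-To: finance@example-invoices.com
To: alice@example.com
Subject: Invoice overdue

Please settle the attached invoice today.
"""

def domain_of(header_value):
    """Lowercase domain part of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_idn_homograph(domain):
    """IDN check: punycode labels, or letters drawn from more than one script
    (e.g. a Cyrillic 'a' mixed into an otherwise Latin name)."""
    if any(label.startswith("xn--") for label in domain.split(".")):
        return True
    scripts = {unicodedata.name(ch, "?").split(" ")[0]
               for ch in domain if ch.isalpha()}
    return len(scripts) > 1

def assess(raw, internal_domain, trusted_domains, known_senders):
    """Run the header-only checks and return the names of those that fire."""
    msg = Parser().parsestr(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-redirection")        # check 5
    if is_idn_homograph(from_dom):
        findings.append("idn-homograph")            # check 6
    if sender not in known_senders:
        findings.append("no-prior-communication")   # check 7
    if from_dom not in trusted_domains:
        findings.append("untrusted-domain")         # check 4
    if from_dom == internal_domain.lower():
        findings.append("same-domain")              # check 9: needs SPF/DKIM to confirm
    return findings

if __name__ == "__main__":
    print(assess(SAMPLE, "example.com", {"example.com"}, {"bob@example.com"}))
```

A finding is evidence for the user rather than a verdict; the same-domain result in particular only says the sender claims to be internal, which checks 1 and 2 would then confirm or refute.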


Is My Email Provider Doing This Already?

You would hope so. However, our experience tells us that it is unlikely they are using all, or any, of these techniques, relying instead on the age-old technique of checking blacklists.

When your users are faced with deciding whether or not an email or a link inside of an email is to be trusted, it is reasonable to suggest that supplying them with more evidence to help with the choice will encourage a better outcome.

Solutions such as CORVID Email Protection can do just that.


By scanning all incoming emails and placing a traffic-light colour-coded indicator at the top of each one, users can apply a level of caution appropriate to the warning message.

It works with self-hosted email solutions, Office 365 and other email security tools. Its low intrusiveness and simple warning system mean that your users can finally shrug off that tiring label of "the network's biggest weakness" and show what they can do when armed with the right tools.

If you would like to learn more about email security or CORVID email protection, you can book a call with one of our solution specialists by clicking here.

