All organizations rely on business email in some way, but its popularity and ease of use also makes it a target for cybercriminals, who may use tactics like look-alike and domain spoofing.
Look-alike domains and email spoofing attempt to visually trick victims into thinking an email originated from a legitimate sender, when it actually came from a criminal with an email address that looks similar or is forged. Both schemes are used in phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. This is done to manipulate your employees or business partners into divulging confidential information or redirecting payments. This scheme is commonly known as email spoofing and is a form of phishing attack meant to manipulate your employees or business partners into divulging confidential information or redirecting payments.
Look-alike domains are a cyber risk for companies of all industries and sizes. The following information and best practices are meant to help your business implement look-alike domain and email spoofing prevention policies and controls.
Below are some common ways that criminals construct look-alike domains. Can you spot the differences?
|Removing a character from the email@example.comfirstname.lastname@example.org|
|Changing the top-level email@example.comfirstname.lastname@example.org|
|Changing a character in the email@example.comfirstname.lastname@example.org|
|Adding a character in the email@example.comfirstname.lastname@example.org
Successful domain spoofing attempts depend on the recipient being distracted or rushed. It can be very easy to mistake an “rn” for an “m.” Protecting against email domain spoofing requires vigilance and a critical approach to verifying that messages come from authentic sources.
Being prepared for domain phishing attacks requires a multilayered approach. Protecting your business, your clients and your employees can be achieved through a combination of strong internal controls and employee education, including:
Teach employees to never trust email for payment instructions and to always validate payment-related requests by doing a callback to the actual person making the request using a trusted phone number obtained from a system of record.
These additional tips can help you mitigate spoofing risks, or help you recover from a suspected attack:
JPMorgan Chase is continually investing in our fraud prevention tools and capabilities to protect both our firm and your business. If you believe you’ve been the target of a domain spoofing scam, talk to your relationship team immediately.
You can also access our guide to business email compromise to learn more about email spoofing prevention.