Email security technologies come in many forms. But ultimately, all have a common set of goals: keeping the volume of spam emails down, detecting threats, and stopping them from reaching your inbox.  

More often than not, these technologies work by looking for the most common traits of a malicious email - like a blacklisted IP address or a suspicious domain - and then blocking it from reaching your inbox.  Exact domain impersonation is when an attacker uses your domain to send a fraudulent email.

All email security measures (apart from DMARC - more on that later!) are ineffective at spotting a malicious email when it appears to come from a legitimate domain.  

This is because of a flaw in Simple Mail Transfer Protocol (SMTP) - the internet standard for transmission of electronic messaging. In October 2008, the Network Working Group officially labeled it ‘inherently insecure’. They said that anyone could impersonate a domain and use it to send fraudulent emails pretending to be the domain owner. 

Anyone with a very basic knowledge of coding can learn the steps required to impersonate someone’s email identity. All it takes is a quick Google search. The result is an email that looks legitimate and doesn’t have the typical indicators of a phishing attack, such as a suspicious email address. A recipient email server will then allow this email into an individual’s inbox (if the right security measures are not in place). It’s then hard for them to see that the email is, in fact, a phishing attack using a spoofed domain. 

Email phishing is when an attacker or ‘bad actor’ sends fraudulent emails pretending to be from a reputable organization, with the purpose of getting the recipient to reveal sensitive information like bank details or personal data. Sometimes, phishing emails are sent with the intention of deploying malicious software to the victim’s infrastructure. 

A traditional phishing attack usually involves one fraudulent email being sent to multiple recipients. However, phishing attacks are becoming increasingly personalized thanks to the rise in social engineering, the practice of using psychological tactics to get victims to divulge sensitive information. There’s much more information readily available online, and attackers can use this to craft more specific and targeted attacks. 

While some phishing attacks focus on the consumer, bad actors know that there is much more to be gained by targeting an organization. Business Email Compromise (BEC) is an umbrella term that describes phishing attacks that target an organization by impersonating its domain. The attacker relies heavily on Social Engineering and crafts a phishing email designed to look like one from someone inside the business  (usually the CEO). The main aim of this type of attack is to steal money or sensitive data.

The types of attacks that come under the umbrella term Business Email Compromise include: 

Ransomware is malicious software that encrypts files or locks down computer systems, demanding payment (a ransom) for their release.

When the attacker poses as the CEO or another senior executive and targets employees. 

When the attacker tries to trick the recipient into paying an invoice or multiple invoices. 

An attack targeting those with access to Personally Identifiable Information (PII), such as HR managers.

Account compromise refers to unauthorized access to a user's account by a third party, often resulting in the theft of sensitive information or misuse of the account for malicious purposes.

It’s not surprising that many users are deceived by phishing emails. When done well, they can be almost impossible to spot. Organizations that experience phishing attacks haven’t necessarily done anything wrong, and the attacker doesn’t even need access to their systems to carry one out. But regardless, many governments and regulators consider organizations to have a responsibility to safeguard their customers against phishing attacks. So organizations that haven’t taken appropriate measures to safeguard their customers may be liable for a data breach - and penalties. 

In the last decade, a series of email protocols have been introduced by industry leaders to try and improve email security, but email impersonation bypasses many of these. 

Dive into the next chapter to gain a quick understanding of these protocols and what they protect against.