Email spoofing, mail sent from one’s own address
A forged or spoofed e-mail uses the sender’s real e-mail address, without the sender having actually sent the e-mail. An email spoofed with the interlocutor’s usual email address makes the request in the message plausible. The most advanced frauds collect information about the company in advance (social engineering) to give credibility to the scam.
Professional social networks like LinkedIn make it easy to identify a company’s manager or accountant, and to usurp their identities.
The ” email spoofing ” technique can be used to request a change of bank details. Fraudsters send an e-mail to a member of the target’s accounting department, pretending to be a supplier. The e-mail requests that future payments be transferred to another bank account controlled by the fraudsters.
This scam is similar to the “Faux Ordres de Virement International” (FOVI) and the “Arnaque au Président “. In France, 485 million euros were stolen between 2010 and 2015 as a result of this type of scam; 2,300 complaints have been filed about them. In the United States, 3 billion dollars have been embezzled over the past 3 years.
A “forged” e-mail may also contain “ransomware”, i.e. malicious ransomware. The recipient of the forged email will open it in confidence and trigger the deployment of a Trojan horse that will encrypt the data on the network files it uses. The “ransomware” then demands money in exchange for the key to decrypt the corrupted and unusable files. Payment is mostly made via a cryptographic virtual currency such as Bitcoin, which anonymizes the scammer. France is the fifth most affected country by “ransomware”, with almost 400,000 attacks in 2015.
Identity theft via forged emails can be used to destabilize a company’s human environment. Falsified e-mails can be the subject of rumors to discredit employees and create a poisonous climate within the company.
Solidnames offers a Diagnosis of the Risk of Identity Theft by Email (DRUIDE) to identify and limit the risks of identity theft via email.