Secplicity – Security Simplified

Spoofing Close to Home

An email hit my inbox in which one family member, Samantha, asked another family member to transfer money. The story was that my mother's credit card had been declined for some reason and she needed money for a surprise present. The scam was obvious and my family recognized it. But there was still the question of how the scammer had gotten access to Samantha's email.

The steps taken to pull this off were more sophisticated than they first appeared. The emails looked as though they came from the real email account, but they actually came from a similar-looking account. This is what the From and To fields of the email looked like. I have changed the names for privacy.

Sent: Thursday, September 28, 2017 at 5:20 PM
From: “Samantha Collins” < Samanthacollins3465@gmail.com>
To: “Mark Collins” < Markcollins647@gmail.com>
Subject: Re: Surprise Package

Samantha thought her email had been hacked. Luckily, the family had yours truly. I looked at the email headers. Email headers contain the routing information and often details on how the email was handled by the mail server and firewall. I saw that Gmail had evaluated the email and that the sender was a “permitted sender.”

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of Samanthacollins3465@mail.com designates 74.208.4.201 as permitted sender) smtp.mailfrom=Samanthacollins3465@mail.com
Return-Path: Samanthacollins3465@mail.com

After a closer look, the sending address was not the same address. Notice @mail.com versus @gmail.com. So how could the From field show @gmail.com while the headers show @mail.com? The attacker manually edited the quoted text of the email after the first reply, so that if Mark were to glance over the message he would see it coming from Samanthacollins3465@gmail.com. Only if Mark went back to the original replies would he see that they came from @mail.com.

A variation of this email spoofing cost another email user thousands of dollars. Unfortunately, it wasn't identified until after the money had been sent. A malicious user had access to the email chain and used it to lend legitimacy to their own message. The spoofer sent the banking details of their own account, together with the quoted email chain, from financedepartment@spooferdomain.com to the victim, who was expecting an email from financedepartment@company.com. The victim didn't review the domain name and sent the money to the spoofer's account.

When receiving emails, it is important to check the sending address closely. If the name and domain don't match exactly what you expect, review the previous replies in the chain and verify the request through another channel before acting on it. –Trevor Collins
