All organizations rely on business email in some way, but its popularity and ease of use also makes it a target for cybercriminals, who may use tactics like look-alike and domain spoofing.
Deceptive by design
Look-alike domains and email spoofing attempt to visually trick victims into thinking an email originated from a legitimate sender, when it actually came from a criminal with an email address that looks similar or is forged. Both schemes are used in phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. This is done to manipulate your employees or business partners into divulging confidential information or redirecting payments. This scheme is commonly known as email spoofing and is a form of phishing attack meant to manipulate your employees or business partners into divulging confidential information or redirecting payments.
Look-alike domains are a cyber risk for companies of all industries and sizes. The following information and best practices are meant to help your business implement look-alike domain and email spoofing prevention policies and controls.
Telltale signs of domain phishing
Below are some common ways that criminals construct look-alike domains. Can you spot the differences?
| Tactic | Real | Look-alike domain |
|---|---|---|
| Removing a character from the domain | @marquettefarm.com | @marquetefarm.com |
| Changing the top-level domain | @marquettefarm.com | @marquettefarm.co |
| Changing a character in the domain | @marquettefarm.com | @marguettefarm.com |
| Adding a character in the domain | @marquettefarm.com | @marquettefarms.com |
Successful domain spoofing attempts depend on the recipient being distracted or rushed. It can be very easy to mistake an “rn” for an “m.” Protecting against email domain spoofing requires vigilance and a critical approach to verifying that messages come from authentic sources.
Tactics to fight email spoofing and look-alike domains
Being prepared for domain phishing attacks requires a multilayered approach. Protecting your business, your clients and your employees can be achieved through a combination of strong internal controls and employee education, including:
- Striking first: Think of ways that fraudsters could try to spoof your email domain, then proactively purchase look-alikes to prevent them from ever being used against you
- Working with experts: A third party that specializes in finding fakes (like a brand protection service) may be able to more quickly detect look-alike domains and take action against them
- Using email control tools: Alerts, flags or banners in your email system can be used to warn users when an email originates from outside of your organization; another option is Domain-based Message Authentication, Reporting, and Conformance (DMARC), which many business email providers offer for further control and detection
- Educating and testing employees: Train staff on the basics of how to spot phishing attacks, domain spoofing emails, look-alike domains, business email and social engineering; run phishing tests to see who falls for a spoof and who can correctly flag one
Callbacks are crucial
Teach employees to never trust email for payment instructions and to always validate payment-related requests by doing a callback to the actual person making the request using a trusted phone number obtained from a system of record.
Further steps to stop domain spoofing
These additional tips can help you mitigate spoofing risks, or help you recover from a suspected attack:
- Protect yourself: Using a password manager will help you avoid look-alike domains. Only domains you have stored in the password manager will auto populate your credentials. When your username and password don’t automatically populate, you know you are on an unrecognized domain.
- Report the imposter: Contact your information technology or information security team so they can look for any internal compromises and block further inbound emails from the look-alike domain.
- Escalate it: Notify your organization’s upper management and legal counsel so they can take action against the spoofing domain, such as getting it removed.
- Update others: Notify business partners and remind them not to accept changes in payment instructions without calling you first to validate.
How we can help
JPMorgan Chase is continually investing in our fraud prevention tools and capabilities to protect both our firm and your business. If you believe you’ve been the target of a domain spoofing scam, talk to your relationship team immediately.
You can also access our guide to business email compromise to learn more about email spoofing prevention.
