I assume there is no way to stop domain spoofing scams?

thecomputerguy
MSP client called me all upset because he said his email got hacked and it was used to scam a client out of $50k in wire fraud. I explained to him that it was unlikely his account was compromised due to an MFA token requirement for his email account. I logged into Azure and saw that there were attempts to log in to his account which all failed due to either an incorrect password or an MFA requirement failure.

He explained that they had his signature which made it look more legitimate to the client, but I explained that it's entirely possible that your client was the one that got hacked and they were able to dig through his emails to pull the signature to make it look more legitimate from prior correspondence.

The final red flag was that after his client examined the email that was supposedly sent from my client, he saw that the domain looked similar but was not correct. The example being miicrosoft.com instead of microsoft.com. Also, they may have attempted to use his account to scam this client, but since they were unsuccessful at logging into the account they just purchased a new domain.

In the end I told my client that his client should not so easily hand over $50k at the request of an email, that a lack of double verification, ignorance or recklessness is likely the main problem here, and that there really is no way to prevent someone registering a domain like miiicrosoft.com and setting up an email like bill@miiicrosoft.com in an attempt to pretend to be Bill Gates and scam people out of money.

I know the above example is overly simple and unlikely but I'm just trying to get the point across.
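As an added example (not code from the original post or any of the replies), here is a small Python check a receiving side can run on a sender address to flag domains that merely resemble a known partner domain, the miicrosoft.com-versus-microsoft.com case above. The trusted-domain list, the confusable-character table and the distance threshold are assumptions chosen for the example, and the edit-distance function is a standard Levenshtein implementation rather than anything from the thread.

```python
import unicodedata

# Constructed list of domains this organisation legitimately corresponds with
# (assumption for the example; in practice load it from the address book or CRM).
TRUSTED_DOMAINS = {"microsoft.com", "partner.example"}

# Small, illustrative table of look-alike substitutions (not exhaustive; assumption).
CONFUSABLE_PAIRS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"),                    # Cyrillic p, c
]


def normalize(domain: str) -> str:
    """Lower-case, Unicode-fold and collapse common confusables so that
    'rnicrosoft.com' and 'microsoft.com' compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".").lower())
    for lookalike, canonical in CONFUSABLE_PAIRS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain) for the domain part of an e-mail address.

    verdict is 'trusted'   (exact match with a known partner domain),
               'lookalike' (close enough to a trusted domain to be a likely impersonation),
            or 'unknown'   (no resemblance; handle under normal policy)."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # Trusted name reused as a subdomain of something else: microsoft.com.login.example
        if domain.startswith(t + ".") or norm.startswith(tn + "."):
            return "lookalike", t
        # Confusable swap, or a few inserted/deleted/changed characters (miiicrosoft.com).
        if norm == tn or levenshtein(norm, tn) <= max_distance:
            return "lookalike", t
    return "unknown", domain


if __name__ == "__main__":
    for addr in ["bill@microsoft.com", "bill@miiicrosoft.com", "bill@rnicrosoft.com",
                 "bill@microsoft.com.login.example", "news@unrelated.example"]:
        print(f"{addr:40} -> {classify_sender(addr)}")
```

The threshold of two edits is deliberately loose for long domain names and too loose for very short ones (abc.com versus abd.com would be flagged as look-alikes), so in practice scale it with the length of the trusted domain. The point of the check is the same one the thread makes: registering every misspelling is impossible, but a recipient can still notice that an address is "almost" a domain it trusts and apply the out-of-band verification step before money moves.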
 
Spoofing, pretty much by definition, is impossible to prevent. It's the cyber equivalent of many traditional cons where someone presents themselves as something they're not to extract something, typically money, from the target.

And you are very wise to tell your client that their email has NOT been hacked. Spoofing is just so common, and has been for years now, that I long ago stopped even telling people when I receive what is clearly a spoof email (and it is not that hard to learn how to very quickly identify a spoof).

I cannot imagine, why, EVER, anyone would hand over $50K on the basis of an email message alone. For heaven's sake, if you cannot be bothered to pick up the phone and call who you think is asking for the money BEFORE you hand it over, well . . .

This is a classic example of, "You can't fix stupid," on the part of the scammed at so many levels. And the person who was the spoofee needs to understand that this can, and likely will, happen again and there's nothing that can be done to prevent it.
 
The only thing I'd do is update all your MSP contracts right now, outlining this exact issue. Offer training and phishing testing, etc... they all sign off that you are not responsible. Then you have a backup if this happens again.
 
The final red flag was that after his client examined the email that was supposedly sent from my client he saw that the domain looked similar but was not the correct.
Which is why businesses should register domains that are very similar to their real domain, both to prevent this and so that your website pops up even if someone types a variation of it by mistake. I have like 38 domains for my business including misspellings, .org, .net, etc. Admittedly domains have gotten a lot more expensive in recent years but I still consider it money well spent.
 
The only thing I'd do is update all your MSP contracts right now, outlining this exact issue. Offer training and phishing testing, etc... they all sign off that you are not responsible. Then you have a backup if this happens again.

Not that I don't think updating the contract and offering training is a bad idea. But he's already not responsible.

Nothing he did, or did not do, has anything whatsoever to do with what occurred.

To be honest, anyone who isn't already "on the lookout" for phishing messages, and recognizing them, is really being willfully stupid or is living in a bubble. This has been going on for ages, and the solution to it, vigilance, has been well known for ages.

I've reached the point where I no longer think that "more is necessarily better" with regard to training, because it's just the same thing that most clients have most likely heard repeatedly over the years (and they continue to ignore it).
 
Which is why businesses should register domains that are very similar to their real domain, both to prevent this and so that your website pops up even if someone types a variation of it by mistake. I have like 38 domains for my business including misspellings, .org, .net, etc. Admittedly domains have gotten a lot more expensive in recent years but I still consider it money well spent.
This is a waste of time, effort, and money. There is no way on the green Earth you're going to buy all of the misspellings of your domain that would readily be misconstrued as you.
 
This is a waste of time, effort, and money. There is no way on the green Earth you're going to buy all of the misspellings of your domain that would readily be misconstrued as you.
Not to mention that when buying domains for a client, telling them you recommend buying at least the .net and the .org as well is usually met with an "ughhhhhhhhgghh how much is that now?" Oh, and I also recommend privacy for all 3 domains as well: "ughhhhhhhhh what is that cost now?"

The world is crazy to me. People spend $1500 every time a new iPhone comes out but when it comes to ANYTHING related to how they actually make money and what tools they use in their business they just groan.
 
The world is crazy to me. People spend $1500 every time a new iPhone comes out but when it comes to ANYTHING related to how they actually make money and what tools they use in their business they just groan.
Must be your clientele. I get people like this as well but the majority of my clients know how important their computers are when it comes to their business and spend accordingly.

This is a waste of time, effort, and money.
No, it's really not. When you buy as many domains as I do you can get them for about half off. I spend about $400/year in misspellings for my main business domain. Not only does this help when I'm talking to a client over the phone and trying to get them to go to my website and download my remote support agent, it prevents the issue stated by the OP.
 
This is not so much domain spoofing, but just phishing. Spoofing would be where they actually used your client's domain as the "from" address, but it actually came from another account. If you haven't already, set up SPF/DKIM to help prevent this.
As already said, protecting against a similar domain is near impossible. Buying similar domains seems futile to me; there will always be another option the scammers will use.
While you may be able to train your client about these situations, your client's client is not your responsibility. Who really hands over $50k without confirming, especially when I assume this just came out of the blue? Unless it was a thought-out scam and the client's client actually owed your client $50k and they copied the invoice style etc., but generally that would require some inside knowledge from either side, and if your client's side is secure then it's their client that is 100% responsible.
 
He explained that they had his signature which made it look more legitimate to the client,

The final red flag was that after his client examined the email that was supposedly sent from my client he saw that the domain looked similar but was not the correct. Example being miicrosoft.com instead of microsoft.com.

That is a classic, textbook example of "spoofing"...and it's often an important person who gets spoofed, such as the main finance person, or owner, etc. Hence the nickname "CEO impersonation".

Yes some of the bad guys really do their homework and will copy the email signature of the person they're spoofing.

Today's better spam filters are doing better jobs at preventing this. In an email, you have the "mailfrom" domain, aka "envelope", and the actual "header domain"..the actual mailbox it was sent from. Modern spam filters will label this as a "spoof" if they detect proper SPF and DKIM as well as DMARC records for the sender's domain. However, many recipients still use crappy email services with poor (or no) spam filters. So...you can't really do anything about that. And, although I believe in training clients...training your client won't prevent their email from being spoofed. You'd have to train every person who receives email from your client.

Microsoft's "Defender"....previously known as Advanced Threat Protection, has a VERY robust spoof intelligence system for incoming emails to your client. One of the many reasons we really only start with "Microsoft 365 Business Premium" for our clients. Or...if they have E3..tack on Defender plan 1 (which..you may as well just do M365BP).
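The two posts above draw the line between true spoofing (the client's own domain in the From header, message sent from elsewhere) and look-alike phishing, and describe the envelope "mailfrom" domain versus the header domain that SPF, DKIM and DMARC work on. As an added example, not code from the thread or from any filtering product it names, the Python below reads the Return-Path, From and Authentication-Results headers that a receiving mail server has already stamped and applies a DMARC-style relaxed alignment check: SPF only counts when the envelope domain aligns with the From domain, DKIM only when the signing domain (header.d) does. The two messages are constructed samples with invented .example domains, and the "organisational domain = last two labels" rule is a simplification (a real implementation consults the Public Suffix List).

```python
import re
import email
from email import policy
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organisational domain approximated as the last two labels (assumption for
    the example; real DMARC evaluators use the Public Suffix List, e.g. for co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address: str) -> str:
    """Domain part of a header like 'Bill Owner <bill@client.example>'."""
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate_alignment(raw_message: str) -> dict:
    """DMARC-style verdict from the headers the receiving MTA already added.

    Mail sent from an unrelated server can legitimately pass SPF for *its own*
    envelope domain; what exposes the spoof is that this domain does not align
    with the From domain the user sees, and nothing signed for that domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain_of(str(msg["From"] or ""))
    envelope_domain = _domain_of(str(msg["Return-Path"] or ""))
    auth = str(msg["Authentication-Results"] or "")

    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_d = re.search(r"\bheader\.d=([\w.-]+)", auth)

    spf_pass = bool(spf) and spf.group(1) == "pass"
    dkim_pass = bool(dkim) and dkim.group(1) == "pass"
    spf_aligned = spf_pass and org_domain(envelope_domain) == org_domain(from_domain)
    dkim_aligned = (dkim_pass and bool(dkim_d)
                    and org_domain(dkim_d.group(1)) == org_domain(from_domain))

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "dkim_domain": dkim_d.group(1) if dkim_d else "",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes when at least one mechanism both passes and aligns.
        "verdict": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed sample: genuine mail from the client's own server, signed for its domain.
LEGIT_MSG = """Return-Path: <bill@client.example>
Authentication-Results: mx.partner.example; spf=pass smtp.mailfrom=client.example; dkim=pass header.d=client.example
From: Bill Owner <bill@client.example>
To: ap@partner.example
Subject: Invoice 1042

Please find the invoice attached.
"""

# Constructed sample: From header borrows the client's domain, but the envelope
# belongs to another sender whose SPF passes only for itself, and nothing is signed.
SPOOFED_MSG = """Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.partner.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none
From: Bill Owner <bill@client.example>
To: ap@partner.example
Subject: Urgent wire instructions

Please wire the outstanding balance to the new account today.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)]:
        print(label, evaluate_alignment(raw))
```

Note what this check does not catch: a message from a look-alike domain the scammer registered (miicrosoft.com) carries that domain in From, envelope and DKIM signature alike, so it aligns perfectly and passes. That is exactly why the reply above calls the OP's case phishing rather than spoofing, and why SPF/DKIM/DMARC protect the client's own domain from being forged but do nothing for the recipient who trusts a similar-looking one.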
 
One thing to note in this case is that the person with the actual problem isn't the OP's client. The OP protected his client well from the attack the client thought happened and explained that his client was not at fault. Overall, the OP did what was needed. One thing I'd like to point out is that there's no need to get in the middle of something like what happened, no need to tell his client that the other guy was stupid or shouldn't have done something. These situations are good opportunities to turn on your sales hat and offer your assistance to the third party that got swindled.

You can point out to your own client that they are well protected because of everything you do for them, remind them that no protection is perfect and to never do what that third party did, and then ask if your client would be willing to introduce you to the third party to see if you can help them be better protected in the future. If you sour the relationship in any way, your client won't want to involve you and the third party won't want to talk to you.
 
If you sour the relationship in any way, your client won't want to involve you and the third party won't want to talk to you.

While I agree with everything you say, the subtext suggests that the client was pre-soured, or so it seems.

Sadly, clients are often looking for someone to blame other than themselves, or their own clients, and my gut tells me that's at play here. And if it is, you do not accept responsibility for something you are absolutely not responsible for.

Although I would never say this to a client, if this isn't a classic example of, "You can't fix stupid," writ large, then nothing is. Everything that any individual could possibly do wrong when they receive such an email was done wrong. Not picking up the phone, at a minimum, to call and ask, "Did you actually send me this?" was the first and biggest mistake. Handing over $50K without any sort of discussion and verification is just plain stupid.
 
The point above that Bri makes..."Verification"...is something we encourage our clients to make a standard "policy". If someone at a business gets one of those emails appearing to be from "their boss"...requesting <something> to do with money, follow that up by making a phone call, or better yet, get up out of your chair and walk down the hall and ask face to face. Yes sometimes "the boss" is out of the office, so..place a direct call, to their cell phone..and ask. Basically..."MFA that request to transfer/deposit/whatever....money".

I've seen some businesses have someone who fell for that, and I really sometimes agree with "You can't fix stupid". Some employee gets an email or text appearing to come from "the boss"...asking to purchase XXX amount of iTunes gift cards or something...and they go do it. Even though everyone working there knows for sure that "the boss" wouldn't have the slightest idea of what an iTunes gift card is or how to use it!
 
While I agree with everything you say, the subtext suggests that the client was pre-soured, or so it seems.

Sadly, clients are often looking for someone to blame other than themselves, or their own clients, and my gut tells me that's at play here. And if it is, you do not accept responsibility for something you are absolutely not responsible for.

Although I would never say this to a client, if this isn't a classic example of, "You can't fix stupid," writ large, then nothing is. Everything that any individual could possibly do wrong when they receive such an email was done wrong. Not picking up the phone, at a minimum, to call and ask, "Did you actually send me this?" was the first and biggest mistake. Handing over $50K without any sort of discussion and verification is just plain stupid.
Part of the problem is that this is genuinely hard for some people to comprehend what is going wrong let alone who is to blame.

One time I had to go old school and literally make a fake paper invoice and pretend to "mail" it to the "client" for the people in that office to understand what was going on. I opened my laptop in front of them, "stole" their logo from their website, made a fake invoice with incorrect remit instructions to one of their clients, put it in an envelope and handed it to one of the people in the office and said, "pretend you are the client and just got this." How can anyone prevent this? Then they understood. And years ago this kind of crime actually did happen. The internet just makes doing this far easier.
 
The point above that Bri makes..."Verification"...is something we encourage our clients to make a standard "policy".
I've been doing that for a while. The problem is the next layer/step which is outside of my, or any of our, ecosystem. Just like the OP. I've been preaching for several years to always follow up with a call on anything that involves any amount of money they deem to be significant. But that didn't stop the bookkeeper of a customer of mine. She received a poorly worded email in the middle of the night on a weekend asking for a dozen $1000 gift cards from Home Depot. Which she promptly ordered. This guy is a high end interior designer who wouldn't be caught dead or alive having anything to do with HD. And she knows that. Fortunately he got to the CC company in time to have it reversed.
 
I've been doing that for a while. The problem is the next layer/step which is outside of my, or any of our, ecosystem. Just like the OP. I've been preaching for several years to always follow up with a call on anything that involves any amount of money they deem to be significant. But that didn't stop the bookkeeper of a customer of mine. She received a poorly worded email in the middle of the night on a weekend asking for a dozen $1000 gift cards from Home Depot. Which she promptly ordered. This guy is a high end interior designer who wouldn't be caught dead or alive having anything to do with HD. And she knows that. Fortunately he got to the CC company in time to have it reversed.
The amount of common sense that was ignored there is mind-boggling. Who the f-ck pays major bills with gift cards? WTAF?
 
The amount of common sense that was ignored there is mind-boggling.

Agreed, but it was for all the examples so far offered.

And what makes me really POed is that there is an attempt to pass responsibility for the stupid actions to people who have nothing to do with the choice of whether or not to take those actions or actually taking them.

Your email service provider, MSP, etc., simply is not responsible for your falling for this stuff. And I know how authentic some of it appears - with emphasis on appears. There are SIMPLE steps you can take to ensure you're dealing with something genuine. That's no one's job but your own. Actions without due diligence can and do sometimes have very negative outcomes. But that due diligence falls on you (the generic you who's about to do something, BEFORE you actually do it).

As either Dear Abby or Ann Landers (I can't recall which) said years ago: No one can take advantage of you without your consent.
 