October 9, 2019

How can a company respond to impersonators spoofing its email addresses?

Hypothetical:  

Your company is a large retailer with numerous brands, subsidiaries, and customer relationships with major outlets.  One day, you hear from one of your customers asking you to confirm the details of a suspicious email they received, purporting to be from you, asking for money related to a recent deal.  You and your IT team examine the email and see that while the domain in the email address looks similar to yours, there are small differences that would be easy to miss.  The next day one of your subsidiaries alerts you that they received a similar email from the same address also asking for money.  What do you do?

Key Considerations:

  • Weigh communications with customers, subsidiaries, and partners.  Arming your partners and customers with knowledge that a spoofing campaign is underway may be the most effective way to limit any damage.  However, there are some considerations you should weigh.  For example, the timing and accuracy of any such communications will be critical to maximizing their usefulness.  An adequate warning is likely to help prevent the damage the bad actors are trying to cause much more quickly than you can identify and attack the source of the problem, but reacting without all the relevant information may be more harmful than helpful.

  • Verify the threat is external.  It may appear that fraudulent emails coming from an independent domain are a purely external threat.  However, the attackers might have gained access to portions of your network for the purpose of gleaning information, including contact information, to target and shape their attacks.  Enlist the help of your IT and security teams to determine whether there have been any intrusions into your network and, if so, their extent.

  • Investigate the source.  Using online look-up services, your IT or security team can likely determine what service providers are hosting the fraudulent email address, domain name, and other key inputs to the spoofing campaign.  Such malicious activities violate most of these providers’ terms of service, and many providers have procedures for contesting the validity of, and removing, customers who are violating their terms.

  • Determine whether you need outside help.  Depending on your in-house capabilities, your IT and security teams may be able to respond to such an incident.  If your teams are relatively small, or do not have sufficient experience handling such matters, it may be helpful to retain outside forensic investigators through outside counsel. 

  • Consider involving law enforcement.  Reaching out to law enforcement may be necessary for insurance purposes, may be required under certain legal regimes, may protect against liability, and may provide the necessary tools to stop the attack.  However, any contacts with law enforcement should be discussed with your counsel who can advise you on any potential pitfalls.