Yet another org that I volunteer with has had a hacker try to scam them out of money by spoofing an email that appeared to come from the executive director sent to the finance guy.
What many people don’t realize is that it is very easy to spoof an email. They don’t even need your password, because they never sign in as you at all. Most email systems will let you create a separate “send only” account with a custom display name and email address. This is useful if you want an email to come from Marketing <email@example.com>. Of course you don’t have to use marketing. You can use anything, even Drumpf <firstname.lastname@example.org>. And that’s exactly what these hackers do: the recipient sees a familiar name in the From line and never looks at the address behind it.
Some emails (like the one that this particular org received) try to get you to wire money to a bank account. Others are designed to look like a security message from Google, Microsoft, or Apple in an attempt to get you to go to a page that looks like an official password reset form, but is actually a forgery that looks legit on the surface. If you fall for it and type in your username and password, the bad guys will now have access to your account and will use it to do bad things. This is what happened to John Podesta. And also to the staff of the Reply All podcast.
So what can you do to protect yourself from spoofed emails? In a nutshell: be cautious. If this is someone you know well, you will notice if the wording or request in the email is out of the ordinary. And when in doubt—and especially when there are costly ramifications to getting it wrong—verify the email with the person using a different communication channel. This part is essential, as it is practically impossible for a hacker to have access to multiple communication channels of their target. I recommend talking to them in person or over video chat if possible. A phone call or audio chat is next safest. And a text message will suffice if the first two aren’t possible.
And for all unsolicited “please reset your password” emails you receive, go directly to the site by opening a new tab and typing the site into the address bar. Never, ever click a link in the message and then enter your password into that page. To help with this, I highly recommend using a password manager. It will never auto-fill your password into a site it doesn’t recognize. Just don’t defeat this protection by copying and pasting the password manually. 😉
If you would like an online training option for your employees so that they can learn best practices of online safety, I’ve heard good things about KnowBe4 (although I’ve never used it personally).