How fraudulent email can look legitimate

Date: 30 May 2017 Author: Nikky Knijf

The onslaught of fraudulent email seems never-ending. Even as email security improves, new scams pop up every week. Luckily, there are (fairly) simple solutions to keep you and your company safe.

Vigilance, says Brian Pinnock of Mimecast MEA Sales and Engineering, is the best solution to avoid becoming a victim. It’s also important to educate yourself, he says. Yes, it might seem like effort, but like locking your front door, securing yourself online should be a habit.

Why, you ask? Simple: because the safer you are, the less likely you are to become a victim. And it’s crucial, because cyber-criminals aren’t easily caught.

The fraudulent email scam

In the past, email users had to be on the lookout for emails that took them to domains that resembled existing, well-known domains. These domains carry such a close resemblance to their legitimate counterparts that many users won’t realise they are counterfeit.

One example of fraudulent domain creation is swapping letters with numbers. An example:

  • (see the 1?); or
  • (or the rn?)
  • instead of the real

This seemingly small error is unnoticeable to most, especially when you’re accessing the website through a “legitimate” email.

Users would receive emails beckoning them to click through to these domains in an attempt to gain access to corporate networks or to commit fraud. But now criminals are getting creative and sending fraudulent email from completely legitimate domains.

Seems legit?

Recently, South African Finance Minister Malusi Gigaba posted a screenshot of a fraudulent email doing the rounds. Seemingly sent from the minister via the official Treasury domain, the email discusses the discovery of an escrow account with a balance of R126 million belonging to the email’s recipient. Needless to say, the email was not real. Criminals tried to get South Africans to “pay a fee” for the release of their purported windfall.

The ministry responded with an official statement, saying it would never request payments for its services. They would also never pay out funds to anyone, the ministry confirmed. “Origins of these scam notices and how individuals are targeted is continuously being evolved by criminals, and is an international phenomenon.”

But don’t think this cyber-crime is limited to highly skilled criminals with advanced systems. Even amateurs can gain access to an organisation’s legitimate domain. It is “laughably easy”, says Pinnock.

How does it happen?

“You don’t have to gain direct access to an organisation’s legitimate domain to create a spoof email that appears to come from that domain,” Pinnock explains. “There are numerous free tools on the Internet that allow a relatively unsophisticated person to firstly establish if an email name exists and what format that organization uses.” For example, does the company use or

After figuring out the email structure, a fraudster needs to establish the level of security of an email domain. Yes, there are free tools available to achieve this, therefore the fraudster will employ them. Pinnock explains that about two thirds of domains don’t use (even basic) DNS authentication. DNS (Domain Name System) authentication is a process of security checks that verifies inbound and outbound email. This helps to prevent unwanted and potentially harmful email landing in your inbox. Without DNS authentication, the fraudster can use a third free tool to spoof the domain.
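The DNS-based checks Pinnock refers to are published as TXT records (an SPF record on the domain itself and a DMARC policy under the `_dmarc` subdomain). The following is an added example, not code from the article or from Mimecast, that assesses whether a domain publishes those records and whether the policy is strict enough to reject spoofed mail; the domains and records are constructed sample data, and `lookup_txt` stands in for a real DNS TXT query.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real lookups).
SAMPLE_TXT = {
    "example-strong.test": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example-strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test"],
    "example-weak.test": ["v=spf1 include:_spf.example.net ~all"],
    "example-none.test": ["some unrelated verification token"],
}

# Stand-in for a DNS TXT query (assumption: in practice this would call a resolver).
def lookup_txt(name):
    return SAMPLE_TXT.get(name, [])

def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt_lookup=lookup_txt):
    """Return (spf_all_result, dmarc_policy, protected).

    spf_all_result: result the 'all' mechanism yields for senders not listed
    in the record, or None if no SPF record is published.
    dmarc_policy: the DMARC 'p=' value, or None if no DMARC record exists.
    protected: True only when SPF exists and DMARC enforces quarantine/reject.
    """
    qualifiers = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    spf_records = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    spf_result = None
    if spf_records:
        match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf_records[0])
        # An 'all' mechanism without an explicit qualifier means '+'; a record
        # with no 'all' mechanism at all evaluates to neutral for unlisted senders.
        spf_result = qualifiers[match.group(1) or "+"] if match else "neutral"

    dmarc_records = [r for r in txt_lookup("_dmarc." + domain)
                     if r.lower().startswith("v=dmarc1")]
    dmarc_policy = parse_tags(dmarc_records[0]).get("p") if dmarc_records else None

    protected = spf_result is not None and dmarc_policy in ("quarantine", "reject")
    return spf_result, dmarc_policy, protected
```

A domain that comes back with no SPF record and no DMARC policy is exactly the case the article describes: nothing tells receiving mail servers to distrust messages claiming to come from it.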

He explains that even in the case of more sophisticated fraudsters who use slightly more sophisticated systems, the principles remain the same.

How you can stay safe:

Pinnock says it’s not easy to be suspicious of everyone, if only for practicality’s sake. “…we all need to process a large volume of email every day and suspicion slows this process down.” Fraudsters also know this. Here are Brian Pinnock’s guidelines to staying safe from fraudulent email:

  • Don’t trust the displayed address of the sender. As explained above, it’s easy to spoof it.
  • Even if an email is addressed to you, it does not mean it is legitimate.
  • Hover your mouse over any links to check if the address looks problematic.
  • Be suspicious if an email contains a link to log on or update details on any website. Correspondence from financial sites like banks or the revenue service (SARS) can be fake.
  • Phone the sender to confirm that the transaction is legitimate, if the contents of the email reference a transaction you would not normally conduct or receive.
  • Don’t necessarily trust two-factor authentication. This too can be fake.
  • Avoid clicking on links in emails that have not been checked by e-mail security systems.
  • Avoid opening attachments in emails that have not been checked by e-mail security systems.
