How To Protect Your Small Business From Spoofing

Posted by Karen Erdelac on Nov 19, 2025

An email lands in your finance team's inbox. It's from you, the CEO, with an urgent request to wire funds to a new supplier. The email address looks right, your signature is there, and the tone is spot on. The only problem? You never sent it. This is a classic example of spoofing, a cyberattack where criminals disguise their communication (an email, a phone call, or a website) to look like it comes from a trusted source. Here are a few strategies you can use to protect your small business.

1. Implement Email Authentication Protocols

One of the strongest technical defenses against email spoofing is to publish the three email authentication standards for your domain. They work together to let a receiving mail server verify that a message really comes from the domain it claims to come from (the protocols authenticate domains, not individual people).

  • SPF (Sender Policy Framework): A DNS TXT record listing the mail servers authorized to send on behalf of your domain. When a server receives a message, it looks up the SPF record for the domain in the message's envelope sender (the bounce address, which is not necessarily the visible "From" line) and checks whether the connecting server's IP address is on the list.

  • DKIM (DomainKeys Identified Mail): Your outgoing mail server signs each message's headers and body with a private key; the matching public key is published in DNS under a selector for your domain. The receiving server uses that public key to confirm the message was signed by your domain and has not been altered in transit. (The signature is not encryption; the message itself stays readable.)

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): A DNS record that ties SPF and DKIM to the visible "From" domain (called alignment) and tells receivers what to do with a message that passes neither aligned check: p=none (deliver it and only report), p=quarantine (send it to spam), or p=reject (refuse it). DMARC also asks receivers to send you aggregate reports, which show who is sending mail as your domain, including legitimate third-party services you forgot to authorize.

Setting up these records can seem technical, but most email hosting providers publish the exact values to add, and they go into your DNS host's control panel. Start with p=none, read the reports for a few weeks, then move to quarantine and finally reject once every legitimate sender passes.
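To make the three records concrete, here is an added example that is not from the original post or from any provider's documentation: constructed DNS TXT records for a hypothetical domain, example-biz.com, and a minimal Python evaluator that applies SPF and the DMARC alignment rule the way a receiving server does. The domain, IP addresses, selector name, DKIM key text and the bulkmailer.example sender are all invented placeholders. Real DKIM verification needs the signed message and the key, so the DKIM result is passed in as an input here.

```python
import ipaddress

# Constructed DNS TXT records for the hypothetical domain example-biz.com.
# IPs are from documentation ranges; the DKIM p= value is a truncated
# placeholder, not a real public key.
DNS_TXT = {
    # SPF: servers allowed to send for the domain; "-all" hard-fails the rest.
    "example-biz.com":
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    # DKIM: public key at <selector>._domainkey.<domain>; signed mail names both.
    "mail._domainkey.example-biz.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...",
    # DMARC: policy for mail that passes neither aligned check, plus reporting.
    "_dmarc.example-biz.com":
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-biz.com; adkim=r; aspf=r",
    # An unrelated bulk sender with its own SPF record, used in the demo below.
    "bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sending_ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate `domain`'s SPF record against the connecting server's IP.

    Handles ip4, ip6, include and all, which is what most small-business
    records use. `include` is resolved from the local dict; a real receiver
    does DNS lookups (RFC 7208 limits those to 10 per check).
    """
    record = dns.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and spf_check(sending_ip, value, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) accepts
    subdomains. Organizational domain is simplified to the last two labels;
    real implementations consult the Public Suffix List (think co.uk)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a.split(".")[-2:] == f.split(".")[-2:]


def dmarc_disposition(from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, dns=DNS_TXT):
    """What the receiver should do with a message, given its SPF and DKIM
    results. DMARC passes if EITHER check passed AND its domain aligns with
    the visible From domain; only a message failing both gets the p= policy."""
    record = dns.get("_dmarc." + from_domain)
    if record is None:
        return "none"  # no DMARC record published: nothing to enforce
    tags = parse_dmarc(record)
    if (spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])) or \
       (dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])):
        return "pass"
    return tags.get("p", "none")  # "none", "quarantine" or "reject"


def demo():
    """Three messages whose visible From is ceo@example-biz.com."""
    d = "example-biz.com"
    return {
        # Sent by the authorized server and DKIM-signed with the domain's key.
        "legitimate": dmarc_disposition(d, spf_check("203.0.113.7", d), d, "pass", d),
        # CEO fraud: attacker's own server, not in SPF, no key to sign with.
        "forged": dmarc_disposition(d, spf_check("192.0.2.99", d), d, "fail", d),
        # SPF passes for the bulk sender's envelope domain, but that domain does
        # not align with From and there is no DKIM signature: policy applies.
        "unaligned": dmarc_disposition(
            d, spf_check("198.51.100.25", "bulkmailer.example"),
            "bulkmailer.example", "none", "bulkmailer.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the forged CEO message comes back as reject while the legitimate one passes. The third case is the one that trips up small businesses: a newsletter or invoicing service whose SPF passes on its own envelope domain still fails DMARC unless it either DKIM-signs with a key under your domain or uses a return path under your domain, which is exactly what the aggregate reports reveal before you move to p=reject.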

2. Train Your Employees To Be Skeptical

Your employees are your first line of defense. No amount of technology can protect against human error if your team isn't trained to spot the red flags of a spoofing attempt. Regular security awareness training should be a non-negotiable part of your business operations. Cover these key areas:

  • Urgency and Pressure: Teach employees to be wary of emails that create a sense of extreme urgency or pressure them to bypass standard procedures.

  • Unusual Requests: Instruct them to question requests that seem out of the ordinary, such as wiring money to a new bank account or sharing confidential data via email.

  • Check the "From" Address: Show them how to inspect the sender's full email address, not just the display name. Mail clients, especially on phones, often show only the display name, so "Your CEO" can sit in front of any address at all. Attackers also register domains that are one typo away from yours (e.g., ceo@yourcompnay.com instead of ceo@yourcompany.com); email authentication does not stop this, because the lookalike is a real domain the attacker controls and can authenticate.

  • Beware of Links and Attachments: Remind your team to hover over any links to see the actual destination URL before clicking and to never open attachments from unknown or suspicious senders.
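The From-address checks above can also be automated at the mail gateway or in a triage script. The following is an added example, not part of the original post: the company domain yourcompany.com, the executive name, the homoglyph table and the four sample messages are constructed for illustration, and it assumes the inbound mail server stamps an Authentication-Results header carrying the DMARC verdict.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "yourcompany.com"                          # assumed company domain
KNOWN_SENDERS = {"alex rivera": "ceo@yourcompany.com"}  # assumed executive

# Character swaps attackers use because they look alike in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def edit_distance(a, b):
    """Levenshtein distance; small values flag typo-squats like yourcompnay."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def looks_like_our_domain(domain):
    """True for domains that are not ours but are built to pass as ours."""
    if domain == OUR_DOMAIN:
        return False
    folded = domain
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded == OUR_DOMAIN or edit_distance(domain, OUR_DOMAIN) <= 2


def screen(raw_message):
    """Return the list of red flags found in one message's headers."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    flags = []

    # Display-name spoofing: a known executive's name on some other address.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and address.lower() != expected:
        flags.append(f"display name '{name}' but address is {address}, not {expected}")

    # Lookalike domain: not ours, but one typo or homoglyph away from it.
    if looks_like_our_domain(from_domain):
        flags.append(f"lookalike domain {from_domain}")

    # Exact-domain spoofing: our domain in From, but the gateway's DMARC
    # verdict (assumed to be in Authentication-Results) was not a pass.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == OUR_DOMAIN and "dmarc=pass" not in auth:
        flags.append("claims our domain but did not pass DMARC")

    # A Reply-To elsewhere silently redirects the whole conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"replies would go to {reply_to}")
    return flags


# Constructed sample messages (headers are all the screen needs).
SAMPLES = {
    "legit": (
        "From: Alex Rivera <ceo@yourcompany.com>\n"
        "Authentication-Results: mx.example; spf=pass dkim=pass dmarc=pass\n"
        "Subject: Q3 budget\n\nSee attached.\n"),
    # The attacker owns the typo domain, so it even passes authentication.
    "typosquat": (
        "From: Alex Rivera <ceo@yourcompnay.com>\n"
        "Authentication-Results: mx.example; spf=pass dkim=pass dmarc=pass\n"
        "Subject: URGENT wire\n\nPay the new supplier today.\n"),
    "display_name": (
        "From: Alex Rivera <alex.rivera.exec@freemail.example>\n"
        "Reply-To: <a.rivera@othermail.example>\n"
        "Subject: quick favour\n\nAre you at your desk?\n"),
    "exact_spoof": (
        "From: Alex Rivera <ceo@yourcompany.com>\n"
        "Authentication-Results: mx.example; spf=fail dkim=none dmarc=fail\n"
        "Subject: wire\n\nWire funds now.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, screen(raw))
```

The typosquat case is the instructive one: every authentication check passes, because the attacker configured SPF and DKIM for the domain they registered, so the only thing that catches it is comparing the domain to yours. The exact-domain case is the reverse: the address is perfect, and only the DMARC verdict from the gateway exposes it.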

3. Establish A Verification Process

To counter requests for sensitive actions, create a mandatory verification process that relies on a different communication channel. For example, if an employee receives an email from the "CEO" asking for an immediate wire transfer, your policy should require them to verify the request in person or by calling the CEO at a known, trusted phone number.

Do not use the contact information provided in the suspicious email. This step can prevent significant financial loss. This process should be documented and communicated to all relevant team members, especially those in finance and HR.

4. Secure Your Website With SSL/TLS

If you have a business website, especially one that collects user information or processes payments, secure it with a TLS certificate (still commonly called an SSL certificate). TLS encrypts the traffic between a visitor's browser and your server, so an attacker on the path cannot read or alter it, and it stops browsers from labeling your site "Not secure".

Be clear about what the padlock icon and "https://" actually prove, though: only that the browser has an encrypted connection to a server holding a valid certificate for the domain shown in the address bar. Certificates are free and automated, so a spoofed copy of your site on a lookalike domain will show a padlock too, and some browsers have stopped showing a padlock at all. Train your employees and encourage your customers to check that the domain in the address bar is exactly yours before entering sensitive information; a missing padlock is a reason to stop, but a present one is not proof that the site is legitimate.

5. Use Multi-Factor Authentication (MFA)

Multi-factor authentication adds a necessary layer of security to your accounts. Even if a spoofed message tricks an employee into revealing a password, MFA can stop the attacker from logging in with it.

MFA requires at least two different kinds of proof at login: something you know (a password), something you have (a code from an authenticator app, or a physical security key), or something you are (a fingerprint or face scan). Not all second factors are equal: one-time codes and push prompts can be relayed through a fake login page or approved under the same pressure that spoofing relies on, while FIDO2 security keys and passkeys are bound to the real site's domain and cannot be replayed to a lookalike. Enforce MFA across all critical business systems, including email, financial software, and cloud storage, and prefer the phishing-resistant options for finance and administrator accounts.

Quikstone Capital Solutions has officially reached its 20th anniversary, a moment that reflects two decades of dedication to supporting small businesses across the country. If you need cash for your business, contact us today. We have only one goal: to help your business succeed.
