What do United Airlines and footballer David Beckham have in common? Disastrous leaked emails. In these recent cases, the leaked emails appear to be legitimate, though Beckham claims some of the leaked emails were “doctored.” But how do we know that leaked email messages discussed in news stories and tabloid columns are actually authentic?
United Airlines’ PR Nightmare
United Airlines’ CEO Oscar Munoz appears to have dug himself into a deep hole when his leaked email to employees was published, describing his perspective on a recent incident in which an elderly paying passenger was violently dragged off a United flight to make room for standby crew. In this leaked email, Munoz appeared to blame the 69-year-old doctor who was dragged off a UA flight, calling him “disruptive” and “belligerent” and suggesting that United Airlines did nothing wrong. His unapologetic stance contributed to some calling this one of “the worst corporate gaffes ever”, referring to how the airline’s lack of sympathy for the victim invited boycotts and widespread protests around the world and throughout social media.
In this case, the leaked email turned out to be authentic. However, it would have been extremely easy for a criminal to forge an email from Munoz and then leak it to the media. If the fake email creates a bad enough impression when initial media reports come out, it could bring down UAL’s stock price just long enough for an investor to cover a short position or buy shares at an artificially low price. This market manipulation is clearly illegal, but because it could be difficult to trace the culprit or beneficiaries of such manipulation, it is a plausible scenario.
Knighthood Not Happening for Beckham
Earlier this year, British soccer superstar David Beckham was the victim of embarrassing email leaks that purportedly demonstrated the extreme measures he took in the hopes of receiving a knighthood from Queen Elizabeth. These emails were so embarrassing that it is difficult to believe they were actually real – in fact, Beckham claims some were doctored and others were taken out of context. Messages also revealed that Beckham refused donation requests from UNICEF, even though he was expected to donate while serving as a UNICEF ambassador. The emails were not hacked from Beckham directly, but from the server of his close friend, a public relations executive. The irony!
In this case, the leakers tried to blackmail Beckham for £1 million. Regardless of whether Beckham’s claims that some of the emails were faked are true, one can easily understand why the leakers would have an incentive to fake email content. The more damaging the email content, the greater their asking price when blackmailing. The beauty of this scam, from the scammer’s perspective, is that there is no practical way to prove Beckham didn’t send those emails.
Spoofing – So Simple, it’s Scary
Creating an email that appears to be from someone else is called spoofing. And it’s incredibly easy to do. There are step-by-step instructions available online. You’ll need access to an open mail relay, an SMTP server that can create emails that appear to be sent from any server including www.wellsfargo.com, www.united.com or www.bbc.com. Next, you can create a message and target the recipients. If sending a spoofed email to a single known recipient isn’t enough, you can perhaps guess the workgroup email addresses within a company by studying the syntax of known corporate email addresses. With a little luck and persistence, you can send a spoofed email message to the entire marketing, sales or finance department of a target company. Note, we are NOT suggesting that you try any of this — we are merely illustrating how easy it is to do.
Spoofing is also a key part of Business Email Compromise (BEC) attacks, also known as “spear phishing” or “whaling” (when targeting company executives or wealthy individuals). This threat involves the use of imposter emails to lure target recipients into wiring funds to bank accounts controlled by Internet criminals.
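A receiving-side check for the spoofing described above, as an added example that is not part of the original article and is not RMail's implementation: it flags a message whose visible From domain does not match its Return-Path or Reply-To domain, or that lacks a DMARC pass stamped by the recipient's own mail server. The sample messages, the domain names and the trusted server name mx.recipient.example are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(a, b):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def imposter_signals(raw, trusted="mx.recipient.example"):  # assumed authserv-id
    """Return reasons not to trust the visible From address (empty = none found)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    if not from_dom:
        return ["no parseable From address"]
    signals = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and not aligned(from_dom, dom):
            signals.append(f"{name} domain {dom} != From domain {from_dom}")
    # Believe only results stamped by our own server; a sender can add its own copy.
    verdict = "none"
    for header in msg.get_all("Authentication-Results") or []:
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() == trusted:
            found = re.search(r"\bdmarc=(\w+)", results, re.I)
            verdict = found.group(1).lower() if found else verdict
    if verdict != "pass":
        signals.append(f"dmarc={verdict}")
    return signals

# Constructed sample messages (headers only, not real mail).
GENUINE = """\
Return-Path: <ceo@airline.example>
Authentication-Results: mx.recipient.example; dkim=pass header.d=airline.example; dmarc=pass header.from=airline.example
From: "Chief Executive" <ceo@airline.example>
"""
SPOOFED = """\
Return-Path: <bounce@bulk-relay.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-relay.example; dmarc=fail header.from=airline.example
Authentication-Results: mx.sender-controlled.example; dmarc=pass
From: "Chief Executive" <ceo@airline.example>
Reply-To: ceo@airline-mail.example
"""
print(imposter_signals(GENUINE), imposter_signals(SPOOFED))
```

An empty result means only that these header checks found nothing at delivery time; it cannot show whether a copy circulated later was edited.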
An Ounce of Prevention
The best way to prevent email leaks is to encrypt your messages and require a password for your recipient to open them. That way, the messages stay encrypted in the recipient’s inbox. If your emails are not easily accessible by hackers, or if you can show that you typically don’t send sensitive information in plain text, cybercriminals are likely to move on to their next target.
Although it is difficult to prove that a fake email didn’t really come from you, sometimes providing evidence of what you did send can help (if it contradicts what the fake email says). Send your important correspondence with RMail, and you’ll automatically receive a Registered Receipt™ email record proving every critical detail of your email correspondence, including fact of delivery, time of delivery, and exact message content.
If you or your business is at risk of being targeted with a BEC or whaling attack involving the use of spoofed “imposter” emails, consider using RMail’s anti-whaling imposter protection feature, which alerts you when an email you’ve received might be an imposter email.