E-mail spoofing can throw you off guard

Private equity players and corporate honchos are now taking the cyber attack route to clinch classified data pertaining to prospective deals from competitors. Security experts believe e-mail spoofing is being used to fish out information like valuations, and bids and tender documents are being employed to gain an upper hand. “Mail spoofing occurs in all sectors — banking, pharma, biotech, stock markets or IT. But mostly, it’s being used to hurt someone financially,” says cyber lawyer Pavan Duggal. ET spoke to people across segments, but no one was willing to discuss specific cases or names Here’s how it works. If you are a CEO bidding for a large acquisition, your competitor may lay his hands on sensitive deal data by faking your e-mail address. In e-mail spoofing, the sender’s address in the e-mail header is altered so as to appear as if the mail originated from a different source. So, a genuine-looking communication — bearing the mail ID of the CXO or persons acting on the deal — is shot to an investment banker asking for critical data or a re-evaluation with certain clauses attached. Generally, private equity firms or investment bankers privy to the deal are attacked with such mails.
It’s very easy to spoof a mail. “Fake mail IDs can be made through four means,” says Captain Raghu Raman, CEO, Mahindra Special Services Group. One can visit sites like mail.com and choose a domain name of choice. Second, by changing the ‘From, Return-Path and Reply-To’ fields, one can make the e-mail appear to be from a different source. Third, one can stop mails during transition, make changes and then route them to a particular destination. Else, mails coming from a particular ID can also be routed to another ID. Lastly, a hacker can send a mail such as admin@companyname.com asking to reply back with certain information.
“Not only mails, but text messages are also being spoofed. Very recently, I received a message bearing a spoofed name which did not exist in my phone book,” says Srikiran Raghavan, regional head, RSA Security.
Interestingly enough, wives are also using mail spoofing to get divorce. A Delhi-based woman recently accessed sex sites from fake IDs of her husband and used it as a prelude to file a divorce case. The matter is sub judice.
But experts offer a way out. To prevent mail spoofing, the IT infrastructure should use PKI (public key infrastructure) that provides for trusted third party verification of user identities during exchange of mails, they say. Under the current IT laws, cyber spying may land you in jail for two years with a fine of up to Rs 2 lakh. “In the IPC, it comes under crimes relating to cheating and falls under Section 415-420. But sadly, under both the IT Act and the IPC, the crime is bailable,” a senior lawyer said.