Email phishing using domain spoofing

In January 2023, one of our clients reported that a scammer had registered a domain that looked similar to the client’s own and was using this spoofed domain to send fake invoices, containing the scammer’s bank account details, to our client’s clients.

As an example, assume the client’s website had the word ‘group’ in it, like sapnagroup, and the scammer had registered the same name with the ‘o’ and ‘u’ in group switched around, i.e. with ‘gruop’ instead of ‘group’. This type of attack is called ‘Email Phishing’ using ‘Typosquatting’, where scammers register misspelled versions of your domain name and exploit them either for website traffic or for email spoofing.

On checking, we found that the domain had been registered recently and that the WHOIS details were masked. We advised the client to report the phishing domain to the domain registrar.

What can one do to prevent this?

Unfortunately, there isn’t a way to stop domain spoofing in email. Companies can add more verification to the emails they send via DMARC, DKIM, and other protocols, but external parties can still send fake emails using their spoofed domain without this verification.

Users should be more cautious and scrutinize email addresses for any extra letters or numbers. In particular, look for characters that are easily mistaken for others, such as lowercase Ls and capital Is. This becomes even more important if the email is related to payments, as you may be tricked into making a payment to the scammer’s account.
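The manual check described above can also be automated on the receiving side. The sketch below is an added example, not code from the original post: it compares a sender's domain against a list of known-good domains and flags swapped letters (the ‘gruop’ case) and easily confused characters. The domain `sapnagroup.example`, the function names and the edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: replace with the domains you actually do business with.
TRUSTED = {"sapnagroup.example"}
# Characters easily mistaken for others, folded to one representative.
# Input is lowercased first, so capital I and lowercase l both end up as "i".
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def skeleton(domain):
    """Reduce a domain to a form in which look-alike characters compare equal."""
    return domain.lower().translate(CONFUSABLE)

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "uo" typed for "ou".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header, trusted=TRUSTED, max_edits=2):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return ("lookalike-characters", good)
        if osa_distance(domain, good) <= max_edits:
            return ("lookalike-typo", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Accounts <billing@sapnagroup.example>",
                   "Accounts <billing@sapnagruop.example>",
                   "Accounts <billing@sapnagr0up.example>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a reason to hold the message for manual review, especially when it carries an invoice or changed payment details.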

Users should also ideally confirm important actions verbally, such as instructions on an invoice to change bank information.