A Few Ways to Mitigate Email Spoofing
Spoofing
The majority of our phishing attacks begin with spoofing or impersonation, where an attacker sends and email pretending to be someone else. Sometimes these are sloppy, other times they are incredibly professional and polished. People fall for both the sloppy ones and the polished ones. Common examples include:
An email from schoolprincipal@gmail.com requesting that you buy a visa gift card and send them the card number and pin via email
An email impersonating you sent to your schools payroll/bookkeeping folks requesting a change to your direct deposit information
A few ways to mitigate spoofing:
1) Not publicly posting staff email addresses. This isn't always a popular choice, but using external messaging systems like your school's LMS instead of publicly posting email addresses VASTLY decreases your attack surface. It's up to your district to decide if the reward of posting addresses is greater than the risk of attack it presents.
2)Adding a bold header to all mail entering your system from outside your domain.We used to post a very dainty "warning" at the bottom of emails from external senders, but it was seldom noticed. We've since start going big and bold. There was zero cost to implement this using mailflow rules in our email server, but the payoff is huge. It also gives users power and confidence by knowning when to be skeptical.(More details on can be found under the "Mail Rules" tab)
3)Restrict student email accounts to internal sending and receiving only.This is another simple way to reduce attack surface. This is also achieved through a simple mail flow rule, and we make this sort of "closed campus" setting our default. Over time, there may be external sites students need to receive email from (College Board is a common example around ACT time), but this are easy to manage as exceptions in the mail flow rule.
4)Configure mail security protocols.This will take some research, but implementing SPF, DKIM, and DMARC in your mail system makes it hard for attackers to forge emails and makes it easy for you to block their arrival. These aren't very intuitive to set up (especially if you have a lot of subdomains), but there is ample documentation online for setting up for Google and Microsoft mail systems.
SPF - Sender Policy Framework: Configuring SPF hardens your DNS servers to restrict who can send mail using your domain, thus helping prevent spoofing.
DKIM - DomainKeys Identified Mail: Configuring DKIM insures the contents of your mail messages aren't tampered with
DMARC - Domain-based Message Authentication, Reporting, Conformance: DMARC ties SPF and DKIM together, and also force the "FROM:" header in an email to match the sender's domain. Even though this greatly reduces spoofing, it's configured in less than 10% of colleges and universities (citation needed).
5)Block Logins from Unauthorized Countres.This isn't strictly a spoofing concern, but it could prevent trouble if an account is breached. In a average 24-hour period in my district, 16% of login attempts come from countries outside the US. Without this restriction, we could potentially have 16% of our logins coming from attackers who've compromised user credentials. While this should be a basic feature, this is sometimes a premium feature for depending on mail services (looking at you, Microsoft).
6)If your email provider has scanning services, use them.In addition to making sure there are policies configured and enabled to scan for and quarantine phishing emails, take a look at these. Get a feel for what types of phishing emails are coming to your folks and work it into your Security Awareness training. If possible, also give users a way to report Phishing emails themselves, and if your platform has an option to review those user-flagged messages, do it! Also, try to remember to give out pats on the back to teachers who are vigilant in reporting phishing. If your platform doesn't have this ability, Knowbe4 offers a free Phish Alert button. Sure, you'll be stuck talking to a very persistent rep, but it's a solid tool and easy to implement and use. Plus, my rep there is a good dude, so I don't mind when he bugs me.
7)Prevent auto-forwarding of emails to external domains.Some tech-savvy users may complain about this one, but preventing auto-forwarding of emails outside of your domain can help stop the bleeding when an account compromise has occurred. I've observed multiple times when a user has had an account compromise and changed their password, but because the attacker set up a mail forwarding rule to send copies of all their mail to the hackers email they've continued to leak sensitive information. Creating a mailflow rule to stop this is an easy way to stop this. As a bonus, if your mail admin account is set up to receive notifications for forwarding, seeing an attempt at setting up forwarding could help tip you off to a compromised account.(More details on can be found under the "Mail Rules" tab)