Email fraud

A fraudster managed to email his way out of prison. Article here.

The amount of trust that a layperson puts into emails today is quite alarming. Email was first used in the 70s, when everyone knew everyone else on the network and trust was less of an issue than it is today. There used to be a "yellow pages" book which contained the names and email addresses of everyone in the world, just like a phone directory. Needless to say, such a thing is unimaginable today.

I like to use the analogy of physical addresses to explain domain names and emails to the layperson. If you look at the URL bar above, the domain name for my website is limbenjamin.com. Registering a .com address is analogous to renting a house and having a physical address. If a house is not available for rent or sale, you cannot own that physical address. Domain names work the same way: since limbenjamin.com is already taken, no one else can register that name unless I decide to sell or abandon it.

Certain domains are well known, such as google.com and whitehouse.gov. Similarly, certain addresses are well known, such as "10 Downing Street". Registering a name similar to google.com, such as goggle.com or goog1e.com, is very simple as long as it has not been taken, and it only costs about $10/year. It is equivalent to renting a house at "10 Drowning Street" or "10 Dawning Street", if it exists. Therefore, it is important to make sure that the domain matches character for character, as you would for a physical address.

Email spoofing has a physical equivalent as well. There is nothing stopping me from printing a letter with an official letterhead and putting "10 Downing Street" as the return address before dropping it off at a mailbox. Similarly, I can easily send out an email purportedly from obama@whitehouse.gov, and Gmail will place it straight in your inbox, not your spam folder. Technically, there is Sender Policy Framework (SPF), which prevents this from happening, but only a few domains use it and whitehouse.gov is not one of them.

In conclusion, email is simply not a secure mode of communication. Even if you have verified the domain name, it is still possible for someone to send out an email from a spoofed address. Organizations should look towards using SPF to protect against spoofed emails, while users should practice 2-way communication. When you reply to a message, it goes to the real obama@whitehouse.gov. Hopefully, someone there will respond and tell you that he did not send out the initial message.