How Do Startups Fall Victim to Spoofing Attacks? | EasyDMARC

    How Do Startups Fall Victim to Spoofing Attacks?

    Billions of gigabytes of information are generated every day.  According to statistics, in 2020, 44 zettabytes of data were generated in digital form per day. Certainly, in the midst of information pollution, people need to be more careful about what information they consume.

    306 billion emails are sent daily!

    Of course, in a world full of data, the only thing we need to master is filtering this huge amount of information every day, so as not to miss out on the most important ones. Sometimes, we don’t have enough filtering and we don’t have enough time to analyze everything. This is where the problem arises and our ignorance can be a great opportunity for spoofing and phishing attacks. Therefore, in our reality email protection and security is getting more and more actual, and here comes DMARC – Domain-based Message Authentication, Reporting & Conformance. What is DMARC? It is specially created to help you deal with the problem.

    Ok, back to the main topic. Today, I am going to tell you a story about how I was on the verge of being scammed in my previous workplace. At that time, we didn’t know what DMARC was and how to ensure the authenticity of an email.

    How did the spoofer try to target me?

    Our team just launched our startup in 2019. Having achieved results in the local market, we set the course for a global launch. We started to implement the application in various projects and digital platforms. At that time, our company’s mailbox was literally exploding with the flow of emails. One day, we received an email from one of the Venture Capital companies (at least we thought so then). A very diligent guy with a pretty good speech contacted and informed us that “xyz” VC is interested in our startup and learned about us from the Gust Platform. We were introduced to that platform and everything seemed normal. In particular, they asked us to send a pitch deck. Definitely, we sent them our pitch deck and started learning about that company. What have we done?


    Let’s take a look at what happened, step by step:

    • First, like everyone else, we looked at the “From address” “[email protected]”.
    • So, this gave us information that the main domain is first positive result. We entered the website and found it to be a VC company with a pretty good portfolio.
    • We searched for the sender’s personal information to find out who has contacted us from that company: the second result – positive. The contact person was the head of the finance department.
    • Then, we tried to understand whether that company was represented in Gust Platform? Actual result – yes, it was.

    In general, everything seemed to be fine and the company that contacted us really existed. So, we continued negotiations. After a couple of emails, they informed us that they are ready to invest in our company. They sent us a couple of documents that needed to be signed for further cooperation. Fortunately, all the papers were carefully checked by our lawyers, and in fact, no dangerous lines were found. After signing all the documents, they told us that we need to insure the investment. Investment insurance “cost” a couple of thousand dollars.

    Since one of our co-founders was an insurance specialist, he completely abandoned the contract, as he said that we couldn’t pay for investment insurance, as this type of insurance doesn’t really exist. So, we then realized that we are actually dealing with a spoofer.

    What actually happened?

    Our company received an email from one of the Venture Capital company’s domains. We checked the “Header From” address.

    Thus, if the company were to secure their email and use SPF DKIM DMARC, the likelihood that we would encounter this problem should be lower. Here is an ultimate guide on how to implement DMARC with EasyDMARC.

    As a matter of fact, startups are also targeted by spoofers. Nevertheless, there is a key point in this story that we should pay attention to.

    Final Thoughts

    According to statistical data, 305 million startups are created annually. Most of them are actively looking for investments, and they are small teams with no legal or financial support. However, it is mandatory to know for real investors the history and financial stability of the company, which is why recommend investing in start-ups with reputable investment platforms. So, for the cases I have mentioned above, it is more likely they can be easily attacked by fraudsters. Thus, startups must be careful when dealing with “tempting offers”.

    Tips for Startups To Prevent Spoofing Attacks

    So, let us give you some tips when you are on the verge of making a decision to prevent spoofing attacks.

    • Carefully read the From Address;
    • Verify if the domain exists;
    • Review the content of the website;
    • Check the domain, whether the domain has SPF, DKIM, DMARC, if not, it is suspicious.

    On the other hand, investment companies must care about their email security and protection,  because they can harm not only their reputation but also a number of startups. Here is a step-by-step guide on how to set up DMARC, how to check SPF records, and how to set up and check DKIM records.

    Contact us today and let us take care of your online safety! 

    Be protected and stay safe!

    Technical Help

    Author: John Woodberg