GovTransfer Email Checker

Ever received an email and questioned the legitimacy of the requestor? Have you ever done your research and found out it was an impersonator (bad actor)?

Receiving requests from a bad actor can be quite unsettling. Who were they really? What did they intend to do with the files they requested? Are they sending requests to other agencies that might not be as diligent in their research? These attempts to appear legitimate are a common form of phishing and are categorized as a social engineering attack.

Government agencies have methods by which they attempt to verify requestors. We’ll highlight some of the common methods below and show you why they aren’t individually effective. The lack of options available and the risk posed by a mistake are the driving forces for us building GovTransfer.

6 Ways agencies attempt to verify senders/requestors

1. Checking the requestor’s domain from their email address

One of the common ways a government entity verifies requestors is by looking at the domain in the requestor’s email address. Matching this against the primary website of the requestor’s organization is an effective method, but it has its limitations.

Beware of a redirect! The domain of an email address is the part that comes after the @ in an email address. If you copy/paste that into a browser, it will often take you to that organization’s website. Use extreme caution if your web browser resolves to a different domain. For example, let’s say you receive a request from dstarsky@baycitypd.com. You copy “baycitypd.com” into your browser, but you land on cityofbaycity.org. The switching of domains is what’s called a redirect. Redirects are very common and often used for legitimate reasons. Police departments commonly have their own domain for sending/receiving emails, but they still use the city’s domain and website. If you see a redirect happen, don’t necessarily rule them out, but don’t simply trust them because you landed on their website either. In this case, you’ll need to do some more digging.

2. Reviewing the display name on the email

When you send an email, depending on your email client, the display name is what shows up instead of the full email address. You can pick any display name you want; there is no verification or requirement for it to be ‘correct’. Always look at the underlying email address.

3. Require Letterhead

Another strategy is to compel requestors to send their requests on letterhead for authenticity. Bad actors do not need to break a sweat before faking a letterhead. Many organizations have posted official documents on their website using their organization’s letterhead. A public records request to the organization will likely be returned on letterhead. Even if the requestor does send their request on official letterhead, do you actually have anything to compare it against? Requiring letterhead does little to stop bad actors and creates an additional burden for your legitimate requestors.

4. Direct phone calls

Direct phone calls are the best method, but also the most time-consuming. This approach will work if you are sure that it is the actual organization’s phone number you’re calling. So, first and foremost, find out the correct phone number of the organization. DO NOT trust the phone number in the email. The main drawback to this method is having to work your way through the phone tree.

5. Requests via teletype

We might be dating ourselves a bit here, but some organizations still rely on teletype for verification. While effective for verification, the drawback here is that the users of this system are few and dwindling.

6. Request an ORI number

For requests from Law Enforcement Agencies, it is common to require the requestor to provide their ORI number. Please! Please! Please don’t trust this method. Unfortunately, these numbers are now available using a simple Google search. Requiring an ORI number will not stop a bad actor.

Bonus Tip

With the way email was built, it is actually possible to send an email from anyone else’s email address. Crazy, right? It’s true. If/when the person responds, the imposter won’t get the email, but this can still be used against you.

Imagine receiving an email from a legitimate email address, one that you know and trust. Moments later, your phone rings and the caller/sender (imposter) references the email that they just sent you. You know the email address and the domain, so naturally, you trust the caller. This scenario could be the start of a very sophisticated social engineering attack. From here, the attacker may ask you to send the records to a different email address or suggest that you upload the files to a ‘secure’ link provided in the email.
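
A header check covering items 1 and 2 and the Bonus Tip, as an added Python example (not GovTransfer's code): it reads the real address behind the display name, the Reply-To domain, the DMARC verdict recorded by your own mail server, and the site you landed on. The sample message, the `.example` domains and the `triage` helper are constructed for illustration; the DMARC check goes beyond what the article names and assumes your mail server adds an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message; the .example domains are made up.
SAMPLE = '''\
From: "dstarsky@baycitypd.com" <dstarsky@baycitypd-mail.example>
Reply-To: records.desk@freemail.example
To: clerk@agency.example
Subject: Records request
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=baycitypd-mail.example; dmarc=none header.from=baycitypd-mail.example

Please send the requested files.
'''

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def domain_of(address):
    """Return the lower-cased part after the last @, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def triage(raw, landed_on=""):
    """Return findings for one raw message (hypothetical helper, no network calls).

    landed_on: host your browser ended up on after entering the sender's domain.
    """
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    findings = []
    # Item 2: the display name is free text and may show a different address.
    for shown in ADDR_RE.findall(display):
        if shown.lower() != address.lower():
            findings.append(f"display name shows {shown} but sender is {address}")
    # Bonus Tip: replies steered to a different domain than the sender's.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"replies go to {reply_domain}, not {sender_domain}")
    # Bonus Tip: From can be forged; look for a DMARC pass stamped by your server.
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not dmarc or dmarc.group(1).lower() != "pass":
        findings.append("no DMARC pass recorded for the From domain")
    # Item 1: a redirect calls for more digging; it is not proof either way.
    if landed_on and landed_on.lower().removeprefix("www.") != sender_domain:
        findings.append(f"{sender_domain} redirects to {landed_on}")
    return findings
```

Each finding is a reason to verify by phone through a trusted number, not a verdict on its own.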

Conclusion

1. Never trust the phone number provided in the requestor’s email.

Take a moment to find the phone number through a different, trusted source.

2. Never trust the display name in the requestor’s email.

Bad actors are experts at what they do; they can set the display name on their emails to depict the name of the organization they intend to impersonate.

Don’t be quick to conclude that a requestor is authentic by looking at their name in the email. Instead, take the time to verify the actual email address, not just the name displayed on the email.

3. Beware the redirect! 

Again, a redirecting domain doesn’t mean that it’s a bad actor, but certainly don’t trust them just because it resolves to a legitimate website/domain.

Alert GovTransfer about Bad actors

Lastly, if you carried out the previous checks correctly but are still in doubt about a requestor, send us an email at phishing@govtransfer.com and we’ll investigate the email for free. Please include as much information as you feel comfortable providing. We will carry out a thorough investigation and provide you with a timely response.

If you get an email and you know that it’s a bad actor, let us know about that too (phishing@govtransfer.com)! We’ll notify our subscribers to be on the lookout and ban the domain from GovTransfer.

Subscribe to alerts regarding bad actors.

Published On: May 9, 2022. Categories: News, Resources, Tools
