Email Security: Phishing, Spoofing, and Your CEO Needs iTunes Cards
"Nothing is true. Everything is permitted. That email is fake."
The Problem: Email Is Insecure By Design
Email was designed in 1971 for trustworthy academics. It's 2025 and email still has no built-in security. SMTP allows sender spoofing. Authentication is optional. Encryption is rare.
Your CEO doesn't need iTunes gift cards. That's not your CEO. Email is the primary attack vector because it works.
ILLUMINATION: Your CEO doesn't need iTunes cards. That's not your CEO. Email sender addresses are trivially spoofed. Verify unusual requests out of band.
🎣 The Five Email Threats
1. Phishing
Click this link to verify your account.
Fake emails impersonating legitimate services. Credential theft. Malware delivery. Happens constantly.
2. Spear Phishing
Targeted attacks using personal information.
Researched attacks against specific individuals. More convincing. Higher success rate.
3. Business Email Compromise
CEO wants wire transfer ASAP.
Impersonating executives. Requesting wire transfers. Millions lost annually. Verify out of band.
4. Malware Delivery
Invoice.pdf.exe attached.
Malicious attachments. Macro-enabled documents. Ransomware delivery. Don't open suspicious attachments.
5. Email Spoofing
From: ceo@yourcompany.com (but not really)
SMTP allows forged sender addresses. SPF/DKIM/DMARC help but aren't universal. Verify suspicious emails.
CHAOS ILLUMINATION: Email authentication (SPF/DKIM/DMARC) is optional. Most domains don't configure it. Your domain probably doesn't either. Check now.
🛡️ Email Security Controls
- SPF - Sender Policy Framework: Which servers can send email for your domain
- DKIM - DomainKeys Identified Mail: Cryptographic signature on emails
- DMARC - Domain-based Message Authentication, Reporting and Conformance: Policy for handling authentication failures
- Anti-spam filters - Block known spam and phishing
- Link scanning - Check URLs before users click
- Attachment sandboxing - Execute attachments in isolated environment
- User training - Teach users to recognize phishing
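To make the alignment logic behind SPF, DKIM and DMARC concrete, here is an added example (not Hack23's code or configuration) that evaluates SPF against a constructed set of DNS TXT records and applies a DMARC policy to two constructed messages: a spoofed executive request whose envelope sender and source IP belong to someone else, and a genuine one sent through the corporate mail servers. The domains, IP addresses, records and messages are all made up from reserved documentation ranges, the DKIM verdict is assumed to come from a real signature verifier (only the signing domain is read from the header), and the organizational-domain logic is simplified to the last two labels.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT data in place of live lookups; names and addresses are
# reserved documentation ranges (RFC 2606, RFC 5737), not real infrastructure.
DNS_TXT = {
    "yourcompany.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.yourcompany.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@yourcompany.example",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name):
    return DNS_TXT.get(name.lower())

def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluator: ip4/ip6, include and all mechanisms only (no a/mx/exists)."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per evaluation
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term.startswith("include:"):
            if spf_check(term[8:], sender_ip, depth + 1) == "pass":
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' mechanism present

def org_domain(domain):
    """Organizational domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def parse_dmarc(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def dmarc_evaluate(raw_message, sender_ip, dkim_result):
    """SPF/DKIM alignment and DMARC disposition for one message. dkim_result
    ('pass'/'fail'/'none') is assumed to come from a real signature verifier;
    only the signing domain (d=) is read from the header here."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mailfrom_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    record = lookup_txt(f"_dmarc.{from_domain}") or lookup_txt(f"_dmarc.{org_domain(from_domain)}")
    if not record or not record.startswith("v=DMARC1"):
        return {"from_domain": from_domain, "dmarc": "none", "disposition": "none"}
    pol = parse_dmarc(record)
    spf_result = spf_check(mailfrom_domain, sender_ip) if mailfrom_domain else "none"
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, pol["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": from_domain, "spf": spf_result, "spf_aligned": spf_ok,
            "dkim": dkim_result, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else pol.get("p", "none")}

# Constructed messages: an executive-impersonation lure whose envelope sender and
# source IP are not ours, and a genuine message from the corporate mail servers.
SPOOFED = """\
Return-Path: <bounce@attacker.example>
From: "Jane CEO" <ceo@yourcompany.example>
Subject: Urgent - need gift cards today

In meetings all day, please handle this quietly and send me the codes.
"""
LEGITIMATE = """\
Return-Path: <ceo@yourcompany.example>
DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.example; s=sel1; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Jane CEO" <ceo@yourcompany.example>
Subject: Board deck review

Draft attached for Thursday, comments welcome.
"""

if __name__ == "__main__":
    print(dmarc_evaluate(SPOOFED, "192.0.2.77", dkim_result="none"))
    print(dmarc_evaluate(LEGITIMATE, "203.0.113.5", dkim_result="pass"))
```

With p=reject in the constructed record, the spoofed message fails both alignment checks and receives the reject disposition, while the genuine one passes on SPF and DKIM. Change that p= tag to none and the very same failure is only reported, never enforced, which is the state a domain is in when DMARC has been published but not actually turned on.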
📋 What Hack23 Actually Does
Our email security config is public: ISMS-PUBLIC Repository | Network Security Policy (Email Security section)
- SPF/DKIM/DMARC configured - Reject unauthenticated emails
- Advanced threat protection - Link scanning, attachment sandboxing
- Phishing simulations - Monthly tests with immediate training
- External email warnings - Banner on emails from outside organization
- Out-of-band verification - Wire transfer requests verified by phone
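As an added example of the external-email warning control (not Hack23's tooling; the organization domains, executive directory and sample messages are constructed), the following marks any message whose From: domain is not one of ours, prepends a banner to the body, tags the subject, and raises a header flag when the display name matches a known executive but the address is not that executive's real address. That flag is the cue for the phone call the out-of-band verification control relies on.

```python
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAINS = {"yourcompany.example"}  # constructed: the domains that count as "inside"
# Constructed directory of the people attackers impersonate: normalized display name -> real address.
EXECUTIVES = {"jane ceo": "ceo@yourcompany.example", "bob cfo": "cfo@yourcompany.example"}
BANNER = ("[EXTERNAL] This message came from outside the organization.\n"
          "Verify unusual requests by phone before acting on them.")

def _normalize(name):
    return " ".join(name.split()).lower()

def classify(raw):
    """Is the message external, and does its display name borrow an executive's
    name while the address is not that executive's real address?"""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in ORG_DOMAINS
    real_addr = EXECUTIVES.get(_normalize(name))
    impersonation = external and real_addr is not None and real_addr != addr.lower()
    return {"from": addr, "display_name": name, "external": external,
            "impersonation": impersonation}

def add_banner(raw):
    """Return internal mail untouched; for external mail tag the subject, prepend the
    banner to a text/plain body and record the impersonation verdict in a header."""
    verdict = classify(raw)
    if not verdict["external"]:
        return raw
    msg = message_from_string(raw, policy=policy.default)
    if "Subject" in msg:
        msg.replace_header("Subject", f"[EXTERNAL] {msg['Subject']}")
    if msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + "\n\n" + msg.get_content())
    msg["X-Executive-Impersonation"] = "yes" if verdict["impersonation"] else "no"
    return msg.as_string()

# Constructed samples: a webmail address wearing the CEO's name, and a genuine internal note.
LOOKALIKE = """\
From: "Jane CEO" <jane.ceo@freemail.example>
To: cfo@yourcompany.example
Subject: Quick favour

Are you at your desk? I need something handled today, just reply here.
"""
INTERNAL = """\
From: "Jane CEO" <ceo@yourcompany.example>
To: cfo@yourcompany.example
Subject: Lunch

Thursday works for me.
"""

if __name__ == "__main__":
    print(classify(LOOKALIKE))
    print(add_banner(LOOKALIKE))
```

The banner only tells the reader where the message came from; the X-Executive-Impersonation header is what a mail filter or SOC rule can act on, for example by quarantining or routing the message for review rather than relying on the recipient to notice the mismatch.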
META-ILLUMINATION: Email will never be secure. It's fundamentally broken. Layer controls to compensate. Train users. Verify unusual requests. Accept that phishing will succeed sometimes.
🎯 Conclusion: Verify Before Clicking
Email is the primary attack vector. Phishing works because it exploits trust.
Configure SPF/DKIM/DMARC. Use advanced threat protection. Train users. Verify unusual requests. Or find out that your CFO wired $500K to attackers because an email looked legitimate.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially urgent emails from executives requesting immediate wire transfers."
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson