Cybercrime is borderless. Just like marketing teams use location-based targeting to create a deeper connection with customers through content personalization, cybercriminals adjust their attacks to exploit their victims’ fears. Organizations can, however, turn the tables relying on geolocation-enabled cybersecurity strategies that make use of IP geolocation threat intelligence.

3 Ways to Use IP Geolocation Intelligence to Thwart Location-Based Threats

Knowing where possible attacks come from is an effective way to block threats. IP address filtering can help organizations:

1. Filter Unwanted Emails

Many cybercriminals launch attacks via email. Since it’s possible to trace emails’ IP address source, at least to some extent, IP geolocation can be used as a measure of trustworthiness.

Let’s consider an example. Suppose an employee receives an email soliciting a company donation to COVID-19 victims. It can’t hurt to be extra cautious, given the many phishing and other scams related to pandemic.

The email originated from the IP address 47[.]91[.]169[.]15. A check against your IP address blacklist is the first step to verify that the email didn’t come from a known dangerous source. If not, it may still be worth checking it against an IP geolocation intelligence database since it’s a solicitation email.

In this hypothetical example, let’s say the email address’s domain is tuduitu[.]com with IP address 47[.]91[.]169[.]15. Querying this IP address via IP Geolocation Lookup showed that it’s connected to several domains, including q3yey[.]net, sdsxdermyy[.]com, tencredit[.]net, tuduitu[.]com (our supposed email source), and www[.]mwme[.]com[.]cn.

While a Threat Intelligence Platform (TIP) analysis of the IP address deemed it safe to access, we exerted due diligence to query each of the related domains anyway. We found that sdsxdermyy[.]com and tuduitu[.]com had ties to suspicious activities.

2. Verify Financial Transactions

Cybercriminals mimic the domains of well-known financial institutions and payment processors to scam victims. Using ingenious social engineering tactics, scammers often lead victims to phishing pages where they end up giving away their credentials. In this context IP geolocation may help prevent fraud and identity theft.

Let’s say that your company received an email claiming to be from its bank. A U.K. organization may, for instance, receive a message from an individual with the IP address 74[.]208[.]4[.]200 claiming to be from Zenith Bank (the company’s financial partner). As with our example earlier, you can check if the IP address indeed belongs to Zenith Bank. An IP Geolocation API query would reveal that 74[.]208[.]4[.]200 is connected to a single domain—mout[.]gmx[.]co.

A TIP query for the domain would show that it is owned by 1&1 Mail & Media GmbH based in Germany. That is odd for a bank like Zenith, which is headquartered in Nigeria. The WHOIS record analysis also showed no signs that the domain is related to the said bank.

Additionally, a TIP query for the IP address shows that 74[.]208[.]4[.]200 has ties to suspicious activity. That said, it may not be a wise move to continue communicating with the individual behind the said email.

3. Avoid Falling Prey to Invoice Scams

Scammers often target big organizations with fake invoices. Let’s say that your company obtains hardware supplies from a manufacturer in China. It’s thus normal for you to receive a monthly invoice for your orders. And that would likely mean you have their IP addresses on record.

Now, suppose a member of your finance team received an invoice supposedly from that manufacturer requesting payment. A check of your network log showed that the email came from the IP address 195[.]78[.]93[.]222.

A comparison with the supplier’s known IP addresses would probably result in a red flag. But just to be sure, you can use IP Geolocation API for verification. Our query revealed that the IP address is from the Ukraine. That is indeed surprising as the manufacturer is based in China.

A deeper dive, such as a web search for more details on 195[.]78[.]93[.]222, would also tell you that the IP address has been reported 113 times for malicious activities. By discontinuing communications with and consequently blocking access to 195[.]78[.]93[.]222, your company probably dodged a potential entanglement with a scammer.

As this post shows, knowing where messages come from is one way to avoid dealings with malicious entities. Simple IP geolocation queries can reveal a lot about a message sender’s whereabouts and intentions, and help organizations avoid threats that come from unknown locations. IP geolocation products include lookup, API, and databases from different providers.