
Email spoofing: what is it and how to stop it?


More likely than not, you’ve been a target of email spoofing at least once in your life. That’s because email spoofing targets everyone, from an individual to a multi-billion dollar company.

In this article, you’ll find everything you need to know about email spoofing - what it is, the reasons behind it, and how to deal with it.



What is email spoofing?

Email spoofing is the act of sending emails with a forged sender address. It tricks the recipient into thinking that someone they know or trust sent them the email. Usually, it’s a tool of a phishing attack, designed to take over your online accounts, send malware, or steal funds.

Basic spoofed messages are easy to make and, once you look at the headers, easy to detect. However, more carefully crafted and targeted varieties can cause significant damage and pose a serious security threat.

[Figure: Email spoofing scheme]

Reasons for email spoofing

The reasons for email spoofing are quite straightforward. Usually, the criminal has something malicious in mind, like stealing the private data of a company. Here are the most common reasons behind this malicious activity:

  • Phishing. Almost universally, email spoofing is a gateway for phishing. Pretending to be someone the recipient knows is a tactic to get the person to click on malicious links or provide sensitive information.
  • Identity theft. Pretending to be someone else can help a criminal gather more data on the victim (e.g. by asking for confidential information from financial or medical institutions).
  • Avoiding spam filters. Frequent switching between email addresses can help spammers avoid being blacklisted.
  • Anonymity. Sometimes, a fake email address is used to simply hide the sender’s true identity.

Dangers of email spoofing

Email spoofing is dangerous because it doesn’t need to compromise any account or defeat the protections that most email providers now enable by default. It exploits the human factor, especially the fact that nobody double-checks the headers of every email they receive. It is also cheap for the attacker: a basic spoof needs almost no technical skill, and the forged message can be made to look identical, or nearly identical, to a genuine one.

How do hackers spoof your email address?

Email spoofing works by forging parts of the message itself, and the methods vary in complexity. They also differ in which part of the email the attacker forges: only the display name, the whole From address, or the domain the message appears to come from.

Here are the variations you are likely to encounter.

Spoofing via display name

Display name spoofing is a type of email spoofing in which only the sender’s display name is forged. Anyone can do this by registering a new Gmail account and setting its display name to the name of the contact they want to impersonate. Mind you, the actual address shown next to the name will be different. If you’ve ever received an email from “Jeff Bezos” asking you to lend him some money, you’ve encountered spoofing via display name.

[Figure: display name email spoofing]

This type of email also passes the spoofing countermeasures described later (SPF, DKIM and DMARC), because it really is sent from the account it claims to come from: those checks authenticate the sending domain, not the name displayed beside it. For the same reason it won’t be filtered out as spam. The attack exploits user interfaces built with ease of use in mind: most modern email clients show the display name prominently and the address only on request, and smartphone apps often have space for nothing but the display name. That is why display name spoofing is so effective.

Spoofing via legitimate domains

Suppose the attacker is aiming for higher believability. In that case, they may put a real address from a trusted domain in the From header, with a display name such as “Customer Support Specialist”. This means both the display name and the email address show misleading information.

This attack doesn’t need to hijack the account or penetrate the targeted company’s internal network. It only needs an SMTP server that relays mail without authentication and lets the client specify the envelope sender (MAIL FROM), the recipient and the From header freely; such misconfigured open relays are what the attacker looks for. Using shodan.io, we can identify 6,000,000 SMTP servers, and some fraction of them will be misconfigured in exactly this way. Besides, the attacker can always set up a malicious SMTP server of their own.
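To make the mechanism concrete, here is an added example (not code from the original article) that models the SMTP conversation between an attacker’s client and a relay that has no AUTH step. The relay takes MAIL FROM on trust, stamps it into Return-Path, and stores whatever From header arrived inside DATA. All hostnames, addresses and the IP are constructed; example.com, example.net and 203.0.113.0/24 are reserved for documentation.

```python
"""Model of the SMTP exchange behind header spoofing.

Added example, not code from the original article. The OpenRelay class
stands in for a misconfigured relay that offers no AUTH step and accepts
any MAIL FROM; the hostnames, addresses and IP below are constructed
(example.com / example.net / 203.0.113.0/24 are reserved for documentation).
"""
from email import message_from_string


class OpenRelay:
    """Minimal SMTP receiver with no authentication step."""

    def __init__(self, hostname="relay.example.net"):
        self.hostname = hostname
        self.envelope_from = None   # what MAIL FROM said
        self.recipients = []        # what RCPT TO said
        self.body_lines = []        # everything sent after DATA
        self.in_data = False
        self.transcript = []        # both sides of the conversation

    def _reply(self, text):
        self.transcript.append("S: " + text)
        return text

    def feed(self, line):
        """Handle one client line; return the server reply (None while in DATA)."""
        self.transcript.append("C: " + line)
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._reply("250 2.0.0 Ok: queued")
            # RFC 5321 dot-stuffing: a line starting with ".." carries a literal "."
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return self._reply(f"250 {self.hostname}")
        if verb == "MAIL":   # MAIL FROM:<addr>, taken on trust: no AUTH, no SPF
            self.envelope_from = arg.split(":", 1)[1].strip("<> ")
            return self._reply("250 2.1.0 Ok")
        if verb == "RCPT":   # RCPT TO:<addr>, relayed for anyone
            self.recipients.append(arg.split(":", 1)[1].strip("<> "))
            return self._reply("250 2.1.5 Ok")
        if verb == "DATA":
            self.in_data = True
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._reply("221 2.0.0 Bye")
        return self._reply("500 5.5.1 Command unrecognized")

    def delivered_message(self, client_ip="203.0.113.7"):
        """What lands in the mailbox: the relay stamps Return-Path from the
        envelope sender and a Received line naming the connecting IP; the
        From header is whatever the client put inside DATA."""
        trace = (
            f"Return-Path: <{self.envelope_from}>\n"
            f"Received: from attacker-box ([{client_ip}]) by {self.hostname}\n"
        )
        return message_from_string(trace + "\n".join(self.body_lines) + "\n")


def run_spoof_session():
    """Replay an attacker's session against the relay and return the relay."""
    relay = OpenRelay()
    session = [
        "EHLO attacker-box",
        "MAIL FROM:<bounce@attacker.example>",   # envelope sender (attacker's)
        "RCPT TO:<victim@example.org>",
        "DATA",
        "From: Customer Support Specialist <support@example.com>",  # forged
        "To: victim@example.org",
        "Subject: Your account needs verification",
        "",
        "Please sign in at the link below.",
        ".",
        "QUIT",
    ]
    for line in session:
        relay.feed(line)
    return relay


if __name__ == "__main__":
    relay = run_spoof_session()
    print("\n".join(relay.transcript))
    msg = relay.delivered_message()
    print("\nFrom header :", msg["From"])
    print("Return-Path :", msg["Return-Path"])
```

The point to notice is that nothing in the exchange ever ties the From header to the envelope sender, and nothing ties the envelope sender to the connecting client. A real receiving server closes that gap only by checking the connecting IP against the domain’s SPF record and the message against its DKIM signature; the relay above does neither.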

The situation is dire because many enterprise email domains still publish no verification records at all. Still, there are some techniques you can use to protect your domain – more on that later.

Spoofing via lookalike domains

Suppose a domain is protected and spoofing its exact name isn’t possible. In that case, the attacker is most likely going to set up a lookalike domain. In this type of attack, the fraudster registers and uses a domain that resembles the impersonated one, e.g. “@doma1n.co” instead of “@domain.co”. The change can be small enough to be missed by an inattentive reader. It’s effective because most people never read the sender’s address carefully, let alone the headers.

[Figure: lookalike domain email spoofing]

Using a very similar domain, the attacker creates a sense of authority. Because the attacker owns the lookalike domain, they can publish valid SPF and DKIM records for it, so the message passes authentication checks as well: those checks confirm the mail came from doma1n.co, not that doma1n.co is who you think it is. It might be just enough to convince the victim to reveal a password, transfer money, or send some files. Here, reading the actual address character by character is the only way to confirm whether the message is genuine, and that is hard to do on the go, especially on a small smartphone screen.
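The check a mail filter (or a careful reader) performs on the address is easy to automate. The following is an added example, not code from the original article: it reduces a sender domain to the shape a reader perceives by folding common substitutions (1/l, 0/o, rn/m, vv/w, accented letters, punycode) and flags anything within one edit of a domain you trust. The trusted list and sample addresses are constructed; the punycode name xn--pple-43d.com decodes to “apple.com” with a Cyrillic first letter.

```python
"""Lookalike-domain check for the sender address.

Added example, not code from the original article. It folds the visual
substitutions attackers rely on (1/l, 0/o, rn/m, vv/w, accents, punycode)
into a "skeleton" and flags sender domains that are within one edit of a
domain you trust. The trusted list and sample addresses are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Pairs are applied in order, so two-letter shapes fold before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("8", "b"),
]


def skeleton(domain):
    """Reduce a domain to the shape a reader perceives."""
    if domain.startswith("xn--") or ".xn--" in domain:
        domain = domain.encode("ascii").decode("idna")   # punycode -> Unicode
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted_domains, max_distance=1):
    """Return (label, matched_trusted_domain) for the address in a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no-address", None
    domain = addr.rpartition("@")[2].lower()
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted            # exact domain or one of its subdomains
    sk = skeleton(domain)
    for trusted in trusted_domains:
        if sk == skeleton(trusted) or levenshtein(sk, skeleton(trusted)) <= max_distance:
            return "lookalike", trusted
    return "unknown", None


TRUSTED = ["example.com", "domain.co", "apple.com"]   # constructed allow-list

if __name__ == "__main__":
    for sender in [
        "Jeff Bezos <jeff@example.com>",
        "IT Helpdesk <helpdesk@mail.example.com>",
        "Accounts <billing@doma1n.co>",
        "Support <support@exarnple.com>",
        "Apple ID <noreply@xn--pple-43d.com>",   # Cyrillic "а" followed by "pple"
        "Newsletter <news@other.org>",
        "Just A Name",
    ]:
        print(f"{sender:45} -> {classify_sender(sender, TRUSTED)}")
```

Keep max_distance at 1 for short domains: at distance 2 almost any five-letter domain collides with another, and the false positives would train users to ignore the warning. The “trusted” result only means the address is on your list; it says nothing about whether the account behind it has been compromised.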

How to stop email spoofing?

The reality is that email spoofing cannot be eliminated, because the Simple Mail Transfer Protocol, the foundation for sending email, includes no sender authentication of its own: a server will accept whatever From address the client supplies. That is the weakness of the technology. Countermeasures have been layered on top, but how well they work depends on whether the sending domain publishes them and whether your email provider enforces them.

Most trusted email providers apply additional checks:

  • Sender Policy Framework (SPF), a DNS record listing which servers may send mail for a domain
  • DomainKeys Identified Mail (DKIM), a cryptographic signature over the message added by the sending domain
  • Domain-based Message Authentication, Reporting & Conformance (DMARC), which ties SPF and DKIM results to the From domain and tells receivers what to do on failure (none, quarantine or reject)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME), end-to-end signing of individual messages by the sender

These checks run automatically. When a domain publishes them and the receiving provider enforces them, forged messages are quarantined as spam or rejected outright; with a DMARC policy of “none”, however, a failing message is still delivered and only reported.
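What a receiving server does with those records is simple enough to show in code. The example below is added here and is not from the original article: evaluate_spf() applies an SPF record to the connecting IP for the mechanisms that need no DNS lookup (ip4, ip6, all) and reports anything else as unsupported rather than guessing, and dmarc_policy() reads the policy out of a _dmarc TXT record. The weak and hardened records for example.com, and the IPs, are constructed for illustration.

```python
"""Evaluating SPF and DMARC records the way a receiving server does.

Added example, not code from the original article. evaluate_spf() handles
the mechanisms that need no DNS lookup (ip4, ip6, all) and reports anything
else as unsupported rather than guessing; dmarc_policy() parses a _dmarc
TXT record. The records and IPs below are constructed for example.com.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none for client_ip against an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifier (redirect=, exp=), not a mechanism
            name = term.split("=", 1)[0].lower()
            if name == "redirect":
                return "unsupported:redirect"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # terminal: applies to every IP not matched above
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported:" + name       # include/a/mx/exists need DNS lookups
    return "neutral"                       # record ends without "all": no verdict


def dmarc_policy(record):
    """Parse a _dmarc.<domain> TXT record; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "none")
    return {
        "policy": policy,                             # none = deliver and report only
        "subdomain_policy": tags.get("sp", policy),
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),                       # where aggregate reports are sent
    }


# Weak records: an attacker's mail only softfails and DMARC merely reports it.
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Hardened records: unauthorised servers fail SPF and DMARC tells receivers to reject.
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    attacker_ip, legit_ip = "203.0.113.7", "192.0.2.10"
    for label, spf, dmarc in [("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)]:
        print(f"{label}: legit server -> {evaluate_spf(spf, legit_ip)}, "
              f"attacker -> {evaluate_spf(spf, attacker_ip)}, "
              f"DMARC policy -> {dmarc_policy(dmarc)['policy']}")
```

The difference between the two record sets is what turns “the receiver noticed” into “the receiver refused”: with ~all and p=none a spoof is tagged softfail and delivered, with -all and p=reject it fails SPF and the DMARC policy instructs the receiver to drop it. Real evaluators also resolve include, a and mx mechanisms and stop after ten DNS lookups; this example deliberately stops at the lookup-free subset.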

As an ordinary user, you can limit your exposure to email spoofing by choosing a secure email provider and practising good cybersecurity hygiene:

  • Use throwaway accounts when registering on sites. That way, your private email address won’t appear in leaked lists used for sending spoofed messages in bulk.
  • Make sure your email password is strong and unique, and enable two-factor authentication. That way, it will be harder for cybercriminals to get into your account and send misleading messages to your contacts.
  • Inspect the sender address and, when someone asks you to click a link or send money, the full headers. Spoofed emails made by skilled attackers can look identical to genuine ones, even to a long-time user.

How to protect yourself from email spoofing?

If you get an email from your own address with ransom threats, the first step is to stop and collect yourself. We’ve already covered how easy it is to spoof an email, and panicking plays into the attacker’s hands. What you need to do is open the full headers and check the originating IP address and the SPF, DKIM and DMARC results. This will show whether the message really came from your account. If the authentication checks fail, the From address was simply forged and your account was not used. If the message genuinely originated from your account, you need to act fast: change the password, enable two-factor authentication, and review the account’s recent sign-in activity and any forwarding rules an intruder may have added.

Identifying email spoofing

In most cases, it’s quite easy to identify email spoofing. Aside from the obvious red flags, you only need to look at the full email header. It contains all the basic fields of every email: From, To, Date and Subject. It also carries metadata on how the email was routed to you and where it came from. Most likely, it will also contain the results of the checks your email provider’s receiving server ran to verify that the sending server was authorised to send mail for that domain.

How you view this data depends on the service you’re using, and it is usually only available in the desktop or web interface, not in mobile apps. For Gmail, click the three vertical dots next to the reply button and select “Show original” from the drop-down list. Other services offer a similar option, usually labelled “View source”, “View message source” or “View raw message”.

Here’s an example of a spoofed email that I sent to myself pretending to be a billionaire. In this case, the email filter caught it labeling it as spam, so it didn’t appear in my primary mailbox. I had to find it in the spam folder. Big yellow warning aside, you’ve got to admit, it looks pretty realistic.

[Figure: spoofed email header]

Suppose I had picked a lower-profile domain of a lesser-known company with fewer checks in place. There is still a lot you can verify. If you go to “Show original”, you can see that SPF is reported as SOFTFAIL and DMARC as FAIL. That is enough to call the email out as spoofed. One caveat: some poorly maintained domains do not keep their SPF records up to date, so legitimate mail from them can fail SPF too; a DMARC failure on a domain that publishes a policy is the stronger signal.

[Figure: spoofed email metadata]

If you want to go deeper down the rabbit hole, at the raw header level, you’ll see that the server named in the topmost Received: from line, and its IP address, are not ones the claimed sender’s domain authorises, which is exactly what the Received-SPF result is telling you. This is a clear example of email spoofing. Remember: if the delivering server is not authorised for the domain and SPF validation fails, this isn’t a genuine email from that domain. It also doesn’t hurt to check whether the Return-Path matches the sender’s address in From. A mismatch on its own is not proof, since mailing lists and bulk senders routinely use a separate bounce address, but combined with failing SPF or DMARC it is telling.
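The same walk-through, automated. This is an added example and not code from the original article: assess() pulls the SPF, DKIM and DMARC verdicts out of the Authentication-Results header, identifies the host that actually delivered the message from the topmost Received line, and compares the Return-Path domain with the From domain. The two raw messages are constructed (example.* names, documentation IP ranges) and modelled on what Gmail’s “Show original” displays; the second one is a legitimate bulk newsletter, included to show that a Return-Path mismatch by itself is not a verdict.

```python
"""Reading authentication results out of a raw message header.

Added example, not code from the original article. assess() does what the
text describes by hand: pull the SPF/DKIM/DMARC verdicts from
Authentication-Results, identify the host that actually delivered the
message from the topmost Received line, and compare Return-Path with From.
Both raw messages below are constructed (example.* names, documentation IPs).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# The spoof from the article: From claims example.com, but the envelope sender
# and the delivering host belong to someone else.
SPOOFED = """\
Return-Path: <bounce@attacker.example>
Received: from relay.example.net (relay.example.net. [203.0.113.7])
        by mx.example.org with ESMTPS id k7si123456
        for <victim@example.org>; Tue, 2 Jan 2024 09:15:02 +0000
Received-SPF: softfail (mx.example.org: domain of transitioning bounce@attacker.example does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.example.org;
       dkim=none;
       spf=softfail (mx.example.org: domain of transitioning bounce@attacker.example does not designate 203.0.113.7 as permitted sender) smtp.mailfrom=bounce@attacker.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Customer Support Specialist <support@example.com>
To: victim@example.org
Subject: Your account needs verification

Please sign in at the link below.
"""

# A genuine newsletter sent through a bulk provider: Return-Path uses the
# provider's bounce domain, yet DKIM is signed by example.com and DMARC passes.
LEGIT_BULK = """\
Return-Path: <bounces+42@mail.esp.example>
Received: from out1.esp.example (out1.esp.example. [198.51.100.20])
        by mx.example.org with ESMTPS id m2si654321
        for <victim@example.org>; Tue, 2 Jan 2024 09:20:11 +0000
Received-SPF: pass (mx.example.org: domain of bounces+42@mail.esp.example designates 198.51.100.20 as permitted sender) client-ip=198.51.100.20;
Authentication-Results: mx.example.org;
       dkim=pass header.i=@example.com header.s=news;
       spf=pass smtp.mailfrom=bounces+42@mail.esp.example;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
From: Example Newsletter <news@example.com>
To: victim@example.org
Subject: January update

Hello from the real sender.
"""


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601)."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), result.lower())
    return found


def domain_of(header_value):
    """Lower-cased domain of an address header ('' if there is none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw):
    """Return (verdict, findings) for one raw message."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_dom = domain_of(msg["From"])
    bounce_dom = domain_of(msg["Return-Path"])
    findings = []

    # The topmost Received line was written by our own server, so the host and
    # bracketed IP in it are the machine that actually handed the message over.
    top = (msg.get_all("Received") or [""])[0]
    hop = re.search(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]", top, re.S)
    delivering = f"{hop.group(1)} [{hop.group(2)}]" if hop else "unknown host"

    if auth.get("spf") in ("fail", "softfail"):
        findings.append(f"SPF {auth['spf']}: {delivering} is not authorised to send for {bounce_dom!r}")
    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC fail: nothing aligned with the From domain {from_dom!r}")
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom!r} differs from From domain {from_dom!r}")

    if auth.get("dmarc") == "pass":
        verdict = "authenticated"      # From domain vouched for by aligned SPF or DKIM
    elif auth.get("dmarc") == "fail" or (
        auth.get("spf") in ("fail", "softfail") and auth.get("dkim") != "pass"
    ):
        verdict = "spoofed"
    else:
        verdict = "inconclusive"       # no DMARC record or no results: read the rest by hand
    return verdict, findings


if __name__ == "__main__":
    for label, raw in [("spoofed sample", SPOOFED), ("bulk newsletter", LEGIT_BULK)]:
        verdict, findings = assess(raw)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

Two caveats when using this on real mail. Only trust an Authentication-Results header that names your own provider’s server (mx.example.org here): an attacker can insert a fake one further down, which is why the code reads the topmost copy. And a missing DMARC result usually means the From domain publishes no policy, so the verdict stays “inconclusive” rather than being forced either way.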

Real-world examples of email spoofing

In 2016, a Seagate employee received an email impersonating the company’s CEO and requesting employee W-2 forms. Believing it was a genuine internal business request, the employee sent them, leaking the annual wage data of thousands of current and former staff.

Messaging company Snapchat was hit the same way in 2016, when an employee in its payroll department received an email that appeared to come from the CEO asking for payroll information. Since the email looked legitimate enough, the employee complied and sent out colleagues’ payroll data.


Comments

Robert Fouts
1 month ago
Now and then I do a backcheck on the spam emails by entering only the information to the right of the "@" sign. Sometimes there is nothing there, sometimes a huckster will try to sell me the domain for $3,837 (probably a county property tax assessor?), while others will bring up a website, often in France or Germany. I once tracked down a particularly nasty virus which appears to have originated as some government courier device that permits the reading of an email or file but once, then locks up unless you have access to the original utility. All the bad guys did was very slightly change the coding so that it became infectious enough to lock down an entire computer. I emailed the host in a foreign country, described the situation and their part in it, described a horrific scenario just outside of their gates (no physical damage), and I haven't heard much about the virus since.

On my own site I do my own simple coding with all extensions safe and "inhouse." I keep my original offline and update by overwriting at the server. Everything I put out, I also hardcopy. I assume that bad people (including the government) are getting in. Maybe they can also learn a lesson.
Sue
2 months ago
Some of my contacts received emails from me a few months ago. I have changed my password since. Now one of them has said he received another email from me. Have I been hacked? Should I change my password again? Should I be concerned, or should they?
Cybernews Team
2 months ago
Hi Sue, thanks for the question. If your contacts can confirm that the unauthorized emails are coming from your account, the issue is likely on your end. Depending on which email client you use, you should be able to add two-factor authentication to your account. If that's available, change your password once more (make sure it's complex and long, includes numbers, symbols, and upper/lower-case letters) and set up 2FA using SMS, biometric data, or other available options to make sure that no one besides you can log into your account. Hope this helps.
Sara Render
5 months ago
useful article. Lots of my friends have been getting spoofed emails using my identity. Can they protect themselves by clicking on the email address and blocking the sender?
Cybernews Team
5 months ago
Hi Sara, we're happy you found the article helpful! Unfortunately, blocking senders doesn't work when dealing with scammers because they rarely use the same email address for more than one mass spam email attack. So, even if you block the scammer once, if they have an email address in their database, they're likely to continue bombarding it from different accounts. Hope this answers the question.
DMS
6 months ago
Helpful info, and a bit depressing to know there is not much one can do, once the horse has bolted, other than scrap your email address and start over with a new one, I guess, which is a huge pain for some. These malicious acts are destroying, and in many ways already have destroyed, the value of emails.
Bring back faxes ......
Patricia DeWitt
8 months ago
Excellent information, many thanks. Is there a danger for the people who were addressed using a spoofed email account? This would be spoofing by display name.
Cybernews Team
8 months ago
Yes, there is a danger for the people who were addressed using a spoofed email account, even if it is spoofing by display name only. This is because attackers can use spoofing to trick people into revealing personal information or clicking on malicious links. For example, an attacker could spoof the email address of a bank or credit card company and send an email to the victim asking them to update their account information. So, even if spoofing by display name is not as dangerous as some other types of spoofing, it still should be taken seriously. Hope this helps!
Henry Drake
3 years ago
Why do so many email services not allow the incredibly simple and easy to implement option of displaying the "real" email address only and never the "display name"? This would cut down 100% instantly on "display name" type spoofing? It would cost near zero to implement, and I can't think of any downside for the email provider - it would seem like a no-brainer. I have zero need to ever see anyone's stupid "display name". If I don't know their real email address I'm not going to open it anyway. This just seems like such an easy solution I can't understand why it's not implemented. Sure, I can turn it on in my email client, but it's completely missing from most web interfaces.
JNR Management
3 years ago
I read the full article and found it very informative. It provides complete information about email spoofing and the ways to stay protected from it.