email spoofing

Email spoofing is a form of cyber attack in which a hacker sends an email that has been manipulated to seem as if it originated from a trusted source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a known sender. The goal of email spoofing is to trick recipients into opening or responding to the message.

Why email spoofing is important

Although most spoofed emails can be easily detected and can be remedied by simply deleting the message, some varieties can cause serious problems and pose security risks. For example, a spoofed email may pretend to be from a well-known shopping website, asking the recipient to provide sensitive data, such as a password or credit card number.

Alternatively, a spoofed email may include a link that installs malware on the user's device if clicked. A common example of business email compromise (BEC) involves spoofing emails from the chief executive officer (CEO) or chief financial officer (CFO) of a company requesting a wire transfer or internal system access credentials.

Reasons for email spoofing

In addition to phishing, attackers use spoofed email for the following reasons:

  • Hide the fake sender's real identity.
  • Bypass spam filters and blocklists. Users can minimize this threat by blocklisting internet service providers (ISPs) and Internet Protocol (IP) addresses.
  • Pretend to be a trusted individual -- a colleague or a friend -- to elicit confidential information.
  • Pretend to be a reliable organization -- for example, posing as a financial firm to get access to credit card data.
  • Commit identity theft by impersonating a targeted victim and requesting personally identifiable information (PII).
  • Damage the sender's reputation.
  • Launch and spread malware hidden in attachments.
  • Conduct a man-in-the-middle (MitM) attack to seize sensitive data from individuals and organizations.
  • Obtain access to sensitive data collected by third-party vendors.

What's the difference between phishing, spoofing and domain impersonation?

Cybercriminals often use spoofing as part of a phishing attack. Phishing is a method used to obtain data by faking an email address and sending an email that looks like it is coming from a trusted source that could reasonably ask for such information. The goal is to make victims click on a link or download an attachment that will install malware on their system.

Spoofing is also related to domain impersonation, in which an email address that is similar to another email address is used. In domain impersonation, an email may come from an address such as [email protected], while, in a spoofing attack, the fake sender's address will look genuine, such as [email protected].

How email spoofing works

Email spoofing can be easily achieved with a working Simple Mail Transfer Protocol (SMTP) server and a common email platform, such as Outlook or Gmail. Once an email message is composed, the scammer can forge fields found within the message header, such as the FROM, REPLY-TO and RETURN-PATH addresses. When the recipient gets the email, it appears to come from the forged address.

This is possible because SMTP does not provide a way to authenticate addresses. Although protocols and methods have been developed to combat email spoofing, adoption of those methods has been slow.

How to tell if an email has been spoofed

If a spoofed email does not appear to be suspicious to users, it likely will go undetected. However, if users do sense something is wrong, they can open and inspect the email source code. Here, the recipients can find the originating IP address of the email and trace it back to the real sender.

Users can also confirm whether a message has passed a Sender Policy Framework (SPF) check. SPF is an authentication protocol included in many email platforms and email security products. Depending on users' email setup, messages that are classified as "soft fail" may still arrive in their inbox. A soft fail result can often point to an illegitimate sender.
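The header inspection described above can be scripted. The following Python sketch is an added example, not part of the original article; the sample message, its domains and the function names are constructed for illustration. It compares the From domain with Reply-To and Return-Path, reads the SPF verdict from Authentication-Results and pulls the IP address from the earliest Received header.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message (all domains and addresses are placeholders).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
 by mx.example.org with ESMTP id abc123; Mon, 01 Mar 2021 10:00:00 +0000
Authentication-Results: mx.example.org; spf=softfail
 smtp.mailfrom=mailer.example.net; dkim=none
From: "Pat CEO" <ceo@example.com>
Reply-To: ceo.office@example.net
To: finance@example.org
Subject: Urgent wire transfer

Please process today.
"""

def domain(value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        d = domain(msg[hdr])
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    auth = " ".join((msg["Authentication-Results"] or "").split())
    m = re.search(r"\bspf=(\w+)", auth)
    spf = m.group(1).lower() if m else "missing"
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    # The last Received header is the hop closest to the origin; an upstream
    # sender can forge it, so treat the IP as a lead, not proof.
    received = msg.get_all("Received") or []
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return {"from_domain": from_dom, "spf": spf,
            "origin_ip": ip.group(1) if ip else None, "findings": findings}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(k, "=", v)
```

A domain mismatch alone is not proof of spoofing, since legitimate bulk senders often use a separate bounce domain; it is a signal to weigh together with the SPF result.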

[Figure: Display name spoofing forges the email display name. In display name spoofing, a hacker forges a recognizable display name.]

For more details, learn about the techniques professional security researchers use to identify phishing and email spoofing.

9 best ways to stop email spoofing

Users and businesses can prevent email spoofers from accessing their systems in a variety of ways.

1. Deploy an email security gateway

Email security gateways protect businesses by blocking inbound and outbound emails that have suspicious elements or do not meet security policies a business puts in place. Some gateways offer additional functions, but all can detect most malware, spam and phishing attacks.

2. Use antimalware software

Software programs can identify and block suspicious websites, detect spoofing attacks and stop fraudulent emails before they reach user inboxes.

3. Use encryption to protect emails

An email signing certificate encrypts emails, allowing only the intended recipient to access the content. In asymmetric encryption, a public key encrypts the email, and a private key owned by the recipient then decrypts the message. An additional digital signature can assure the receiver that the sender is a valid source. In environments without broad encryption in place, users can learn to encrypt email attachments.

4. Use email security protocols

Infrastructure-based email security protocols can reduce threats and spam by using domain authentication. In addition to SMTP and SPF, businesses can use DomainKeys Identified Mail (DKIM) to provide another layer of security with a digital signature. Domain-based Message Authentication, Reporting and Conformance (DMARC) can also be implemented to define the actions that should be taken when messages fail under SPF and DKIM.

5. Use reverse IP lookups to authenticate senders

A reverse IP lookup confirms the apparent sender is the real one and verifies the email's source by identifying the domain name associated with the IP address.

Website owners can also consider publishing a domain name system (DNS) record stating who can send emails on their domain's behalf. Messages are then inspected before the email body is downloaded and can be rejected before causing any harm.
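The DNS records mentioned here and under the email security protocols in step 4 can be reviewed for weak settings. This Python sketch is an added example, not part of the original article; the TXT records, the domain names and the function names are constructed. It shows a permissive SPF and DMARC pair beside a hardened pair and reports what each asks receiving servers to do.

```python
# Constructed TXT records for the placeholder domain example.com.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_default(record):
    """Result SPF assigns to senders matched by no earlier mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in SPF_ALL else "+"
            return SPF_ALL[qualifier]
    # Simplification: redirect= is not followed. Per RFC 7208, a record
    # with no matching mechanism and no redirect evaluates to neutral.
    return "neutral"

def dmarc_policy(record):
    """Return the p= tag of a DMARC record."""
    tags = dict(part.strip().split("=", 1)
                for part in record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC policy record")
    return tags["p"].strip().lower()

def review(records):
    """List the settings that leave failing mail deliverable."""
    notes = []
    default = spf_default(records["spf"])
    policy = dmarc_policy(records["dmarc"])
    if default != "fail":
        notes.append(f"SPF ends in {default}: unlisted senders are not hard-failed")
    if policy == "none":
        notes.append("DMARC p=none: receivers are asked to take no action on failures")
    return notes

if __name__ == "__main__":
    print("weak:", review(WEAK))
    print("hardened:", review(HARDENED))
```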

6. Train employees in cyber awareness

On top of software-based anti-spoofing measures, businesses must encourage user caution, teaching employees about cybersecurity and how to recognize suspicious elements and protect themselves. Simple educational programs can equip users with email spoofing examples and give them the ability to spot and handle spoofing tactics, along with procedures to follow when a spoofing attempt is discovered. Training should be ongoing so that the materials and methods can be updated as new threats emerge.

7. Watch out for possible spoofed email addresses

The email addresses users communicate with are often predictable and familiar. Individuals can learn to watch out for unknown or odd email addresses and to verify an email's origin before interacting with it. Attackers often use the same tactics multiple times, so users must remain vigilant.

8. Never give out personal information

In many situations, even if spoofed emails get into an inbox, they only cause real damage when a user responds with personal information. By making it a common practice never to divulge personal information in emails, users can significantly limit the effects email spoofing could have.

9. Avoid strange attachments or unfamiliar links

Users should also steer clear of suspicious attachments and links. As a best practice, they can examine every element of an email, looking out for telltale signs, like misspellings and unfamiliar file extensions, before going ahead and opening a link or attachment.

Other common email security threats include malware delivery, phishing and domain spoofing. Learn more in "The top 3 email security threats and how to defuse them."

This was last updated in March 2021
