What Is Email Spoofing?

Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they know or trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value. Users don’t realize the sender is forged unless they inspect the header more closely. If it’s a name they recognize, they’re more likely to trust it. So they’ll click malicious links, open malware attachments, send sensitive data, and even wire corporate funds.

Email spoofing is possible due to how email systems are designed. The client application assigns a sender address to outgoing messages, so outgoing email servers cannot identify whether the sender address is legitimate or spoofed.

Recipient servers and antimalware software can help detect and filter spoofed messages. Unfortunately, not every email service has security protocols in place. Still, users can review each message’s email header to determine whether the sender address is forged.

Email spoofing has been an issue since the 1970s due to how email protocols work. It started with spammers who used it to get around email filters. The issue became more common in the 1990s, then grew into a global cybersecurity issue in the 2000s.

Security protocols were introduced in 2014 to help fight email spoofing and phishing. Since then, many spoofed email messages are now sent to user spamboxes or are rejected and never sent to recipient inboxes.

Email spoofing aims to trick users into believing the email is from someone they know or trust—in most cases, a colleague, vendor, or brand. Exploiting that trust, the attacker asks the recipient to divulge information or take some other action.

A typical email client (such as Microsoft Outlook) automatically enters the sender address when a user sends a new email message. But an attacker can programmatically send messages using basic scripts in any language that configures the sender address to a chosen email address. Email API endpoints allow a sender to specify the sender address regardless of whether the address exists. And outgoing email servers can’t determine whether the sender’s address is legitimate.

Outgoing email is retrieved and routed using the Simple Mail Transfer Protocol (SMTP). When a user clicks “Send” in an email client, the message is first sent to the outgoing SMTP server configured in the client software. The SMTP server identifies the recipient domain and routes it to the domain’s email server. The recipient’s email server then routes the message to the right user inbox.

For every “hop” an email message takes as it travels across the internet from server to server, the IP address of each server is logged and included in the email headers. These headers divulge the true route and sender, but many users do not check headers before interacting with an email sender.

The three major components of an email are:

• The sender address
• The recipient address
• The body of the email

Another component often used in phishing is the Reply-To field. The sender can configure this field and use it in a phishing attack. The Reply-To address tells the client email software where to send a reply, which can be different from the sender’s address. Again, email servers and the SMTP protocol do not validate whether this email is legitimate or forged. It’s up to the user to realize that the reply is going to the wrong recipient.

As an example of email spoofing, an attacker might create an email that looks like it comes from PayPal. The message tells the user that their account will be suspended if they don’t click a link, authenticate into the site, and change the account’s password. If the user is successfully tricked and types in credentials, the attacker can authenticate into the targeted user’s PayPal account and steal the user’s money.

To the user, a spoofed email message looks legitimate because many attackers use elements from the official website to make the message more believable. Here’s an email spoofing example with a PayPal phishing attack:

More complex attacks target financial employees and use social engineering and online reconnaissance to trick a targeted user into sending money to an attacker’s bank account. Here’s an example of a forged email:

Notice that the email address in the From field is Bill Gates (b.gates@microsoft.com). There are two sections in these email headers to review. The “Received” section shows that the email was originally handled by the email server email.random-company.nl, which is the first clue that this is a case of email spoofing. But the best field to review is the Received-SPF section—notice that the section has a “Fail” status.

While spoofing scams continue to become increasingly elaborate, particular signs and cues can help you identify a spoofing email.

• Check the email header: The email header contains information like the date, subject line, recipient’s and sender’s names, and email address. Check to see if the email address appears from a legitimate source and that the name and other details match up.
• Look for disconnects between email addresses, display names, etc.: An email address that doesn’t match the sender’s display name is a telling sign of a spoofed email, especially if the domain of the email address looks suspicious.
• Assess the email content: Spoofed emails often contain alarming or aggressive messaging to provoke a sense of urgency and impulsiveness. If the tone of the subject line and email content is tailored to scare you or alarm you, then it likely is a spoofed email.
• Be watchful for emails requesting personal information: Spoofed emails are often used in conjunction with phishing scams, where fraudsters impersonate brands or identities to get your personal information.
• Avoid clicking links or downloading attachments: If you receive an email that appears suspicious or is from an unknown sender, do not click links or download attachments.
• Copy and paste the content of an email message into a search engine: Chances are that text used in a common phishing attack has already been reported and published on the Internet.
• Look for inconsistencies in the email signature: If the information in the email signature, such as the telephone number, does not align with what is known about the sender, it may be a spoofed email.

When in doubt, refrain from opening any unknown or suspicious emails. Spoofing email or not, a people-minded, user-focused approach is key to mitigating costly social engineering attacks.

Email clients configured to use SPF and DMARC will automatically reject emails that fail validation or send them to the user’s spam box. Attackers target people and businesses, and just one successfully tricked user can lead to the theft of money, data, and credentials.

It’s no wonder that email spoofing has become a commonly exploited avenue for cyber-attackers. Consider the following statistics:

• 3.1 billion domain spoofing emails are sent per day.
• More than 90% of cyber-attacks start with an email message.
• Email spoofing and phishing have had a worldwide impact costing an estimated $26 billion since 2016.
• In 2019, the FBI reported that 467,000 cyber-attacks were successful, and 24% were email-based.
• 91% of bait emails are sent via Gmail, with just 9% coming from other sending domains. (Source: https://blog.barracuda.com/2021/11/10/threat-spotlight-bait-attacks/)
• The average scam tricked users out of $75,000.

A common attack that uses email spoofing is CEO fraud, also known as business email compromise (BEC). In BEC, the attacker spoofs the sender’s email address to impersonate an executive or owner of a business. This attack usually targets an employee in the financial, accounting, or accounts payable departments.

Even smart, well-intentioned employees can be tricked into sending money when the request comes from someone they trust—especially an authority figure. Here are just a few high-profile examples of costly spoofing scams:

• The Canadian City Treasure was tricked into transferring $98,000 from taxpayer funds by an attacker claiming to be city manager Steve Kanellakos.
• Mattel was tricked into sending $3 million to an account in China, but it was lucky enough to claw back the money when the defrauded financial executive confirmed that CEO Christopher Sinclair did not send the email message.
• The Crelan bank in Belgium was tricked into sending attackers €70 million.

In addition to having a discerning team with an eye for suspicious emails, specific tools and technologies can help prevent email spoofing from becoming a threat.

• Secure email gateway: A secure email gateway can help protect against email spoofing by filtering out suspicious messages and blocking messages from known spoofed email addresses.
• Implement email authentication protocols: Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols work together to authenticate emails and prevent email spoofing.
  • Sender Policy Framework (SPF) is a security protocol set as a standard in 2014. It works with DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop malware and phishing attacks.
  • SPF can detect spoofed emails, and it’s become common with most email services to combat phishing. But it’s the domain holder’s responsibility to use SPF. To use SPF, a domain holder must configure a DNS TXT entry specifying all IP addresses authorized to send email on behalf of the domain.
  • With this DNS entry configured, recipient email servers look up the IP address when receiving a message to ensure that it matches the email domain’s authorized IP addresses. If there is a match, the Received-SPF field displays a PASS status. If there is no match, the field displays a FAIL status. Recipients should review this status when receiving an email with links, attachments, or written instructions.
• Use a secure email provider: Choose a secure email service provider that uses advanced security measures to protect against email spoofing and phishing attacks. For example, ProtonMail is a widely known and free-to-use secure email provider.
• Use email filters: Simple email filters limit the number of suspicious emails that get through to users’ inboxes. Email filters help detect and filter spoofed messages and block messages from known spoofed email addresses.
• Educate users: Train your people to identify and avoid spoofing attacks. Share ways to identify suspicious emails that should be reported before opening.

These are just some of the most common email security solutions that organizations use to better protect themselves from email spoofing and other types of cyber attacks.

Email Protection by Proofpoint is a comprehensive security solution that enables organizations to detect and block both known and emerging email threats, including spoofing, phishing, and other forms of social engineering.

Some of the key features that make Proofpoint’s Email Protection a number-one ranked email security solution include:

• Machine learning: Leverages machine learning to detect and block advanced email threats, including phishing, BEC, and email fraud.
• Domain protection: Protects against domain spoofing and fraudulent emails using trusted domains. It stops fraudulent emails at the Proofpoint gateway while protecting your organization’s reputation.
• Multilayered detection: Uses multilayered detection techniques, including signature-based detection and dynamic analysis, to prevent known and unknown threats.
• Secure email gateway: Deployable as a cloud service or on-premises, Proofpoint provides a secure email gateway that helps organizations defend against threats while ensuring business continuity and email compliance.

Learn more about Proofpoint Email Protection and how to make your email impenetrable against unauthorized users and advanced cyber threats. Contact Proofpoint to learn more about its world-class suite of cybersecurity products and solutions.