Email spoofing is a type of cyberattack in which a threat actor sends messages with a fake sender’s email address.
In email spoofing, attackers can make it seem like an email is sent by a familiar person such as a colleague, partner, or manager. Spoofing is the process of manipulating the from: field to create the impression that the email is coming from a certain individual.
Spoofers can sometimes create an email address that seems authentic by replacing just one or two letters in a company name, such as “Arnazon” instead of “Amazon,” or other letter switches that are difficult to notice.
Email spoofing is a tactic designed to collect personal information and data from online users, take over their online accounts, deliver malware, or steal funds. According to some studies, targets tend to open an email that looks like a genuine one and seems to be from a trustworthy sender.
Spoofed email messages, for the most part, are either deleted or redirected to the spam folder. The problem starts the second a victim is tricked into opening an email and clicking on the malicious link that installs malware into their system.
Even though the majority of spoofed emails are easy to spot and can be addressed by simply deleting them, some varieties can have serious consequences.
The motivations behind email spoofing are simple. Typically, an attacker will use this tactic to acquire sensitive information such as SSNs, financial details, and so on. Many hackers do this for various reasons, but the most common is to obtain access to personal information.
Here are some other reasons for email spoofing:
Email spoofing is used for malicious activities such as:
Email spoofing is possible because of limitations in SMTP (Simple Mail Transfer Protocol), a technology responsible for allowing emails to be sent from one person to another.
SMTPs limitation is that it doesn’t verify if the email address in the “From” field is genuine.
Normally, even your computer could act as an SMTP server and send spoofed emails. However, Internet Service Providers have caught on to this tactic, so they block port 25, which is the one responsible for sending emails. But there’s an easy way around this.
If a malicious hacker wants to spoof an email, all he has to do is use any of the free online Simple Mail Transfer Protocol server services, write up the email, and then type in his desired email address in the “From” field and then click send. Or, he might use a dedicated program for email spoofing.
It doesn’t matter if he doesn’t actually own the email address since the SMTP server won’t bother verifying it.
However, if the person who received the email replied, then the reply would go to the inbox of the real owner of the address, not the malicious hacker. That doesn’t matter much to the spoofer, as long as you click the link or do the action requested in the initial email.
This won’t help every time. But will at least weed out malicious hackers that use a similar email address to the one they attempt to impersonate. For instance, they might use help@faceb00k.com or even stranger derivations.
Gmail is a secure email service provider that offers a useful and easy-to-use feature that lets you see if the email is genuine or not. All you have to do is to open up the email, and then click on the dropdown arrow underneath the sender’s name.
Next, look at the mailed-by and signed-by fields. If they are present, then there’s a high chance the email is genuine.
If there’s a mailed-by field, then it means the email was secured using SPF, if there’s a signed-by field, then the email was signed by DKIM. We’ll do a really quick overview of DKIM and SPF a bit later on. Most banks and major companies will go to great lengths to ensure their infrastructure is safe, so they will have these verification methods in place to counteract email spoofing.
Yahoo also offers an easy (if not as clean and elegant as Google) to check if an email message is legit, and coming from the real source. First, enter the email that interests you, and then click on the “Actions” button, represented by the 3 dots. Next, click on “View Raw Message”.
Next, you will be taken to a different page that has lots and lots of writing in notepad font. If you can’t find them easily, we suggest you press the search button and look for the following mentions:
If both these are a “pass”, then the email is legit.
This takes advantage of the fact that replies to spoofed emails are sent to the real owner, not the spoofer. Mind you, the email has to be identical to the real one.
For example, the malicious hacker impersonates the email of your good friend Andrew Bob: andrew@company.com. He sends you an email message asking for a $50,000 loan. You know from past experiences that’s actually his real email, so you send him a reply asking if the request is real. This reply goes into Andrew Bob’s inbox and not the spoofers.
If he replies and says yes, you’ll have to think if Andrew Bob can ever hope to repay you $50,000 dollars, or if his account got hacked. If he says he never requested $50,000 dollars from you, then it’s highly likely someone spoofed his email account.
However, if the email address is andrew@c0mpany.com (notice the 0 in “company”), then your reply will land in the malicious hacker’s inbox. For this reason, it’s extremely important to check if the email address is genuine or not.
Simply being aware that it’s possible for someone to fake an email address should be enough to make you suspicious of spoofed emails allegedly coming from friends, relatives, or work colleagues.
Having someone else spoof your company’s email address is bad for business, either because of losses or brand damage. Fortunately, there are a few measures you can take to prevent email spoofing, even for smaller sites belonging to bloggers or SMBs.
Short for Sender Policy Framework, SPF checks if the email sender’s domain name (the @gmail.com part) comes from a designated set of servers and IPs that can send emails from that domain.
The SPF will first check the email domain and after that the IP address of the device that sent it. If the sending device wasn’t authorized, then the email failed the SPF check, marking it as “fake”. The email client of the receiver will then read this “fake” marking, and either block the email or send it into the spam folder.
However, if the receiver hasn’t properly set up his email client, he will miss the “fake” sign, and allow the email message to go through.
This security method will signature stamp emails coming out of your domain with a public key published in the DNS. This signature acts as a seal of proof that the details in the “From” section are legitimate and haven’t been tampered with.
Unfortunately, DKIM has its weaknesses as well. For instance, a malicious attacker can use only the signed part of the email (the “From” section), and then attach malicious content to the unsigned part of the email. He then sends it over to the target. This is basically a classic replay attack.
DMARC is short for Domain-based Message Authentication, Reporting and Conformance (yes, it’s a huge mouthful). It aims to combine the best of SPF and DKIM into one single protocol and then adds extra functionality such as monitoring emails, quarantining them, and rejecting messages.
Employee training on email spoofing, like many cybersecurity measures, helps create a shield against cyberattacks that may circumvent technical defenses. It’s essential to invest time in educating your staff on how to distinguish genuine emails from spoofed ones. Then, run additional tests to determine who is still vulnerable to an email spoofing attempt. This will help make sure that all your employees have the information needed to act accordingly if they receive a spoofed email.
Email spoofing attacks can also affect your clients. That’s why consistent company branding in your marketing emails is crucial to avoid successful spoofing attacks. When your clients can easily identify a genuine email message from your organization, they will be able to recognize an email spoofing campaign.
An added benefit to implementing the above security features is that email clients will have more trust in your domain. Since you cut down on spammers and impersonators, email providers such as Gmail or Yahoo understand that messages coming out of your domain are the real deal, so there’s a smaller chance of sending them to the spam folder.
Email spoofing is a remarkably efficient approach that more and more threat actors employ in order to gain personal information by impersonating a reputable organization or individual in digital communication. The great news is that there are many actions you can take to help protect your business from email spoofing.
Heimdal has developed two email security software aimed against both simple and sophisticated email threats: Heimdal Email Security, which detects and blocks malware, spam emails, malicious URLs, spoofed emails, and phishing attacks, and Heimdal Email Fraud Prevention, a revolutionary email protection system against employee impersonation, fraud attempts – and BEC, in general.
For example, you may want to consider Heimdal Security’s Heimdal Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing attacks, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, and identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.