Email spoofing comes from the word spoof, which is basically another word for falsified. An email has been spoofed when the sender deliberately alters parts of the email to make the message appear as though the email sender, sends emails as someone else. Usually a spoofed email address will contain personal information such as the sender’s name or email address and the body of the message are formatted to appear as if they are from a legitimate source.
A spoofed message can appear to be sent from a coworker, a bank, a family member or any number of seemingly trustworthy sources. A good spoof is quite convincing and will look like any other email that you would normally receive. This is why email phishing remains one of the leading causes of business email compromises.
What are the reasons behind why people spoof email?
An email is usually spoofed as part of a phishing attack
A spoofed email may also be used to dishonestly market an online service or sell you a product that turns out not to be real. The goal of the email is to trick the recipient into making a damaging statement or releasing sensitive information, such as a password. If for example you’re receiving bounced email returned to you for messages that you did not send, this could be the result of spoofing.
How to Identify a spoofed message
It is imperative that all email users understand that emails that appear to be sent from colleague’s or friends can possibly be forged emails. This is the case when scammers will alter different sections of an email to disguise who the actual sender of the message is.
A user may be able to recognize a email spoofing attempt by hovering over the senders email address to see it in fact the expected email address. With some devices, this level of diligence may not be sufficient to view sender addresses and it will be necessary to open the email headers of a message to view data on email protocols.
Examples of properties with the email that are spoofed:
FROM email@example.com (This will appear to come from a legitimate source on any spoofed message and may make it through spam filters on receiving server)
REPLY-TO This can also be spoofed, but a lazy scammer will leave the actual REPLY-TO address. If you see a different sending address here, the email may have been spoofed.
RETURN-PATH This can also be spoofed, but a lazy scammer will leave the actual RETURN-PATH address. If you see a different sending address here, the email may have been spoofed.
SOURCE IP address or “X-ORIGIN” address. This is typically more difficult to alter but it is possible to alter the IP of the mail server.
These first three properties can be easily altered by using settings in your Microsoft Outlook, Gmail, Hotmail, or other email software. The fourth property above, IP address, can also be altered, but usually requires more sophisticated user knowledge to make a false IP address convincing on a smtp server.
In this example, it appears that the recipient has received a message from their office assistant, requesting money. The subject line should alert you immediately. This user should contact their assistant through another form of communication to confirm that they did not send this message. Next, you will want to discover who actually sent the message by opening the message headers.
From: field shows the message being sent from “Assistant” firstname.lastname@example.org. However, we can also see that the
REPLY-TO: field lists email@example.com. That is a clear cut example of a spoofed message. You will want to Blacklist any address you find in the
REPLAY RETURN-PATH, and SOURCE IP field that is not an address/IP you normally receive mail from. For more information on viewing and understanding email headers, please see View email headers in Webmail.
How to fight email spoofing
The first line of defense against this abuse is user education, If a user receives a spoofed message, please advise them to do the following.
- Blacklist any address/IP listed in the REPLY-TO, RETURN-PATH, or SOURCE IP found within the email headers that you have determined to be fraudulent. See Blacklist addresses, domains, and IPs in Webmail for instructions.
- Immediately change the password of your email account if you or your users provided that information at any point.
- Alert other employees within your business of the situation.
- Talk to your email administrator about enabling sender policy framework (SPF), DKIM and a DMARC policy on your email domain.
Spoofing is possibly the most frustrating abuse issue to deal with, simply put, because it cannot be stopped.
Spoofing is similar to hand-writing many letters, and signing someone else’s name to it. This makes tracing or tracking the activity extremely difficult.
If you are an individual and looking to report an abusive email, we recommend reporting email abuse. Our anti-abuse specialists will process the complaint and take the necessary remediation steps.