What is email spoofing, and why is it so risky for your business? According to the FBI’s Internet Crime Report, close to 30,000 email spoofing attacks were reported in 2020, with losses of almost $217M. While some spoofing scams can be identified by their targets, many sophisticated schemes cannot.
In our guide to email spoofing, we’ll go over how spoofing works, how to identify spoofed emails, and how to protect your company from fraud.
Read about a real-life spoofing caper involving Microsoft and Google email credentials.
What is Email Spoofing?
Email spoofing happens when an email sender’s address is made to appear like it was sent by someone else, like a coworker, supervisor, or vendor. This type of phishing attack tricks targets into thinking they received an email from someone they trust, making them more likely to share sensitive data or click links that lead to malicious websites.
Typically a hacker will impersonate an employee to gain access to sensitive information, like W2 files or direct deposit details. However, cybercriminals also pose as known outside vendors to conduct more sophisticated phishing attacks.
The effects of email spoofing can be quite drastic for companies. Here are three reasons why spoofing is bad for business:
- Compromised security: The highest cost of email spoofing is the theft of sensitive data, like login credentials and bank information. With this data, a fraudster can quickly enter your accounts to gain access to even more personal information, corporate data, or even intellectual property. Hackers often sell this sensitive data online, meaning others can use your compromised data before you even realize you were scammed at all.
- Reputational damage: If your clients start to get emails that appear to come from your organization but contain malware or malicious links, they might reconsider working with you. If they fall victim to a phishing scam that impersonates your business or one of its employees, the damage to your brand could cost your company its reputation and professional relationships.
- Financial cost: Email spoofing has resulted in nearly $1 billion in business losses worldwide. Sometimes email fraud leads to a data breach, which now costs an average of $4.2 million per incident. In addition, email spoofing typically results in regulatory fines which can exceed millions of dollars if the fraud leads to a data breach or ransomware attack.
How Does Email Spoofing Work?
The primary mechanism behind spoofing is forging email syntax, which a hacker can do in several ways.
First, a hacker must set up an SMTP server or compromise an existing one. Then they can change the “From,” “Reply-To,” and “Return-Path” email address to disguise their messages as legitimate communications from the person or brand they are impersonating.
But why is it so easy to spoof emails? Simple Mail Transfer Protocol (SMTP) does not have a way to authenticate email addresses. In fact, with SMTP, you can manually change the “To” and “From” addresses, which is a critical element of spoofing.
With techniques like domain spoofing and lookalike domains, cybercriminals can deploy attacks that include malware, links to malicious websites, or seemingly legitimate requests for payment or money transfers.
Like any phishing attack, email spoofing uses social engineering to manipulate the target into sharing sensitive information. These techniques often involve stressing a task's urgency and creating a sense of fear that prevents the recipient from thinking clearly.
Types of Email Spoofing
Email spoofing is used in many kinds of phishing scams, from broader schemes to targeted attacks against specific companies and executives.
Here are three types of spoofing you should be aware of:
Legitimate Domain Spoofing
Legitimate domain spoofing is when the domain being spoofed is inserted into the “From” header. This simple technique disguises a fake email as a legitimate one without the recipient realizing it.
The following mail authentication methods were created to verify that an email was sent from the stated address.
- SPF (Sender Policy Framework) allows a mail domain owner to limit how many IP addresses can send email messages from a domain. SPF also enables the mail server to verify if the sender’s IP address is on the approved list. Instead of checking the “From” header like a user would, SPF validates the sender’s domain found in the SMTP envelope.
- DKIM (DomainKeys Identified Mail) adds a digital signature, known as a private key, to every outgoing message linked to a specific domain name. The server that hosts the domain holds the public key to authenticate this signature every time it's used. However, scammers can send fake emails without a DKIM signature.
- DMARC (Domain-Based Message Authentication, Reporting, and Conformance) checks the domain in an email’s “From” header to verify if it is a DKIM-SPF-authenticated domain. If the message fails authentication, DMARC can provide instructions on safely disposing unauthorized messages.
Lookalike Domain Spoofing
More sophisticated email spoofing attacks register new domains with names similar to the target organization’s. This method is complicated because the scammer needs to buy a specific domain, set up an email address, and add DKIM/SPF signatures and DMARC authentication. However, this also makes it more difficult for users to identify an email as fraud.
- Primary lookalike spoofing is when a domain name looks similar to the impersonated organization. For example, “Facebook” might be spelled as “Faceboook” with the hope that the recipient won’t notice. However, with some training, you can spot misspelled domains.
- Unicode spoofing is when an ASCII character in the domain name is replaced with a similar-looking character from the Unicode set. Languages with non-Latin characters (like the Cyrillic alphabet) use Unicode characters converted into ASCII characters to display the Latin alphabet. Using Unicode characters in their domain name, hackers can disguise the fake domain’s appearance when converted into ASCII characters.
Display Name Spoofing
Like Gmail and Outlook, many email clients hide the sender’s email address and show only the display name to streamline your inbox. Unfortunately, this means that fraudulent senders can use a fake display name without showing their email address.
Because this is most likely an actual email address, it is already protected by DKIM and SPF signatures so that the message will appear legitimate.
- Ghost spoofing is when a fraudster changes their display name to that of the person or company being impersonated, including the spoofed email address. For example, the display name might be “Apple email@example.com” when a legitimate email from Apple would have just “Apple” as its display name.
- AD (Active Directory) spoofing does not specify the spoofed email address as part of the name. However, the fake address features the person’s name being impersonated. Some scammers prefer this method because these messages can bypass typical spam filters.
How to Detect a Spoofed Email
By training your employees on how to detect a spoofed email, you can better protect your business from phishing attacks. Here are three common indicators of spoofing:
- The “From” address and display name don’t match: Although the display name might look legitimate, if you compare it with the “From” address and it doesn’t match, that is a sign of email spoofing.
- The “Reply-To” header doesn’t match the source: If the “Reply-To” address doesn’t match the supposed sender address or domain, then the message is likely fraudulent.
- The message content is unusual: Even if the email appears to come from a trusted source, unexpected messages (such as a request for sensitive information or an unsolicited attachment) should be opened with caution or reported directly to your IT department.
Guard Against Email Spoofing With Armorblox
Email spoofing has been around for decades, and it isn’t going away anytime soon. However, with cybersecurity vigilance and modern email security software, you can mitigate the impact that spoofing attacks could have on your business.
At Armorblox, we use advanced technology like machine learning and natural language understanding to analyze thousands of signals, learn different communication patterns, and prevent threats before they cause harm.
To learn more about how Armorblox protects against email spoofing, take a 5-minute product tour below.