>

Glossary Home

What will I learn?

  1. What is email spoofing?
  2. How does email spoofing work?
  3. How to identify spoofing?
  4. Email spoofing types
  5. Example of spoofed email
  6. How to prevent email spoofing?

Glossary Home

Spoofing

What is email spoofing?

Spoofing is defined as the technique used by email fraudsters to trick recipients into opening potentially unsafe messages by forging certain contents in the header of the email. The recipient believes that the email had originated from a trusted sender and follows the steps given in the message leading to unexpected outcomes (such as account compromise, loss of personal data, etc.).

How does email spoofing work?

Emails use the Simple Mail Transfer Protocol (SMTP) to send messages across the internet. When a user sends an email, the message might travel between multiple servers before it reaches the intended recipient. Since SMTP does not have a built-in mechanism to authenticate the legitimacy of the email's source, cybercriminals can easily spoof the identity of the sender by modifying certain fields of the email.

Below are some of the fields which a spammer forges:

  • From - This is the email address which the recipients see when they receive an email. Users tend to open the message if the "From" address appears to be a trusted sender/ domain.
  • Reply-To - The "Reply-To" field specifies the email address to which the replies should be redirected to. Spammers add their preferred email address so that they get a response when a user replies to the spoofed email.
  • Return path - This is the email address to which the bounce messages are sent.

Attackers modify one or more of the above fields thereby forcing the recipients to make a mistake. The users will never know the real identity of the sender unless they inspect the original email header.

How to identify spoofing?

Spoofed emails often appear to have come from a legitimate source, but in reality, contain dangerous links or attachments such as a malware. It is therefore important that users stay vigilant and identify spoofed emails. Below are a few tips with which email spoofing can be identified:

  • Investigate the email header.
  • Observe discrepancies between the display name and the actual email address.
  • Skim through the email content for any sense of urgency.
  • Look for formatting inconsistency and grammatical errors.
  • Contact the sender and ensure the trustworthiness of the email before you click on URLs or download attachments.

Types of email spoofing

Email spoofing can take many forms:

  • Display name spoofing - The attacker fakes the identity or display name of a person that the email recipient might trust.
  • Domain spoofing - If the recipient has subscribed to emails from a trusted domain, the attackers can impersonate the domain to deceive them.
  • Look-alike domain spoofing - In this case, a domain mentioned in the email address is used to deceive the recipient visually by sending emails from a similar domain. For example, if the letter 'o' in the domain address is replaced with a '0', the recipient is visually tricked into believing that the email is from a trusted source.

Example of spoofed email

While there are many email spoofing instances, the example shown below is the most common which many users come across. The sample email shown below urges the recipient to reset his password.

Email spoofing

If an email is suspected as a spoofed, inspect the headers and view the original header information and look for any discrepancies such as display name spoofing, break in header chain etc. The images that follow are classic examples of how to identify spoofed emails using the header information.

Breakage in header chain

Identifying a spoofed email

Display name spoofing

Identifying a spoofed email

Note: The example is given only as a reference to guide users to stay vigilant about email spoofing. Actual email spoofing attempts can differ from case to case.

How to prevent email spoofing?

Certain email security protocols help administrators safeguard their domain from cybercriminals. If these protocols are not configured in the mail servers, there is no check on the sender's authentication and the domain is highly susceptible to attacks like email spoofing, phishing, spam, and other cybercrimes.

These protocols are:

  • Sender Policy Framework (SPF
  • DomainKeys Identified Mail (DKIM
  • Domain-based Authentication Reporting and Conformance (DMARC

In addition to configuring the email authentication protocols, follow some of the best practices given below to protect your organization's users from being a victim of spoofed emails.

Email security solution

Subscribe to an email security solution and set-up appropriate email filters, anti-spam policies, etc. Having stringent policies ensures your emails can be validated and marked as spam even before it reaches the recipient's inbox.

Inspect the email headers

Encourage recipients to check the email headers which provide the actual details of the sender, recipient, return-to path, etc. This information is used by the email servers to send the emails to the correct email address.

User education sessions

You organization's users are the first line of defence when it comes to email security. Conduct periodic user education sessions on the consequences of email spoofing and other cyberattacks.