Email spoofing is used in spam and phishing attempts to trick users into thinking a communication came from someone or something they know or can trust. The sender forges email headers in spoofing attacks, so client software shows the false sender address, which most users believe at face value. Users will see the bogus sender in a message unless they study the header more closely. They are more likely to trust a name they know. As a result, they’ll click on fraudulent sites, open virus attachments, transfer personal information, and even wire money.
How it Works
The purpose of email spoofing is to deceive people into thinking the email is from someone they know or can trust, which is usually a colleague, vendor, or brand. Then, the attacker takes advantage of such trust by asking the recipient to reveal information or do some other action.
An attacker might create an email that appears to come from PayPal as an example of email spoofing. The message warns the user that their account will be suspended if they do not click a link, authenticate on the site, and change their password. If the user is deceived and inputs credentials, the attacker now has access to the targeted person’s PayPal account and might potentially steal money.
More sophisticated assaults target financial staff and rely on social engineering and online surveillance to dupe a user into paying millions of dollars to an attacker’s bank account. A faked email message appears real to the recipient, and many attackers include components from the official website to make the message more credible.
When a user sends a new email message using a standard email client (such as Microsoft Outlook), the sender address is automatically input. However, an attacker can send messages programmatically using basic scripts in any language that configure the sender address to the desired email address. The sender address can be specified in an email API endpoint regardless of whether the address exists. Outgoing email servers also have no way of knowing if the sender’s address is accurate.
The Simple Mail Transfer Protocol (SMTP) retrieves and routes outgoing emails. When a user selects “Send” in an email client, the message is initially sent to the client software’s outbound SMTP server. The SMTP server recognizes the receiving domain and forwards the message to that domain’s email server. The message is then routed to the correct user mailbox by the recipient’s email server.
The IP address of each server is logged and provided in the email headers for each “hop” an email message takes as it travels over the Internet from server to server. Many consumers do not check DKIM records or headers before connecting with an email sender, although they reveal the genuine route and sender.
The Reply-To field is another common phishing component. This field can potentially be customized by the sender and utilized in phishing attacks. The Reply-To address, which can differ from the sender’s address, instructs the client email software where to send a reply. Email servers and the SMTP protocol, once again, do not verify if this email is genuine or fraudulent. It is up to the user to notice that the reply is being sent to the incorrect person.
There are two sections to look through in these email headers, who initially handled the email. For example, the email server email.random-company.nl is the first hint that this is a case of email spoofing, according to the “Received” section. However, the best field to examine is the Received-SPF part to see its rating.
In 2014, the Sender Policy Framework (SPF) was established as a standard. To thwart malware and phishing attacks, it works with DMARC (Domain-based Message Authentication, Reporting, and Conformance). SPF can detect faked email, and most email services now use it to combat phishing. However, it is the domain owner’s responsibility to implement SPF.
Commonality of Attacks
It isn’t easy to count the amount of faked emails sent and received every day. First, however, we may look at how many spoofing-related cybercrime instances are recorded each year. The yearly report of the Internet Crime Complaint Center (IC3) of the United States Federal Bureau of Investigation (FBI) is an excellent place to start. The IC3 reported in 2020 that:
- The IC3 received 28,218 spoofing complaints (up from 25,789 in 2019).
- Over $216.5 million was lost as a result of spoofing complaints.
Note that events involving faked phone numbers are included in the IC3’s definition of “spoofing.” However, we already know that email is the starting point for 96% of phishing assaults. There are several examples of destructive email spoofing efforts, and the COVID-19 pandemic has made it easier than ever for fraudsters to dupe unsuspecting victims.
For example, in October 2021, a threat actor was discovered spoofing Philippine government email addresses and sending false communications concerning COVID-19 to shipping, manufacturing, and energy companies. Now that you know what email spoofing is and how dangerous it can be keep reading to find out how to protect yourself against it.
Reasons Email Spoofing
Cybercriminals may impersonate a sender’s address for a variety of reasons, including:
- Conceal Identity Of The Sender: Creating an anonymous email address can also be accomplished. However, this is usually done as a larger cyber-attack or scam.
- Avoid Blacklists For Spam: Spammers will utilize spoof email addresses to get around spam filters. This risk is reduced because you can block specific IP addresses or ISPs.
- Pretend To Be Someone You Can Trust: Scammers use email spoofing to pose as a friend or colleague requesting money from you.
- Pretend To Be A Reputable Company: Phishing pages meant to access bank accounts and credit card details can be found in spoof emails from financial organizations.
- To Smear The Sender’s Reputation: Email spoofing can be used to smear the reputation of an organization or individual.
- To Commit Identity Theft: The attacker can impersonate the victim’s email account and request access to personally identifiable information (PII).
- To Distribute Malware: Spoofing the email address increases the likelihood that the receiver will open the email and any attachments that may contain malware such as WannaCry ransomware. Anti-malware software and network security are critical components of any cyber security strategy.
- A Man-In-The-Middle Attack: As part of a sophisticated man-in-the-middle assault, cyber thieves may use email spoofing to steal your company’s vital information or trade secrets as part of corporate espionage.
- Get Access To Your Sensitive Information: Your vendor risk management and third-party risk management frameworks must include email security. If your vendors have access to client information, preventing email spoofing is just as critical for them as it is for you. Third-party and fourth-party risks include email spoofing, so be sure to invest in supplier risk management software.
How to Protect Yourself
Some malicious email messages make it into users’ inboxes even with email protection. However, there are numerous actions you may take to avoid becoming a victim of email spoofing, whether you’re a financial decision-maker or someone who uses personal email at work:
- Never click a link to get to a website that requires authentication. Always enter the official domain into your browser and authenticate there.
- Because the processes for viewing email headers vary depending on the email client, seek up how to view email headers for your inbox program first. Then, open the email headers and check for a PASS or FAIL response in the Received-SPF part of the headers.
- Enter the contents of the email into a search engine. The text used in a typical phishing attempt has already been disclosed and published on the Internet.
- Be wary of emails from an official source with poor spelling or language—open attachments from unknown or dubious senders with caution. Emails promising wealth—or anything else that seems too good to be true—are almost certainly a hoax.
- Be wary of emails that make you feel rushed or threatened. Phishing and BEC attempt to bypass recipients’ inherent skepticism by implying that something horrible will happen if they don’t act promptly. Instead of clicking on the link in the email, go to the website directly through your browser.