
Email Spoofing: What is It and How to Protect Yourself

Last updated on February 4, 2021

Email spoofing is the forging of a message's sender information so that recipients believe it came from someone they know. It's most often used in phishing and spam campaigns to harvest personal information, like credit card numbers and passwords.

The sender forges the message headers, most importantly the From: line, so that the recipient's inbox displays an address the attacker does not actually control. For users who don't scrutinize every email they get, spoofed messages easily slip under the radar, with recipients believing they come from a legitimate, trustworthy person or company.

The core email protocol, SMTP, has no built-in way to verify that the sender named in a message is who it claims to be. Authentication was bolted on later through separate standards (SPF, DKIM and DMARC) that a domain owner has to publish and a receiving server has to enforce; wherever that hasn't happened, spammers slip through the cracks.

Read on to find out how it works and how users can protect themselves against potential attacks.

How Email Spoofing Works

The most common form of email spoofing is a sender pretending to be someone else, often a well-known retail business asking the recipient to "confirm" a password or a credit card number.

Alternatively, recipients might be sent a link promising a too-good-to-be-true deal. When the user clicks it, the page either harvests their login details or tries to download malware onto their device, which can then be used to extract personal information at a later date.

At best, being a victim of email spoofing is a nuisance. At worst, it can lead to identity theft and expensive fraudulent payments.

So how is something so bad still allowed to happen?

It's made possible because the Simple Mail Transfer Protocol (SMTP) does not authenticate the sender: a receiving server accepts whatever address the sending party puts in the MAIL FROM command and whatever address it writes in the From: header, and the two don't even have to match. SPF, DKIM and DMARC have been added over the years to close this gap, but adoption is slow and uneven, and spoofers quickly switch domains or infrastructure if there's a whiff of getting caught.

Here’s how it usually goes.

The spoofer generally looks for a mail server that will relay messages for anyone (an open relay), which means their forged sender address is accepted with very lax or, in most cases, non-existent checking. If they're particularly savvy, they set up their own mail server, which naturally demands no authentication from them at all. This is particularly common in CEO and CFO fraud, often called business email compromise.

The attacker then registers a domain that is easily confused with the real company's. For example, they might change or transpose a single letter, swap in a look-alike digit or character, or add a suffix such as "-billing" to the end of the name. Again, for email users who don't scrutinize every single message in their inbox, a difference that small is hard to detect.
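To make the gap concrete, here is a small added example (not code from the original article) showing the two sender identities a receiving server sees: the envelope sender from the MAIL FROM command, which the receiver records in the Return-Path header, and the From: header the recipient actually reads. It then applies the same domain comparison DMARC uses for SPF alignment. The messages, addresses and domains are constructed for illustration, and the organizational-domain shortcut is a deliberate simplification of what DMARC does.

```python
"""Envelope sender vs. header From: why a receiving server cannot tell a
spoofed From: from a real one without SPF/DKIM/DMARC."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample of what a receiving server stores after a spoofer
# connects. Return-Path is the envelope sender (RFC 5321 MAIL FROM) as
# recorded by the receiver; From: is free text the sender supplied in DATA.
SPOOFED = """\
Return-Path: <bounce@mailer-attacker.example>
Received: from mx.mailer-attacker.example (203.0.113.7)
        by mx.recipient.example with ESMTP; Thu, 04 Feb 2021 09:12:31 +0000
From: "Big Retail Billing" <billing@bigretail.example>
Reply-To: <support@bigretail-billing.example>
To: <victim@recipient.example>
Subject: Your card was declined - update your details now

Please confirm your card number at the link below.
"""

# Constructed legitimate counterpart: envelope and header agree.
LEGIT = """\
Return-Path: <bounce@bigretail.example>
From: "Big Retail" <billing@bigretail.example>
To: <victim@recipient.example>
Subject: Your receipt

Thanks for your order.
"""


def domain_of(addr_header) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC uses the Public Suffix List; this assumption breaks on
    suffixes like co.uk."""
    return ".".join(domain.split(".")[-2:])


def check_alignment(raw: str, relaxed: bool = True) -> dict:
    """Compare the envelope sender (Return-Path) with the header From: the
    way DMARC's SPF-alignment test does, and flag a drifting Reply-To."""
    msg = message_from_string(raw, policy=policy.default)
    envelope = domain_of(msg["Return-Path"])
    header_from = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else header_from
    if relaxed:
        aligned = org_domain(envelope) == org_domain(header_from)
    else:
        aligned = envelope == header_from
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "reply_to": reply_to,
        "spf_aligned": aligned,
        "reply_to_mismatch": reply_to != header_from,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_alignment(raw))
```

Nothing in the SMTP exchange itself stops the spoofed message: the server that accepted it had no reason to compare mailer-attacker.example with bigretail.example. The comparison only happens if the receiver looks up bigretail.example's DMARC policy and the domain owner has published one.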

Main Purposes for Email Spoofing

The end goal of email spoofing is usually to obtain some kind of personal information: a password, a credit card number or a social security number. But attackers run spoofing campaigns for a few other reasons as well.

They might want to:

  • Hide their true identity (although there are far easier ways to do this, like simply creating an anonymous email address)
  • Pretend to be someone the recipient knows or trusts, so the recipient feels comfortable handing over personal information
  • Get past spam block lists, which are keyed to the reputation of the sending domain, so the message lands in the inbox rather than the spam folder
  • Impersonate a business the recipient already has a relationship with, again to obtain personal information like login details
  • Damage the reputation of the sender they are pretending to be
  • Commit identity theft

It's safe to say that there are no good reasons for email spoofing. The few uses that are harmless can be achieved in other ways.

Protecting Yourself from Email Spoofing

After reading this, you probably want to secure your emails and protect yourself from potential email spoofing – we don’t blame you.

Common giveaways that an email isn’t legit include:

  • a misspelt or look-alike domain name in the sender's address
  • unprofessional, over-familiar or threatening language
  • sloppy formatting, spelling or grammar
  • branding and logos that don't look quite right
  • attempts to pressure you into acting quickly
  • an offer that sounds too good to be true
  • the lack of a proper email signature with full contact information

If you look up the domain in the sender's address and it belongs to a company that has nothing to do with what the email talks about, that's another clear sign the address has been spoofed. Check the Reply-To address as well; it often points somewhere else entirely. If in doubt, err on the side of caution.
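The look-alike domains described under "How Email Spoofing Works" and the misspelt-domain giveaway above can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it decodes punycode, folds digits and Unicode confusables back onto the letters they imitate, and measures how far a sender's domain is from a short list of trusted ones. The trusted list and sample domains are constructed, the confusables table is a small hand-picked subset, and the "label left of the TLD" shortcut stands in for a proper Public Suffix List lookup.

```python
"""Flag sender domains that only look like a trusted domain."""
import unicodedata

# Domains the recipient genuinely deals with (constructed list).
TRUSTED = {"bigretail.example", "paypal.example"}

# Glyphs commonly substituted for Latin letters. A hand-picked subset,
# not the full Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0456": "i",  # Cyrillic look-alikes
    "\u0131": "i",                                # dotless i
}

# Lower rank = more severe finding.
VERDICT_RANK = {"trusted": 0, "confusable": 1, "typo": 2,
                "brand_embedded": 3, "unrelated": 4}


def normalize(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels to Unicode, apply NFKC,
    then collapse confusable glyphs onto the letters they imitate."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, nothing to decode
    domain = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'paypla' is 1 edit from 'paypal'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_label(domain: str) -> str:
    """Label just left of the TLD ('bigretail' in 'bigretail.example').
    Assumes a one-label public suffix; real code would consult the PSL."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str) -> tuple:
    """Return (verdict, trusted domain it resembles); '' when unrelated."""
    raw = sender_domain.strip().lower().rstrip(".")
    norm = normalize(raw)
    best = ("unrelated", "")
    for trusted in sorted(TRUSTED):
        trusted_norm = normalize(trusted)
        brand = registrable_label(trusted_norm)
        if raw == trusted:
            verdict = "trusted"              # exact, unmodified match
        elif norm == trusted_norm:
            verdict = "confusable"           # identical once glyphs are folded
        elif edit_distance(registrable_label(norm), brand) <= 1:
            verdict = "typo"                 # one edit away from the brand
        elif brand in norm:
            verdict = "brand_embedded"       # brand plus prefix, suffix or subdomain
        else:
            verdict = "unrelated"
        if VERDICT_RANK[verdict] < VERDICT_RANK[best[0]]:
            best = (verdict, trusted)
    return best


if __name__ == "__main__":
    samples = ["bigretail.example", "bigretial.example", "paypa1.example",
               "bigret\u0430il.example", "bigretail-billing.example", "example.org"]
    for s in samples:
        print(f"{s:32} -> {classify(s)}")
```

Anything other than "trusted" deserves a second look before acting on the message. A registered look-alike domain passes SPF, DKIM and DMARC perfectly well, because the attacker really does own it, so this kind of comparison is the only automated check that catches it.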

Most email providers are good at identifying spam and spoofing attempts, largely by checking SPF, DKIM and DMARC on incoming mail, and such messages usually end up in your spam folder. They don't catch everything, though: a look-alike domain the attacker has legitimately registered passes those checks, which is why the giveaways above still matter.

Keep An Eye Out For Suspicious Emails

Email spoofing is a common fraudulent activity simply because it's so easy: the underlying protocol puts up no authentication barrier of its own, and the add-on checks only help where senders and receivers have deployed them.

If targeted, it can damage both the recipient and the company being impersonated, and can lead to identity theft and credit card fraud. Avoid becoming a victim by watching for the warning signs above and treating any unexpected request for personal information with suspicion.