Email spoofing: What is it, its dangers, examples, and protection?

Jorge Felix - Cybersecurity Expert
Last updated: November 7, 2023

Email spoofing is an annoying, and often dangerous, trick used by attackers. It makes a forged email look authentic by tampering with its headers. This article explains all you need to know about it.

We have some bad news: we're pretty sure you've received a spoofed email at least once. Email spoofing goes after everybody, targeting private individuals and big corporations alike.

So let's consider your case. Have you ever found a message in your inbox that looked genuine, but you couldn't be sure? Say it was from somebody you know, but it contained a link asking you to do something out of character. To click or not to click; that is the question.

And if you followed the link, things looked even stranger. That doubt is exactly what the sender wants. It creates the chance that you'll follow the link and then the instructions on the landing page, and at that point you've fallen for it. Hopefully you saw where the link really pointed, realized it wasn't legitimate, and did nothing to compromise your security. But a lot of people do. That is email spoofing at work.

This article will tell you everything you need to know about email spoofing. Learn what it is, why people do it, and how to fight it successfully.

So what is email spoofing, anyway?

Email spoofing consists of sending an email with a forged sender address. The aim is to make the recipient believe the message comes from a trusted source. It's often the opening move of a phishing attempt, in which attackers try to squeeze sensitive information out of otherwise sensible people.

A spoofed email is often not hard to tell from a genuine one once you look at its headers. But its malicious intent, combined with a moment's inattention on the user's part, can turn it into a serious security risk.

Why are people spoofing emails?

The motivation behind email spoofing is no mystery: it's a criminal tool, adopted to steal private data of every kind. Here are the most frequent reasons for it:

  • Identity theft. Pretending to be a trustworthy party can help a criminal persuade the recipient to give away enough data to steal their identity.
  • Phishing. This is the most common reason for spoofing emails. It's an effective way to start a phishing attack: the goal is to make the recipient follow a malicious link to a page where they are persuaded to surrender essential data.
  • Bypassing spam filters. Nobody likes being blocklisted, and spammers are always fighting back, so their messages keep reaching us.
  • Anonymity. Email spoofing can be a way to hide identity.

Why email spoofing poses a risk

Email spoofing is a risk for individuals and organizations alike. What makes it dangerous is that it doesn't need to break into a system, guess a password, or bypass the usual security measures of any network or mail system.

Instead, the attack relies on the human being as the weakest link in the chain, especially if you can make them doubt. That is a powerful thing for attackers. It's the idea behind social engineering and why a man like Kevin Mitnick became such a successful hacker.

And the danger multiplies with frequency. You don't need to be a computer wizard to spoof email, so many more wrongdoers try it and many more attacks of this kind exist.

How can they spoof my email address?


Email runs on some of the oldest protocols still in daily use. SMTP has a simple text syntax, and nothing in that syntax checks that the sender is who the message claims: the address in the From header is just a line of text the sending server writes. Spoofing therefore comes in several flavors, each with a different level of effort and each forging a different part of the message.

Display name

In display-name spoofing, the only forged part is the sender's name. The attacker registers a free webmail account (Gmail or any other provider) under the name of the contact they want to impersonate. The giveaway is that the actual address behind the name belongs to that free account, not to the contact. Did you ever get that email from "Jeff Bezos" asking you for a bit of pocket money? There's your example.

This method's advantage is that it sails through most technical countermeasures. The sending domain is genuine (the attacker really does own that webmail account), so SPF, DKIM and DMARC all pass, and spam filters see a normal-looking message.

Mobile mail apps make it more effective because they have little screen space for metadata. Many show only the display name, which lends the forgery credibility.


Legitimate domains

Now think about an attacker who wants to look even more credible. Instead of relying on the display name, they forge the address in the From header itself, so the message appears to come from a mailbox at the real company's domain, with a display name such as "Customer Support Agent." Both the name and the address are fake, so it takes more vigilance to detect.

Achieving this doesn't require breaking into the targeted domain's network. SMTP doesn't verify that the From header matches whoever is actually sending, so any mail server the attacker can talk to, whether their own or a misconfigured one that relays for anyone (an open relay), will accept a hand-written From address and pass it on. A search on shodan.io turns up millions of Internet-facing SMTP servers, and a good number of them are misconfigured in exactly this way. A savvier attacker simply runs their own.


Lookalike domains

Some domains can't be spoofed this way: their owners publish strict SPF, DKIM and DMARC records, so a receiving server rejects mail claiming to come from them unless it really came from their infrastructure. Attackers get around that by registering a domain that looks so similar you won't notice unless you're paying attention. Think doma1n instead of domain, or rn in place of m, and you're on the right track. The smaller the difference, the better it works. After all, who really reads every email address that carefully?

These domains also slip through spam filters because they tend to look clean: the attacker owns them and can even publish valid SPF and DKIM records for them.

The technique works well enough that some users end up giving up a password or sending money, files, or sensitive documents. Unfortunately, you need to see the metadata in detail to know for sure what's going on, and you can't always do that, especially on mobile devices.
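As an added example (not code from the original article), here is how the three flavors described above look once rendered into a From header, together with the kind of recipient-side check a filter can run on that header alone. The contact, the addresses, the address book and the confusable-character table are all constructed for illustration. Note what such a check can and cannot conclude: a byte-identical copy of the real address is indistinguishable from the genuine article without SPF, DKIM and DMARC on the receiving server.

```python
# Added example, not code from the original article. The contact, the
# addresses, the address book and the confusable table are constructed.
from email.headerregistry import Address
from email.utils import parseaddr

# Constructed address book: what we believe each contact's real address is.
ADDRESS_BOOK = {"Jane Doe": "jane.doe@example.com"}

# Characters attackers swap in because they look alike in common fonts.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold confusable characters so doma1n, domain and dornain compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; lookalike domains usually sit at distance 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def make_from(display: str, local: str, domain: str) -> str:
    """Render a From: header value the way a mail client would."""
    return str(Address(display, local, domain))


# The genuine header and the three spoofing flavors derived from it.
GENUINE = make_from("Jane Doe", "jane.doe", "example.com")
DISPLAY_NAME = make_from("Jane Doe", "janedoe1975", "webmail.example")  # free account
EXACT_DOMAIN = make_from("Jane Doe", "jane.doe", "example.com")         # forged, byte-identical
LOOKALIKE = make_from("Jane Doe", "jane.doe", "examp1e.com")            # attacker-owned domain


def classify_from(header_value: str, address_book=ADDRESS_BOOK) -> str:
    """What a recipient-side filter can conclude from the From: header alone."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return "malformed"
    known = address_book.get(display)
    if known is None:
        return "unknown-sender"
    if addr.lower() == known.lower():
        # Identical to the real header: only SPF/DKIM/DMARC on the receiving
        # server can separate a forgery from the genuine message.
        return "exact-match-verify-with-auth"
    domain = addr.rsplit("@", 1)[1].lower()
    known_domain = known.rsplit("@", 1)[1].lower()
    if domain == known_domain:
        return "same-domain-different-mailbox"
    if normalize(domain) == normalize(known_domain) or edit_distance(domain, known_domain) <= 2:
        return "lookalike-domain"
    return "display-name-spoof"
```

Running `classify_from` over the four constructed headers labels the genuine and exact-domain copies identically, which is the whole point of that flavor; the display-name and lookalike cases are caught by comparing the address against the address book and folding confusable characters before comparing domains.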


So how do you stop email spoofing?

Well, the honest answer is: you can't eliminate it. Email spoofing is here to stay because SMTP, as designed in the early 1980s, has no built-in way to authenticate the sender. Both the envelope sender and the From header are assertions the sending server makes, and nothing in the protocol itself checks them.

However, the fact that you can’t eliminate email spoofing from the world doesn’t mean that you can’t fight it and minimize the damage it can do. A competent email admin will deploy some countermeasures that can go a long way in prevention.

For instance, the most reliable email providers layer additional checks on top of SMTP: Sender Policy Framework (SPF), which lists the servers allowed to send mail for a domain; DomainKeys Identified Mail (DKIM), which cryptographically signs messages with a key published in the domain's DNS; and Domain-based Message Authentication, Reporting and Conformance (DMARC), which ties the two to the From header and tells receivers what to do with messages that fail. Secure/Multipurpose Internet Mail Extensions (S/MIME) goes further by letting individual senders sign their messages end to end. Working in tandem, these tools let a receiving server identify forged messages and reject or quarantine them.
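As an added example (not code from the original article), the following evaluator shows how SPF and DMARC work in tandem to decide a message's fate, and why a lookalike domain can pass both. The DNS records, IP addresses and domain names are constructed; a real receiver queries DNS instead of the CONSTRUCTED_DNS table. It implements only the ip4, ip6, include and all mechanisms of SPF plus relaxed and strict DMARC alignment, not the full RFC 7208 and RFC 7489 behaviour, and DKIM signature verification is assumed to have been done elsewhere and is passed in as a result.

```python
# Added example, not code from the original article. DNS answers, IPs and
# domains are constructed; a real receiver queries DNS instead of this table.
import ipaddress

CONSTRUCTED_DNS = {
    # A well-configured domain: explicit sender list, hard fail, reject policy.
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    # A weak configuration: neutral on unknown senders, monitor-only DMARC.
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    # Domains an attacker owns: perfectly valid records, because they control the zone.
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "examp1e.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.examp1e.com": "v=DMARC1; p=reject",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of an SPF record (RFC 7208 subset)."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = mech.partition(":")
        # Membership test is False when address and network differ in IP version.
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and spf_check(arg, client_ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def org_domain(domain):
    """Crude organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same organization."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain, envelope_domain, client_ip,
                  dkim_domain=None, dkim_pass=False, dns=CONSTRUCTED_DNS):
    """Combine SPF and DKIM results under the From: domain's DMARC policy.

    dkim_domain/dkim_pass stand in for a signature check done elsewhere.
    Returns "pass", the published policy ("none", "quarantine", "reject"),
    or "no-policy" if the From: domain publishes no DMARC record.
    """
    raw = dns.get("_dmarc." + from_domain.lower(), "")
    tags = dict(t.strip().split("=", 1) for t in raw.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    spf_ok = (spf_check(envelope_domain, client_ip, dns) == "pass"
              and aligned(envelope_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

Two results are worth dwelling on. A forged From of example.com sent from the attacker's own domain passes SPF for attacker.example, yet DMARC still rejects it because the passing identifier is not aligned with the From domain; that alignment is what DMARC adds over SPF alone. And the lookalike examp1e.com passes everything, because the attacker controls that zone and published honest records for it: authentication proves who sent the mail, not whether you should trust them.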

And what can you do as an average user? You can have good email hygiene by adopting the following practices:

  • Use disposable addresses when you register for new accounts. This keeps your real private address out of the leaked and scraped lists that spoofers use as a starting point.
  • Choose good passwords. Spoofing doesn't require access to your account, but account takeover is worse: mail sent from a compromised account passes every authentication check. Strong passwords make that much harder.
  • Read an email's headers. The devil is in the details. There are expert spoofers out there who can make a fake email look completely kosher unless you look closely at the metadata. Vigilance is your friend.
  • Use unique passwords. Each of your accounts must have a unique password, period. Use a password manager if you must.
  • Change your password when there is any sign of compromise, such as a breach notice or an unfamiliar login. Rotating a strong, unique password on a fixed schedule adds little by itself.
  • Enable 2FA. Two-factor authentication on your email account makes it much harder to take over.

Protection from email spoofing

Imagine you receive a threatening email demanding a ransom. Now imagine the sender shown on it is you. We can probably agree quickly that you didn't send that message. So the first thing to do is keep your wits about you. Remember, spoofing is easy. Panic leads to doubt, and doubt is the attacker's goal; it's the doubt that makes you vulnerable.

So take a deep breath and start thinking. Your first order of business is to look at the full email header. Check the originating IP address in the earliest Received line, and look for the SPF, DKIM and DMARC results in the Authentication-Results line. If those checks fail, or the message never passed through your provider's servers, it was forged somewhere else and your account was not the source. If instead DKIM passes for your domain and the originating server is your provider's, the message really may have been sent from your account, and that's when you need to worry. In that case do everything you must to protect your identity and email: change the password, enable 2FA, and check the account for sessions and forwarding rules you don't recognize.

How to identify spoofed emails

It's time for some good news: spotting a spoofed email is usually straightforward once you look at the full header. All the vital metadata is there: From, To, Date, Subject, the Return-Path (the envelope sender), the chain of Received lines tracing the path through mail servers, and, if the receiving server ran SPF, DKIM or DMARC checks, their results in the Authentication-Results line.

How you get at this data depends on your provider, and it's easiest on a desktop computer. In Gmail, which many of us use, find the three vertical dots beside the reply button, click them, and pick "Show original." Other vendors and privacy-friendly Gmail alternatives have their own equivalents.
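As an added example (not code from the original article) of reading a full header, here is a small analyzer that pulls out the pieces that matter: the From address and display name, the Return-Path, the originating IP from the earliest Received line, and the SPF, DKIM and DMARC verdicts from Authentication-Results. The raw message, its hosts, IP addresses and Authentication-Results line are constructed for illustration. The same check answers the "am I the sender?" question from the previous section: a failed DMARC result and an originating IP outside your provider's network mean the message was forged elsewhere.

```python
# Added example, not code from the original article. The raw message below,
# its hosts, IP addresses and Authentication-Results line are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr

CONSTRUCTED_RAW = """\
Return-Path: <bounce@attacker.example>
Received: from mx.example.net (mx.example.net [203.0.113.25])
 by inbox.example.net with ESMTPS id abc123; Tue, 7 Nov 2023 10:00:05 +0000
Received: from mail.attacker.example (unknown [192.0.2.77])
 by mx.example.net with ESMTP id def456; Tue, 7 Nov 2023 10:00:01 +0000
Authentication-Results: inbox.example.net;
 spf=fail (sender IP is 192.0.2.77) smtp.mailfrom=attacker.example;
 dkim=none header.d=none;
 dmarc=fail (p=REJECT) header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
To: <you@example.net>
Subject: Urgent: payroll forms for review
Date: Tue, 7 Nov 2023 09:59:58 +0000

Please send me everyone's payroll forms before noon. Thanks, Jane
"""

FAILING = ("fail", "softfail", "permerror", "temperror")


def origin_ip(msg):
    """The first relay to accept the message wrote the LAST Received: header."""
    for hop in reversed(msg.get_all("Received") or []):
        match = re.search(r"\[([0-9A-Fa-f:.]+)\]", str(hop))
        if match:
            return match.group(1)
    return None


def auth_results(msg):
    """Collect the spf=/dkim=/dmarc= verdicts from Authentication-Results."""
    results = {}
    for line in msg.get_all("Authentication-Results") or []:
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(line)):
            results.setdefault(method, verdict)
    return results


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw):
    """Summarize the header fields that separate a forgery from a genuine message."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    mailbox = from_hdr.addresses[0] if from_hdr is not None and from_hdr.addresses else None
    display = mailbox.display_name if mailbox else ""
    from_addr = mailbox.addr_spec if mailbox else ""
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    auth = auth_results(msg)

    findings = []
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append("envelope sender is not in the From domain")
    if auth.get("spf") in FAILING:
        findings.append("SPF: sending server not authorized for the envelope domain")
    if auth.get("dkim") != "pass":
        findings.append("DKIM: no valid signature covering the message")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC: From domain failed alignment; the From header is forged")

    if auth.get("dmarc") == "pass":
        verdict = "authenticated"
    elif auth.get("dmarc") == "fail" or (auth.get("spf") in FAILING and auth.get("dkim") != "pass"):
        verdict = "spoofed"
    else:
        verdict = "inconclusive"

    return {"display_name": display, "from": from_addr, "return_path": return_path,
            "origin_ip": origin_ip(msg), "auth": auth, "findings": findings, "verdict": verdict}
```

Two points the code makes explicit: Received headers are prepended by each relay, so the earliest hop (and the IP you care about) is the last one in the list, and a Return-Path in a different domain from the From address is the envelope/header mismatch that the exact-domain flavor depends on. Keep in mind that Authentication-Results is itself just a header; trust only the copy added by your own receiving server.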

Email spoofing examples from the real world

In March 2016, Seagate staff received an email claiming to come from their CEO and requesting employees' W-2 forms. The staff mistook it for a legitimate internal request and handed over the forms, exposing employees' yearly salary data.

A Snapchat payroll worker likewise leaked colleagues' payroll data after an email spoofing attack: a message that appeared to come from the CEO asked for the information, and the employee complied because the email looked legitimate.

Conclusion

It is becoming increasingly common for threat actors to impersonate a reputable organization or individual via email spoofing to obtain confidential information. The good news is that there are effective ways to protect yourself against email spoofing. And luckily, you don't need to break the bank to do it.

FAQs

How does email spoofing work?
The attacker writes whatever they want into one of the message's header fields, typically the From address. This works because SMTP servers do not verify that the claimed sender of a message is genuine.

What types of email spoofing are there?
Spoofing comes in three flavors: display-name spoofing, spoofing of a legitimate (exact) domain, and lookalike domains.

What is the attacker after?
The attacker aims to deceive the recipient into giving up sensitive information.

What is the difference between a spoofed account and a hacked one?
An account can be spoofed without being hacked or taken over. When an account is hacked, the attacker has complete control over it, and the emails sent are genuine in that they really originate from your account. When your address is spoofed, the account itself is still safe: the spoofed emails look like they come from it, but they originate elsewhere.

What can I do if someone is spoofing my address?
Not much, beyond keeping your real account safe: set a strong, unique password, enable 2FA, and make sure it doesn't get hacked in the future. If you own the domain, publish SPF, DKIM and DMARC records so that receiving servers can reject mail that forges it.


About the Author

Jorge Felix


Cybersecurity Expert

Jorge Félix (Mexico City, 1975). Theoretical physicist specialized in Cosmology and Superstring Theory. He's been a writer on scientific and technological issues for more than 23 years. Has ample experience and expertise in computer technology and a keen interest in digital security issues.
