What Is Email Spoofing? How It Works and How To Prevent It

Email spoofing is a method to send emails with a forged sender address, often used to deliver spam and phishing attacks. A strong email security framework can detect and prevent it.

Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.

This guide explores how to prevent email spoofing attacks by creating awareness and increasing recognition of spoofed emails, allowing individuals and businesses to defend themselves against this type of targeted attack.

What is Email Spoofing?

Spoofing remains one of the most common forms of online attack, with 3.1 billion domain spoofing emails delivered per day. To complete the scam, the sender of a spoofed email forges an email address or email header to trick the recipient into believing the message originates from a trusted contact.

The well-known fact that email protocols lack built-in authentication makes email spoofing a favorite tactic of cybercriminals worldwide. It’s also one of the easiest online attacks to perform since it requires little technical experience.

What is the Goal of Email Spoofing?

The ultimate goal of sending from a spoofed email address is to trick the recipient into opening the message and either clicking a link or responding to its contents. The sender relies on impersonation to complete their scam, with the goal of encouraging the recipient to interact with its malicious content—whether by entering credentials into a site, sending money directly to the attacker, or downloading malware to their computer, among other nefarious acts.

Not all spoofing incidents are serious. However, more harmful spoofed email communications can cause significant damage. Some of the more serious risks associated with spoofing include:

  • Malware insertion

  • Identity theft

  • Access to personal/business assets

  • Spam filter avoidance

  • Reputational damage

  • Financial losses

Regardless of the goal of the attacker, spoofing can cause serious damage and disruption to organizations. Understanding how these attacks function is the first step to preparing an email spoofing prevention strategy.

How Does Email Spoofing Work?

Phishing through spoofing attacks requires little technical expertise, particularly because Simple Mail Transfer Protocol (SMTP), the standard communication protocol for emails, has no procedure for authenticating email addresses.

However, organizations have options at their disposal to overcome this dangerous flaw in SMTP. Various tools have emerged to combat spoofing, but industries have been slow to adopt them widely. As a result, organizations on the receiving end of these emails need to be prepared to block them before they can become harmful.

How it Happens

The simplest way to create a spoofed email is for an attacker to find a mail server with an open SMTP port. SMTP includes minimal protections, so an open port offers an easy way for attackers to begin a spoofing campaign. More intelligent attackers may even create a separate email server entirely. There have been notable incidents of attackers using this method to commit executive impersonation and CEO fraud, racking up billions of dollars in losses.

Attackers may also create email addresses that closely resemble those of the organizations or individuals they wish to spoof. Ordinary users may not realize they’ve received a spoofed email because the two addresses look so similar. A common example includes replacing “O” with “0” or “l” with “1”.

Email spoofing isn’t a particularly sophisticated type of attack, but it’s undoubtedly effective. Those unfamiliar with how to spot a spoofed email are far more vulnerable to falling for these attacks than those who’ve done their research.

Tools Used by Attackers

Attackers use a variety of tools to accomplish their goals. To more effectively cloak the deception, attackers may set their sights on a target and carry out reconnaissance through research. Typically, a combination of personal and publicly available data will form the basis of a focused spoofing campaign.

Other vital tools attackers use for email spoofing include:

  • SMTP Server: Most SMTP servers are purchased through reputable web hosting companies. Sometimes, attackers may install the server on their own system using port 25.

  • Mailing Software: This is used to send out emails. PHP Mailer is a popular option because it uses an open-source PHP library and is easily accessed.

These two tools are all an attacker needs to begin a spoofing campaign, which is why 91% of all successful cyberattacks begin with a simple email message. With their target acquired and everything in place, all an attacker has to do is compose an email in PHP Mailer and enter whatever address they want to target in the “From” field. And because it’s so easy, an attacker can send out thousands of spoofed emails per day, increasing the chances that at least a few people will respond.

What Does Email Spoofing Look Like?

Figuring out how to stop email spoofing isn’t rocket science; you just need to know what to look for. The majority of spoofing campaigns attempt to extract personal information or install malware by utilizing common household names, known executives, or friendly vendors, encouraging recipients to click a link in the email or download an attachment. If you know how to recognize a spoofed email, you know not to fall for their tricks.

For example, one of the most common types of spoofing campaigns involves PayPal. The spoofed email will claim that the receiver’s account has been suspended, and they need to click on the link in the email to resolve the issue. The email looks official, almost exactly like an email from PayPal would.

But when the user clicks the link, their PayPal username and password will be stolen through the fake domain. When this PayPal account is associated with a business, these consequences are even more dire.

Other examples of popular phishing campaigns include:

  • Credit Card Confirmation: This type of campaign sends messages to thousands of consumers claiming that their credit card information may have been compromised. These emails include a link for the user to “confirm” their credit card details.

  • Wire Transfer Request: The victim receives an urgent email from the CEO or other executive requesting a wire transfer to a known partner. Due to the urgency of the email, the victim transfers the funds to the partner, not realizing that they’ve fallen victim to spoofing.

  • Tech Support Request: An employee receives an email from their corporate IT department asking them to install a piece of software. The email looks real, but when the employee acts, they’re actually injecting ransomware directly into the company network.

While many spoofing campaigns may seem amateurish, these exact scenarios have caused billions of dollars in losses for individuals and businesses worldwide.

What Happens If I Fall Victim to Email Spoofing?

The consequences of falling victim to a spoofed email address attack can be devastating. Sensitive information such as passwords, bank account numbers, and Social Security numbers (SSNs) can be used to commit identity theft and fraud.

Some examples of the more dire consequences of email spoofing include:

  • Loss of revenue

  • Decline in customer confidence

  • Credit card fraud

  • Utility fraud

  • Dark web leaks

It’s safe to say that victims of spoofing can see their business operations upended completely, which is why knowing how to stop spoofing emails is essential for protecting data. Some small businesses that have suffered a spoofing attack have taken years to recover financially from the fallout, simply because someone opened an email or clicked on a link a little too quickly. Even larger companies can see dire consequences, often resulting in drops in stock prices and loss of consumer confidence.

How Do I Prevent Email Spoofing?

Because many organizations do not have email spoofing protections in place to prevent their email addresses from being spoofed, businesses that receive these emails must remain vigilant and prevent spoofed messages from slipping through the cracks.

Although modern email providers use intelligent spam detection procedures to automatically eliminate most spoof messages, committed attackers bypass these traditional filters.

Figuring out how to stop email spoofing on Gmail and Outlook requires a new type of email security platform that can detect these scams. Organizations should also consider security awareness training, which can help employees recognize when they might have received a spoofed email, and react to it appropriately.

How to Recognize Email Spoofing

There are several methods used to recognize a coordinated phishing campaign. Often, spoofed messages are simple enough to spot. For example, if you receive an email from Bill Gates or a Nigerian prince, it’s quite obvious that this is a scam.

But for the more believable spoofs, such as the PayPal example discussed earlier, look at the email headers. For example, pay close attention to the display name: make sure it matches the domain of the sending address, and that this domain is the one you expect to receive email from.

Finally, always be wary of any message that attempts to create a sense of urgency. Every request for wire transfers, gift cards, or sensitive information should be double-checked and confirmed via another source, such as chat or phone call, before sending the requested money or documentation.
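The header checks described above, together with the digit-for-letter lookalikes mentioned earlier (“0” for “O”, “1” for “l”), can be automated on the receiving side. The following Python code is an added example, not part of the original article; the trusted domain example.com, the two sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: domains you expect mail from
SWAPS = str.maketrans("01", "ol")   # undo "0"-for-"o" and "1"-for-"l" swaps

def domain_of(value):
    """Lower-cased domain of an address header value, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return the spoofing indicators found in one raw message."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    found = []
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_dom == trusted or from_dom.endswith("." + trusted):
            continue
        # Lookalike: equals a trusted domain once the digit swaps are undone.
        if from_dom.translate(SWAPS) == trusted.translate(SWAPS):
            found.append("lookalike-domain")
        # Display name carries the brand, but the address is at another domain.
        if trusted.split(".")[0] in display:
            found.append("display-name-mismatch")
    # Replies would go to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-mismatch")
    # Verdict stamped by the receiving server; trust only your own server's copy.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", results)
    if verdict and verdict.group(1).lower() != "pass":
        found.append("dmarc-" + verdict.group(1).lower())
    return found

# Constructed sample headers, not real traffic.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=softfail; dmarc=fail header.from=examp1e.com
From: "Example IT Support" <helpdesk@examp1e.com>
Reply-To: helpdesk@mail.example.net
Subject: Urgent: install the attached update
"""
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
From: "Example IT Support" <helpdesk@example.com>
Subject: Scheduled maintenance
"""
```

Calling spoof_indicators(SPOOFED) reports all four indicators, while the same display name sent from the genuine domain produces none.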

Best Practices and Tips to Avoid Email Spoofing

Due to the lack of built-in address authentication inherent within SMTP, several frameworks have been developed to overcome this vulnerability.

These frameworks are vital for defending against a spoof email address campaign. The most popular options include:

  • SPF (Sender Policy Framework): Automatically checks whether an IP is authorized to send emails from a specific domain.

  • DKIM (DomainKeys Identified Mail): Signs all outgoing messages using a pair of cryptographic keys (a private key to sign, a public key to verify), which also lets receivers validate incoming messages.

  • DMARC (Domain-Based Message Authentication, Reporting, and Conformance): DMARC allows the sender to inform the receiver that the email has been protected by SPF/DKIM protocols.

All organizations should have these protections in place, but research shows that a majority do not. As a result, recipients must take action to prevent these attacks from bypassing their security infrastructure. In addition, employees should remain vigilant and wary of requests for money or personal information.
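Whether a domain actually has these protections in place can be read from its published SPF and DMARC records. The following Python code is an added example, not part of the original article; it audits record strings supplied inline rather than querying DNS, and the domains weak.example and strict.example, their records and the function names are constructed for illustration.

```python
def audit_spf(txt_records):
    """Findings for the TXT records at the domain apex regarding SPF."""
    spf = [r.lower().split() for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf: no record, receivers cannot check the sending IP"]
    if len(spf) > 1:
        return ["spf: multiple records, receivers treat this as an error"]
    terms = spf[0][1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record; audit that one instead
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["spf: no 'all' term, unlisted senders are not failed"]
    if all_term in ("all", "+all"):
        return ["spf: +all authorizes every IP address"]
    if all_term in ("~all", "?all"):
        return ["spf: %s does not hard-fail unlisted senders" % all_term]
    return []

def audit_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["dmarc: expected one record, found %d" % len(recs)]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    found = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        found.append("dmarc: p=%s, receivers take no action on failing mail" % policy)
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        found.append("dmarc: pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        found.append("dmarc: no rua address, no aggregate reports arrive")
    return found

# Constructed records for two placeholder domains (no DNS lookup is made).
ZONES = {
    "weak.example": (["v=spf1 include:_spf.mailhost.example ~all"],
                     ["v=DMARC1; p=none"]),
    "strict.example": (["v=spf1 ip4:192.0.2.0/24 -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
}

def audit(domain):
    """SPF findings followed by DMARC findings for one constructed zone."""
    apex_txt, dmarc_txt = ZONES[domain]
    return audit_spf(apex_txt) + audit_dmarc(dmarc_txt)
```

DKIM is not covered here because its public keys are published under per-sender selector names that cannot be derived from the domain alone.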

Other best practices include:

  • When a link is present and credentials are requested, manually type in the domain and access any accounts from there rather than clicking on any email links.

  • Take the time to raise awareness about email spoofing. Businesses can do this by creating security awareness training programs for employees, particularly during Cybersecurity Awareness Month.

  • Copy and paste email contents into a popular search engine like Google. Chances are that others have reported the same email as a scam already.

  • Avoid opening attachments from suspicious senders.

While the consequences of falling victim to spoofing can be grim, a commitment to prevention can beat back the vast majority of phishing campaigns.

Email Spoofing: Bottom Line

Spoofing campaigns are rarely given the same attention as ransomware or other high-profile attacks. However, they deserve additional awareness, as they lead to billions of dollars in losses globally for individuals and businesses.

Thankfully, spoofing is a relatively simple attack to thwart. For example, Abnormal Integrated Cloud Email Security is capable of spotting all types of spoofed emails, including uncommon signs other security solutions miss. Using hundreds of thousands of signals, including DMARC and SPF, Abnormal can stop email spoofing attacks before they reach inboxes, alongside dozens of other attack types.

Automated anti-spoofing solutions are critical for any organization looking to mitigate and prevent damage caused by this form of cyberattack. With the right solution in place—one that uses a behavioral data science approach to understand the normal and stop the abnormal—you can be sure that your organization is protected from all types of email spoofing.

