Email spoofing is when a scammer uses a familiar company or individual to trick recipients into thinking that the email they’ve received is from a trusted source. Typically, these emails have bad intentions and can lead to personal and professional security issues.
These days, it’s common for spoofers to fabricate sender addresses to trick recipients into opening emails – maybe even replying.
Most spoofed emails are simply a nuisance. However, more and more malicious varieties are popping up, and these can cause serious problems – even real security threats, in some cases.
Read on to discover everything you need to know about email spoofing and the different ways you can protect yourself.
Table of Contents
- How long has email spoofing been around?
- How email spoofing works
- Why is email spoofing such a big deal?
How to Protect Yourself From Email Spoofing
- Stay sharp
- Call to confirm
- Organize your inbox
- Use antivirus software
- Regularly change your passwords
- Report spoofing attempts
- Implement Sender Policy Framework (SPF)
- Use DomainKeys Identified Mail (DKIM)
- Set up and implement DMARC
Let’s get to it!
How Long Has Email Spoofing Been Around?
Email spoofing has been around since the early 70s, but only became common in the 1990s. By the 2000s, it had grown into a major global cybersecurity issue.
Phishing, which is closely related to spoofing, has been around for just as long. The main difference between the two is that phishing scams involve some kind of bait to lure victims into clicking malicious links or handing over sensitive information.
How Email Spoofing Works
Email spoofers use specialized tools to edit mail headers. This allows them to fabricate the sender’s email address, thereby making the message seem as if it was created by a legitimate sender.
Although the majority of mail clients and services today can detect spoofed emails, there are plenty of businesses that still rely on outdated email software, and this leaves them at risk of email spoofing.
The reason email spoofing is possible is that the Simple Mail Transfer Protocol (SMTP), the protocol used to relay email, provides no built-in mechanism for authenticating the sender address.
Luckily, there are some mechanisms and authentication protocols for email addresses that have been developed in an effort to combat email spoofing.
However, the adoption of such mechanisms has been slow, which is surprising considering that spoofing and phishing tactics are on the rise, as evidenced by the image below.
Here’s an Example of How Spoofing Works
Keep in mind that for email spoofing to work, the sender needs to forge a sender address that misleads the recipients as to the origins of the message.
For instance, someone might receive an email that purports to be from a well-known e-commerce seller, asking the recipient to divulge personal information, such as a credit card number or password.
The fake email might even instruct the recipient to click a link within the message for a one-time offer (OTO) or a similar deal; this is especially common for expensive products such as PLR courses or other high-ticket items. In reality, the link downloads and installs malicious software on the recipient’s device.
Another common type of phishing seen in business email involves messages that appear to come from a company’s CFO or CEO, aimed at companies that work with suppliers in different countries, requesting that wire transfers to a supplier be redirected to a different payment location.
Below are some screenshot examples of different types of spoof emails:
Example #1: This is an example of display name spoofing, which is significantly easier to pull off than email spoofing.
Example #2: This is an example of a spoofed email that attempts to get recipients to click the links by making it seem as if the email is from PayPal.
Why is Email Spoofing Such a Big Deal?
Email spoofing is such a big deal because it gives the spoofer the power to accomplish their nefarious goals by trading on your name, usually at great cost (financial, reputational, and so on) to you.
Although, right now, email spoofing is most commonly known for phishing purposes, there are many reasons why someone might send emails with a forged sender address.
- Avoiding spam block lists
When someone is flagged as a spammer, they are typically blacklisted very quickly. For a spammer in that situation, a simple workaround is to send from a different (forged) sender address so their mail once again reaches the targeted inboxes.
- Hiding their true identity
Sometimes this is the main goal of an email spoofer. However, if hiding their true identity is the sender’s only intention, then there are much easier ways to do so, such as registering an anonymous email address.
- Pretending to be someone who’s known to the recipient
This is a more likely reason for email spoofing, and spoofers might employ this tactic in order to gain access to sensitive information or personal assets.
Email spoofers might also pretend to be someone from a business or brand that is in a relationship with the recipient in order to gain access to personal data such as credit card details, or bank login details.
These are just a few of the reasons why someone might send spoofed emails. Yet another (albeit less likely) reason is that the sender might be trying to attack the character of the assumed sender and tarnish their image.
Or, the spoofing could be done as a way to commit identity theft by getting access to the victim’s health care or financial accounts, and so on.
The bottom line: it’s clear why email spoofing is such a big deal. And with the stats showing that nearly 45% of all emails sent daily are either spam or spoof emails, you can see why it’s important to learn how to protect yourself.
9 Tips to Protect Yourself from Email Spoofing
Although statistics like the one mentioned above make it seem as if there’s no hope of evading the cybercriminals who create spoof emails, the good news is there are certain email spoofing warning signs that you can watch out for, as well as steps you can take to protect yourself against email spoofers.
Below, I’ve listed 9 of the most effective tips to keep spoof emails out of your inbox.
Tip #1 – Stay Sharp
One of the best things you can do to protect yourself from spoofing attacks is to remain vigilant against common types of email spoofing.
For instance, look out for warning signs, such as:
- URL typos
- Forced urgency
- Generic greetings
- Strange attachments
- Generic email domains
- Mistakes and inconsistencies
- Requests for personal information
In addition to making it a habit to scan emails for the warning signs listed above, another simple way to identify email spoofing is by manually checking email headers.
For instance, in Gmail, you can click the down arrow next to “Reply”, and then select “Show Original”. Copy the text on the page and paste it into a message header tool like this one to see if the return path for the email is the same as the sender’s email address.
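The header comparison described above can be automated. The following is an added example, not code from the original post: it parses raw headers of the kind Gmail’s “Show original” displays and flags the mismatches a header tool would point out (Return-Path or Reply-To domain differing from the From domain, and a failure reported in Authentication-Results). The two sample messages are constructed and use reserved example domains.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample headers (reserved example domains, not real mail).
# This one shows the classic signs: the bounce address and Reply-To point at
# a different domain than the displayed From, and SPF failed at the receiver.
SAMPLE_SPOOFED = b"""Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.example.org with ESMTP id abc123
From: "PayPal Support" <service@paypal.example.com>
Reply-To: <help-desk@example.net>
To: victim@example.org
Subject: Your account is limited
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net

Please log in to restore access.
"""

# Constructed legitimate-looking message: return path matches From, SPF passed.
SAMPLE_LEGIT = b"""Return-Path: <newsletter@example.com>
From: "Example Shop" <newsletter@example.com>
To: customer@example.org
Subject: Your order shipped
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com

Your order is on its way.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of header-level warning signs for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    return_path_dom = domain_of(msg["Return-Path"])
    reply_to_dom = domain_of(msg["Reply-To"])

    # The "return path" check from the tip: bounces should go back to the sender's domain.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} differs from From domain {from_dom}")
    # Replies silently routed elsewhere are another common sign.
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} differs from From domain {from_dom}")
    # Receivers that run SPF/DKIM/DMARC record the verdict in Authentication-Results.
    auth_results = str(msg["Authentication-Results"] or "").lower()
    if any(f"{check}=fail" in auth_results for check in ("spf", "dkim", "dmarc")):
        findings.append("Authentication-Results reports an authentication failure")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, spoofing_indicators(sample) or ["no indicators"])
```

A clean result is not proof of legitimacy (a sender who controls a look-alike domain can make all three headers agree), but a mismatch is a strong reason to stop and verify through another channel, as the next tip describes.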
Also, avoid opening attachments that you were not already expecting to receive, particularly if they come with abnormal file extensions.
By keeping an eye out for things such as these, you make it less likely that you will be fooled into revealing information to a scammer.
Tip #2 – Call to Confirm
Being on your guard may not always be enough to protect you from spoofers. If you receive a suspicious email, another thing you can do to protect yourself is to call the company to confirm whatever is being required of you.
For instance, if you’re prompted by someone to download webinar software, you may want to contact them directly to confirm this is needed.
Employers and companies typically have all the information on you that they need. They will likely never email you to request things like credit card information, user credentials, and so on.
So, if you receive such an email, it’s best to call the sender directly to confirm if it is, indeed, them asking you to submit personal information.
Make sure you use the number listed on the real, official website. Manually enter the company’s URL in your browser and check for any signs of website spoofing before using any contact information from it.
Tip #3 – Organize Your Inbox
By keeping your inbox organized, you’ll make it less likely that spoofed emails will actually succeed. One reason why spoofing email addresses is so effective is that people keep their inboxes disorganized.
This is not surprising when you consider that over 319 billion emails are sent and received each day (of which, as previously mentioned, nearly half are spam).
When recipients find dozens of emails in their inboxes from unknown addresses on a daily basis, sooner or later they stop paying any attention to the details, which results in a higher number of successful spoofing instances.
One way to avoid this is to keep your inbox neatly organized. You can easily use a smart inbox organizer app to make the process effortless. You will also be able to easily bundle your emails together for convenient viewing and automatically unsubscribe from unwanted subscriptions.
Such an app will also make it easy to block malicious senders with a simple click and prevent them from reaching your inbox.
Tip #4 – Use Antivirus Software
One of the most effective ways to protect yourself against email spoofing is to use antivirus software, such as Avast, that includes multiple advanced features for real-time threat detection.
There are many other effective antivirus software options to choose from, but whichever one you go with, make sure that it has a web shield and email shield to protect you against phishing emails, spoofed emails, and spoofed websites that cybercriminals love to create.
Tip #5 – Regularly Change Your Passwords
If email spoofers somehow manage to get your credentials, there isn’t much they’ll be able to do with them if you already have new passwords.
Make sure you regularly change your passwords and create strong passwords that are very hard for others to guess.
You can use a password manager to store them securely.
Tip #6 – Report Spoofing Attempts
It’s important to report any spoofing attempt, whether by email or on a website. After all, if something like this happens to you, you’d want others to let you know, wouldn’t you?
So, if you receive a spoofed email, let the person or organization whose identity was spoofed know about it; in doing so, you might help prevent future attacks.
Most companies have a page on their website where you can easily report any security issues such as spoofing.
Tip #7 – Implement Sender Policy Framework (SPF)
If you own a domain, the Sender Policy Framework (SPF) lets you publish a DNS record that explicitly states which servers may send email on your domain’s behalf.
Although a bit complex to implement, this is an effective email authentication mechanism that helps protect you against spoofers by identifying the machines that are authorized to send email for your domain or host.
It does so by adding a TXT record to your domain’s existing DNS information, which lets recipients confirm that the IP address delivering the email is allowed to send on behalf of the “envelope from” (return-path) address.
This confirmation takes place before the actual body of the email is downloaded, which makes it possible to reject any email from a spoofer long before it can do harm.
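To make the SPF check concrete, here is an added example (not code from the original post) that parses an SPF TXT record and evaluates a connecting IP address against it the way a receiving mail server does. The record and the IP addresses are constructed for the fictional example.com; only the DNS-free mechanisms (ip4, ip6 and all) are implemented, since include, a, mx, exists and redirect require live DNS lookups.

```python
import ipaddress

# Constructed SPF record for the fictional example.com. It authorizes one IPv4
# range and one IPv6 range and tells receivers to hard-fail everything else.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# RFC 7208 qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail' or 'neutral') for the
    IP that connected to deliver the message, evaluated left to right."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism == "all":
            # 'all' always matches; it is the catch-all for unlisted senders.
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # include/a/mx/exists/redirect need DNS resolution and are out of scope here.
            raise NotImplementedError(f"mechanism '{mechanism}' requires DNS lookups")
    # RFC 7208: no mechanism matched and no 'all' present -> neutral.
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8:1::1", "198.51.100.7"):
        print(ip, "->", check_spf(EXAMPLE_SPF, ip))
```

Because the receiver already knows the connecting IP and the envelope-from domain at the SMTP MAIL FROM stage, this evaluation can run before any message content is accepted, which is what makes early rejection possible. Note that a domain ending its record with ~all (softfail) rather than -all leaves the final decision to the receiver, which is why many deployments pair SPF with DMARC.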
Tip #8 – Use DomainKeys Identified Mail (DKIM)
Although SPF can be quite effective for deterring email spoofing, it’s often not enough on its own. Another method you can use to thwart cybercriminals is to implement DomainKeys Identified Mail (DKIM).
This is a digital “signature” attached to outgoing email messages and validated on incoming ones to help detect email spoofing.
This method uses cryptographic keys to sign specific headers and the body of a message. It’s designed to prove that the outgoing email was actually sent from your domain and that it wasn’t modified in transit.
This helps you establish greater trust with recipients and makes it much harder for email spoofers to pass off forged messages as coming from your domain.
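The “not modified in transit” part of DKIM rests on the body hash (the bh= tag of the DKIM-Signature header). As an added example that is not part of the original post, the code below implements the body canonicalization rules from RFC 6376 and checks a message’s body against its bh= tag, then shows the check catching a tampered body. The sample message is constructed for the fictional example.com; the b= signature value is a placeholder because verifying it requires the signer’s public key from the selector._domainkey.example.com DNS record, which this offline example does not fetch.

```python
import base64
import hashlib
import re


def canonicalize_body(body, method="relaxed"):
    """Apply DKIM 'simple' or 'relaxed' body canonicalization (RFC 6376 s3.4).
    Input is a CRLF-terminated message body as bytes."""
    if method == "relaxed":
        # Collapse runs of whitespace to one space and drop trailing whitespace per line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization {method!r}")
    # Both methods remove trailing empty lines...
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    # ...and 'simple' turns an empty body into a single CRLF.
    if method == "simple" and body == b"":
        return b"\r\n"
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body, method="relaxed"):
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value):
    """Parse a DKIM tag=value list, discarding folding whitespace in values."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(raw_message):
    """True if the bh= tag in DKIM-Signature matches the actual body hash."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode()
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_tags(value)
            # c=header/body; a missing body part means 'simple' for the body.
            body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
            return body_hash(body, body_method) == tags.get("bh")
    return False  # no DKIM-Signature at all: nothing to verify


def make_sample(body):
    """Constructed message for the fictional example.com whose bh= tag is correct.
    The b= tag is a placeholder; the RSA signature is not checked in this example."""
    header = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        b" s=sel2024; h=from:to:subject; bh=" + body_hash(body).encode() + b";\r\n"
        b" b=PLACEHOLDER-SIGNATURE-NOT-VERIFIED\r\n"
        b"From: Example Shop <newsletter@example.com>\r\n"
        b"To: customer@example.org\r\n"
        b"Subject: Your order shipped\r\n"
    )
    return header + b"\r\n" + body


if __name__ == "__main__":
    original = make_sample(b"Your order is on its way.\r\n")
    tampered = original.replace(b"on its way", b"cancelled, pay here")
    print("original body hash ok:", verify_body_hash(original))
    print("tampered body hash ok:", verify_body_hash(tampered))
```

In a real verifier the bh= check is only the first step: the receiver then fetches the public key named by the d= and s= tags and checks the b= signature over the listed headers plus the bh= value, which is what binds the message to the domain.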
Tip #9 – Set up and implement DMARC
DMARC (short for Domain-based Message Authentication, Reporting, and Conformance) is an emerging umbrella standard that lets the sending domain tell receivers that its email is protected by SPF and/or DKIM, and which action to take when a message fails authentication.
It is an email authentication, policy, and reporting protocol built on the two technologies described above (SPF and DKIM). It adds the requirement that the domain they authenticate “aligns” with the domain in the visible From header, and it delivers reports back to the domain owner about failures and compliance.
Although not yet widely adopted, this technology works effectively for deterring spoofers, and it has the added benefit of making it a lot less likely that your emails will be marked as spam.
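The piece of DMARC that SPF and DKIM alone do not give you is alignment: the domain that passed SPF (the envelope from) or DKIM (the d= tag) must match the From header the recipient actually sees. As an added example that is not code from the original post, the following parses a DMARC record and decides the disposition of a message from the SPF and DKIM verdicts. The record is constructed for the fictional example.com, and the organizational-domain rule is simplified to “the last two labels” (real receivers consult the Public Suffix List).

```python
# Constructed DMARC record as it would be published at _dmarc.example.com:
# reject failing mail from the main domain, quarantine failing mail from
# subdomains, relaxed DKIM alignment, strict SPF alignment, aggregate reports to rua.
EXAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dictionary with RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    implementations use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organizational domain."""
    if not authenticated_domain:
        return False
    a, b = from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action). spf_domain is the envelope-from domain SPF
    evaluated; dkim_domain is the d= tag of a verified DKIM signature (or None)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"  # one aligned pass is enough
    # Failing mail from a subdomain uses sp= when present, otherwise p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    action = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return False, action


if __name__ == "__main__":
    # Spoof: From says example.com, but SPF only passed for the spoofer's own domain.
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com", "pass", "mailer.example.net", "none", None))
    # Legitimate: DKIM signed by example.com, relaxed alignment with the From domain.
    print(dmarc_disposition(EXAMPLE_DMARC, "news.example.com", "fail", "bounce.example.com", "pass", "example.com"))
```

The first call is the display-name-plus-forged-From scenario from earlier in the article: SPF can pass (the spoofer’s server is allowed to send for the spoofer’s domain) yet DMARC still rejects, because nothing authenticated example.com itself.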
Wrap Up: Never Fall Prey to Spoofed Emails
As long as we have email, we will always have email spoofing. That’s just an unfortunate fact!
But, there are increasingly more effective ways to protect yourself and your business against cybercriminals who are desperate to get their hands on your personal and financial information – as well as that of your customers.
Use the tips in this article to make sure that you never fall prey to spoofed emails.
This post was written by Ron Stefanski