Email spoofing is a type of scam in which criminal hackers trick people into thinking a message has come from a legitimate source.
According to Proofpoint, 3.1 billion spoofed emails are sent every day, with attacks costing businesses $26 billion (about £18.8 billion) since 2016.
The goal of email spoofing is similar to phishing, as fraudsters attempt to obtain sensitive information from the recipient or get them to download a malicious attachment.
However, instead of simply imitating the email address of a trusted source, spoofed emails manipulate the way emails are delivered.
How email spoofing works
Email spoofing is possible because of the way email providers send and deliver messages.
When someone sends an email, it doesn’t simply go from the person who created the message to the intended recipient. Rather, it goes through an SMTP (Simple Mail Transfer Protocol) server configured in the client software.
You can think of this process like a sorting office for physical post. The SMTP takes an incoming message and routes it to the relevant email server, which then directs it to the relevant user inbox.
This gives criminal hackers the opportunity to input a bogus address in the ‘Sent’ field, because the SMTP doesn’t have a process to authenticate this information.
As such, attackers can make it look as though the email has been delivered from someone else.
In the next section, we look at how this process works in practice.
An example of a spoofed email
Below is an example of what someone might see when they receive a spoofed email:
There is nothing here that reveals the true nature of this message. The ‘From’ field displays the address provided by the scammer – but crucially, this is not necessarily the email address from which the message originated.
Only by investigating the email header (sometimes known as the envelope) can you tell if the ‘From’ field has been manipulated. This information isn’t typically displayed on email clients, and will require you to look in your settings.
In most versions of Outlook, you can do this by double-clicking the message to get it to open in a separate window, then selecting ‘File’ and ‘Properties’.
You’ll be presented with a long string of information, but within that you should see something that looks like this:
You can see here that, although the message says it’s from the employee’s boss, there is a different address in the reply field. When the recipient responds, the message isn’t going to ‘firstname.lastname@example.org’ but to ‘email@example.com’.
This is a big clue that the original email address has either been forged or compromised.
A bogus email address won’t always be as easy to spot, however. You may well encounter the same technique as standard phishing attacks, with the attacker replicating the email address of a genuine organisation.
In this example, the sender might register the email domain ‘conpamy.com’ – transposing the ‘n’ and the ‘m’.
This can be tricky to spot, and it’s why organisations should adopt SPF (Sender Policy Framework).
SPF is a security protocol that works alongside DMARC (Domain-based Message Authentication, Reporting and Conformance) to detect malware and phishing attacks.
It does so by comparing the IP address from which the email was sent to the address in the ‘From’ field.
If you’ve implemented SPF, the email header will contain a string of text that looks like this:
You can see that this message failed the test, because the client’s IP is not permitted to send messages from the company domain.
Implementing SPF helps flag suspicious emails and reduces the burden on employees to spot scams.
However, for it to work, the domain holder (which in most circumstances will be your organisation) must configure a DNS TXT entry specifying all IP addresses authorised to send email on behalf of the domain.
How to protect against email spoofing
Technical solutions such as SPF can help protect organisations from email spoofing. They can be implemented alongside spam filters and anti-malware software to give you the best chance of flagging suspicious messages before they reach employees’ inboxes.
However, these tools are never foolproof, and scammers are always finding clever ways to bypass security mechanisms.
As such, you must ensure that employees are trained to detect and respond appropriately to suspicious emails.
Phishing emails always contain clues that can help you spot their true nature. You can find out what the signs of a scam are by enrolling on our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the one in this blog to explain what phishing scams look like and how they attempt to trick you.
We’ll show you what to look out for and the steps you should take to avoid falling victim.
The course is updated quarterly with the latest scams and tactics, helping you stay on top of the threat landscape.