Did you know that during the 2018 U.S. presidential elections, the email accounts of four senior NRCC aides were hacked, and thousands of emails were collected by hackers over several months?
That incident is a well-known cybersecurity breach. Email spoofing is another kind of cybersecurity attack: the attacker forges the sender's email address to get at the recipient's sensitive information. Unfortunately, the forged address can look so authentic that you may fall prey to such emails.
To help you avoid such incidents, we have written this guide. We will discuss how email spoofing works and how you can identify it and safeguard against it.
What is email spoofing?
Email spoofing is a cyberattack in which someone tampers with the email header (sender details) and tricks the recipient into thinking it has come from a known or credible source. It is often used to carry out phishing or scams by forging the sender's details for a number of unethical reasons.
The email can be spoofed for the following purposes:
- Get sensitive information such as social security numbers and bank account details by inserting a deceptive link in the email.
- Deploy malware to use a victim's email account to spread the infection further.
- Hack your email address and send phishing emails pretending to be you.
- Breach a company's communications circle to get high-value information. This can include imitating the CEO or posing as a vendor with a fake invoice to trigger activities like wire transfers.
How does email spoofing work?
Before we discuss the email spoofing process, you need to understand the email transmission process:
When the sender hits send, the email is transmitted to the recipient's server via the Simple Mail Transfer Protocol (SMTP). The initial transfer provides two pieces of address information:
● MAIL FROM or envelope address: The MAIL FROM (MFrom) address is the sender's address that isn't visible to users unless they check the original source of the email. It is also the address to which undeliverable-message notices, or bounces, are sent. Thus, it is also known as the Return-Path address, the Envelope-Sender address, and the bounce address.
● RCPT TO: It specifies where to deliver the email and is not visible to the user, but it can be included in the headers as part of the "Received:" header.
If the recipient mail server doesn't find anything wrong with these two, the session proceeds to the DATA command.
Once the DATA command is accepted, the client delivers the email contents line by line, starting with the header.
How does the attacker carry out email spoofing?
Attackers can carry out email spoofing with any working SMTP server.
- Once an email message is composed, the attacker can forge fields within the message header, such as From, Reply-To, and Return-Path.
- When the user gets the email, it appears to come from a known source, while in reality it was sent by the attacker.
It is possible to forge these addresses because SMTP does not provide a way to authenticate addresses. Although protocols and methods (which we'll discuss later) have been developed to combat email spoofing, adopting those methods has been slow.
What are the different types of email spoofing?
Attackers can carry out spoofing in three different ways:
1. Spoofing via legitimate domain
This involves inserting the domain of the organization being spoofed into the From header, making it difficult for the user to tell a fake email from a real one.
For this, spoofers use compromised SMTP servers that allow connections without authentication, which lets them manually specify the 'To' and 'From' addresses. Alternatively, they can set up a malicious SMTP server themselves.
2. Spoofing via lookalike domain
Spoofing via a lookalike domain is more complicated as the spoofer needs to set up a domain similar to the organization being spoofed.
For example, they might set up @doma1n.co when @domain.co is the organization's real domain. The difference between the two domains is so small that it can easily go unnoticed by the recipient.
This form of spoofing is effective because users don't typically bother to read an email header.
The attacker creates a sense of authority by using the similar domain and, because the mail comes from a legitimately set-up mailbox, it bypasses spam checks. That can be just enough to convince the victim to reveal a password, transfer money, or send some files.
3. Spoofing via display name
The display name is the sender's name that appears in the From section of your emails. In display-name spoofing, only the sender's display name is forged.
Mailbox providers often hide the sender's address and show only the sender's name to make the email look less cluttered. This lets attackers put a spoofed address behind a familiar display name. Such attacks work because:
- Individuals often look at the sender's name and ignore the sender's address.
- DKIM signature and SPF often authenticate only the display name; the authentication systems see the message as legitimate.
An example of email spoofing via display name might look like this:
What are the impacts of email spoofing on organizations?
Email spoofing can place a significant financial burden on an organization. The 2021 Cost of Phishing Study conducted by the Ponemon Institute revealed that the cost of phishing has nearly quadrupled since 2015, increasing from $3.8 million in 2015 to $14.8 million in 2021.
The cost of phishing comprises several component costs that can damage and hinder your organization's growth. The most significant are as follows:
- Employee productivity decreases as staff spend more time dealing with the consequences of phishing scams. Productivity losses have become costlier to the organization, increasing from $1.8 million in 2015 to $3.2 million in 2021.
- Organizations encountered an average of 5.3 credential compromises over the past 12-month period.
- The average cost of a credential compromise that is not contained is $2.1 million, up significantly from $1 million in 2015.
- The cost of resolving malware infections has doubled the total cost of phishing. In addition, the cost of uncontained malware almost doubled, from an average of $3.1 million in 2015 to $5.3 million in 2016.
- The average cost of Business Email Compromise (BEC) exploits was $5.96 million in 2021. BEC happens when the attacker targets employees with access to an organization's funds or data.
- Ransomware is a sophisticated malware that blocks victims' access to their files. The total cost of ransomware in 2021 was $5.66 million, with an average attack rate of 17.6%.
How to recognize spoofing attacks?
Here are some ways to recognize whether an email is spoofed:
● Analyze the email header
Check the 'From' email address, not just the display name. Whenever you get an email, hover over the contact name and look at the actual email address; the two should match or be very close.
For the points below, open the original source of the email and look for the following in the email header:
- Return path
- Received headers
- Reply-To header
The email address should match the sender's real address in each field. If it doesn't, the email is likely spoofed.
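The header checks above, applied to a raw message, as an added example that is not part of the original article. The message, the trusted-domain list and the lookalike heuristic (one-character edit distance) are constructed for illustration.

```python
# Added example, not from the original article: the header checks above run over a raw message (stdlib only).
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trusted address shown in the display name, lookalike sender domain, bounces to a third domain.
RAW_MESSAGE = """Return-Path: <bounce@mailer-xyz.example>
From: "Finance Team accounts@domain.co" <alerts@doma1n.co>
Reply-To: accounts@doma1n.co
Subject: Invoice overdue - action required

Please settle the attached invoice today.
"""

def domain_of(addr):
    """Lower-cased domain part of an address ('' when there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches doma1n.co vs domain.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_headers(raw, trusted_domains):
    """Return the warnings the checks in this section would raise for one message."""
    msg = message_from_string(raw)
    warnings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Display-name spoofing: an address written into the display name that differs from the real one.
    shown = [t.strip("<>") for t in display.split() if "@" in t]
    if shown and domain_of(shown[0]) != from_domain:
        warnings.append(f"display name shows {shown[0]} but From is {from_addr}")
    # Return-Path (envelope sender) and Reply-To should match the From domain.
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_domain:
            warnings.append(f"{header} domain {domain_of(addr)} != From domain {from_domain}")
    # Lookalike domain: one character away from a domain you trust.
    for trusted in trusted_domains:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 1:
            warnings.append(f"From domain {from_domain} is a lookalike of {trusted}")
    return warnings

if __name__ == "__main__":
    for warning in analyze_headers(RAW_MESSAGE, {"domain.co"}):
        print("WARNING:", warning)
```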
● Analyze the email content
- Be sure to not click on the links; instead, hover over them. A small box should show you the URL to which the link will take you.
- Identify any grammatical or spelling errors.
- Do not click on any attachments from unfamiliar sources.
- Don't engage with the email if the email asks you about personal information such as usernames, passwords, or account numbers.
- Be wary of content that stresses deadlines or expiration dates.
- Be wary of urgent deadlines that pressure you into handing over personal information.
- Generic greetings like "Dear customer" instead of your name.
Another way to detect spoofed emails - Authentication protocols
Various email authentication protocols have been developed to safeguard against email spoofing. These protocols check that the sending address and the email content have not been tampered with. If an email has failed any of them, the chances are that it is spoofed. You can check the pass/fail status in the original source of the email.
Let's discuss how each of these works:
✅ Sender Policy Framework (SPF)
SPF allows a mail domain owner to restrict the IP addresses that may send messages for that domain and lets the recipient's mail server check that the domain owner authorizes the sender's IP address. For this, SPF uses a Domain Name System (DNS) record, against which the receiver checks whether the email is coming from a legitimate source for that domain.
However, SPF only checks the MailFrom (envelope) address, so on its own it won't safeguard against header From or display-name spoofing.
✅ DomainKeys Identified Mail (DKIM)
DKIM is like a seal on a letter: a digital signature that ensures the email content has not been tampered with. The sender signs the message with a private key, and the receiver verifies the signature against the public key published in DNS for the sending domain. DKIM does not, however, directly prevent abusive or malicious behavior.
✅ Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is the final authentication step: it checks that the domain in the From header aligns with the domain validated by SPF or DKIM. If either the DKIM or the SPF check passes for an aligned domain, DMARC will also PASS.
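How a receiving server combines the SPF and DKIM verdicts with the sender's DMARC policy, as an added example that is not part of the original article. The DMARC TXT record, the Authentication-Results headers and the From domain are constructed samples, and the organizational-domain rule is simplified to the last two labels.

```python
# Added example, not from the original article: DMARC alignment and policy evaluation on constructed inputs.
import re

# Constructed samples: From domain, the sender's DMARC DNS TXT record, and the
# Authentication-Results a receiving server wrote after running SPF and DKIM.
FROM_DOMAIN = "domain.co"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@domain.co"
AUTH_PASSING = ("mx.example.org; spf=pass smtp.mailfrom=bounce.domain.co; "
                "dkim=pass header.d=domain.co")
AUTH_SPOOFED = "mx.example.org; spf=pass smtp.mailfrom=attacker.example; dkim=none"

def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict, filling in DMARC's defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key] = value
    return tags

def parse_auth_results(header):
    """Pull the SPF and DKIM verdicts and their domains out of Authentication-Results."""
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", header)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    spf_domain = spf.group(2).rsplit("@", 1)[-1] if spf else ""
    return (spf.group(1) if spf else "none", spf_domain,
            dkim.group(1) if dkim else "none", dkim.group(2) if dkim else "")

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(record_txt, auth_header, from_domain):
    """Return (result, disposition): pass needs SPF or DKIM to pass *and* align with the From domain."""
    policy = parse_dmarc_record(record_txt)
    spf_res, spf_dom, dkim_res, dkim_dom = parse_auth_results(auth_header)
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, policy["aspf"])
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver")

if __name__ == "__main__":
    print(dmarc_verdict(DMARC_RECORD, AUTH_PASSING, FROM_DOMAIN))  # ('pass', 'deliver')
    print(dmarc_verdict(DMARC_RECORD, AUTH_SPOOFED, FROM_DOMAIN))  # ('fail', 'reject')
```

The spoofed case shows why alignment matters: SPF passed for the attacker's own envelope domain, but that domain does not align with the From header, so DMARC fails and the sender's p=reject policy applies.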
What actions can you take to prevent spoofing attacks?
You can't stop attackers from sending spoofed messages, but the following tips will help you identify and prevent email spoofing:
- Educate employees by conducting awareness training and mock phishing scenarios, teaching them the key characteristics of phishing and spoofed emails.
- Make sure to keep your anti-virus and anti-spyware software and your firewall updated.
- Be careful while opening or downloading email attachments, even if they appear from a known source.
- Improve your email security by deploying spam filters for detecting viruses, blank senders, etc.
- Try not to send sensitive data (Social security numbers, credit card numbers, etc.) via email.
- Encrypt your and your organization's sensitive and personal information.
- Call the sender before replying or even opening the message when an email appears suspicious but comes from a legitimate business or person.
- Look out for URL redirects and pay attention to subtle differences in the website content.
Email spoofing attacks have severe consequences for the individual and the organization. As we discussed above, phishing costs have tripled in the past six years, and even though there are authentication protections such as SPF, DKIM, and DMARC, spoofing is on the rise.
To combat them, we need to be more vigilant when conducting work via email and make sure not to open or click on any suspicious email, because that one click might cost you a lot.