email spoofing

Contributor(s): Peter Loshin

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.

Although most spoofed emails can be easily detected and require little action other than deletion, the more malicious varieties can cause serious problems and pose security risks. For example, a spoofed email may pretend to be from a well-known shopping website, asking the recipient to provide sensitive data such as a password or credit card number. Alternatively, a spoofed email may include a link that installs malware on the recipient's device if clicked. One type of spear phishing attack used in business email compromises involves spoofing emails from the CEO or CFO of a company requesting a wire transfer or internal system access credentials.

While email spoofing is most popularly used to execute phishing attacks, a cybercriminal may also use this technique to avoid spam email blacklists, commit identity theft or tarnish the image of the impersonated sender.

How email spoofing works

Email spoofing is easy to carry out with a working Simple Mail Transfer Protocol (SMTP) server and ordinary mail software such as Outlook or Gmail. Once an email message is composed, the scammer can forge fields in the message header such as the FROM, REPLY-TO and RETURN-PATH addresses. After the email is sent, it shows up in the recipient's mailbox as though it came from whatever address was entered.

This is possible because SMTP itself provides no mechanism for authenticating the sender address. Although email sender authentication protocols and mechanisms have been developed to combat email spoofing, adoption of those mechanisms has been slow.

[Figure: Email spoofing]

How to tell if an email has been spoofed

If a spoofed email does not appear suspicious to the user, it is likely to go undetected. However, if the user does sense something is wrong, they can open and inspect the raw message source, including its full headers. There, the recipient can find the originating IP address of the email and trace it back to the real sender.

Another sign to look for is a soft-failed Sender Policy Framework (SPF) check. SPF, defined in RFC 7208, is a protocol for authenticating email senders. If an email soft-fails this check, something suspicious was detected but the message was still allowed through to delivery.
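As an added example (not part of the original article), the following Python script inspects a raw message source for the signs described in this section: it pulls the originating IP out of the earliest Received header, compares the From domain with the Return-Path and Reply-To domains, and reads the SPF verdict from the Authentication-Results header. The message, hostnames, addresses and IPs are all constructed for the example.

```python
# Added example (not from the original article): inspecting a raw message
# source for the signs of spoofing described above. The message below is
# constructed for the example; hostnames, IPs and domains are made up.
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_SOURCE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
 by inbox.example.com with ESMTP id abc123; Mon, 1 Apr 2019 10:00:00 +0000
Received: from smtp7.example.net (unknown [203.0.113.45])
 by mx.example.com with ESMTP id def456; Mon, 1 Apr 2019 09:59:58 +0000
Authentication-Results: mx.example.com;
 spf=softfail (sender IP is 203.0.113.45) smtp.mailfrom=mail-relay.example.net
From: "Accounts Payable" <cfo@bigcorp.example>
Reply-To: cfo-urgent@webmail.example.net
To: staff@bigcorp.example
Subject: Urgent wire transfer
Content-Type: text/plain

Please wire the attached invoice today.
"""

# Matches the bracketed IPv4 literal a relay records for the host that connected to it.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: str):
    """Parse the raw source with the modern (RFC 5322 aware) header policy."""
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg):
    """Each relay prepends its own Received: header, so the last one in the
    list is the earliest hop: the address the message actually came from."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    m = RECEIVED_IP.search(str(hops[-1]))
    return m.group(1) if m else None


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or None."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() or None


def spf_result(msg):
    """Pull the spf= verdict out of Authentication-Results, if present."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bspf=(\w+)", ar)
    return m.group(1).lower() if m else None


def spoofing_indicators(raw: str):
    """Collect the header-level warning signs the article describes."""
    msg = parse_message(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])
    indicators = []
    if return_path_domain and return_path_domain != from_domain:
        indicators.append("return-path/from domain mismatch")
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append("reply-to/from domain mismatch")
    spf = spf_result(msg)
    if spf in ("softfail", "fail"):
        indicators.append(f"spf {spf}")
    return {
        "originating_ip": originating_ip(msg),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "indicators": indicators,
    }


if __name__ == "__main__":
    print(spoofing_indicators(SAMPLE_SOURCE))
```

A mismatch between From and Return-Path is not proof of spoofing on its own (mailing lists and bulk senders produce it legitimately), which is why the script reports a list of indicators rather than a verdict; the originating IP is what you would feed into the reverse lookup mentioned later in the article.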

How to stop email spoofing

To prevent becoming a victim of email spoofing, the following practices should be put into place:

  • Keep antimalware software up to date.
  • Do not share private or financial information through email.
  • Turn spam filters on to the strongest settings, or use tools like Gmail's Priority Inbox.
  • Avoid clicking suspicious links or downloading suspicious attachments.
  • Never enter sensitive information into links that are not secure.
  • Learn how to open and read email headers for signs of email spoofing.
  • Conduct reverse IP lookups to verify the real sender.
  • Audit email accounts to see how they respond to SPF and DMARC checks.
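To show what auditing a domain's SPF and DMARC posture looks like in practice, here is an added example (not from the article) in Python that evaluates a sender IP against a domain's published SPF record and reads its DMARC policy. The DNS TXT records are constructed and embedded inline so the script runs offline; the evaluator handles only the ip4, ip6, include and all mechanisms, and the domains are hypothetical.

```python
# Added example (not from the original article): an offline audit of the SPF
# and DMARC records a domain publishes. The TXT records below are constructed
# for the example; a real audit would fetch them with DNS TXT lookups.
import ipaddress

TXT_RECORDS = {
    "bigcorp.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.bigcorp.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bigcorp.example",
    # A weak configuration: softfail only, and DMARC set to monitor rather than reject.
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed records."""
    return TXT_RECORDS.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Simplified SPF evaluator (RFC 7208 subset): ip4, ip6, include and all.
    Mechanisms that need further DNS resolution (a, mx, exists, redirect) are
    not supported here and are reported as permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # ip_network membership is False across address families, so an
            # IPv4 sender never matches an ip6: term and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term present


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")


def audit_domain(domain, sender_ip):
    """Report how the domain would treat mail from sender_ip claiming to be it."""
    spf = check_spf(domain, sender_ip)
    policy = dmarc_policy(domain)
    findings = []
    if spf in ("softfail", "neutral", "none"):
        findings.append(f"spf {spf}: unauthorized sender is not hard-rejected")
    if policy is None:
        findings.append("no DMARC record published")
    elif policy == "none":
        findings.append("DMARC p=none: failures are only reported, not rejected")
    return {"spf": spf, "dmarc": policy, "findings": findings}


if __name__ == "__main__":
    for name in ("bigcorp.example", "weak.example"):
        print(name, audit_domain(name, "192.0.2.1"))
```

The audit flags exactly the gap the article describes: a domain whose SPF record ends in ~all, or whose DMARC policy is p=none, will see spoofed mail soft-fail and still be delivered, so tightening those records (-all and p=quarantine or p=reject) is the fix on the sending side.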

This was last updated in April 2019

Join the conversation

3 comments

How do you determine whether or not a suspicious email has been spoofed?
I want to learn how to do email spoofing so that I can learn better ways of avoiding criminals, as a person who has a future interest in Intelligence.
I typically look at the email address and subject line before opening the email. Generally I know my audience, and a strange subject line with a known person (or vice versa) will be an immediate trigger. Once I open the email I look for the real email address and note if there is a mismatch. If the spoofed email address does not match the real email address, then I immediately delete. If they have really done their homework to get through those gates, then I look at the body of the message, and invariably it falls apart here (but only 1% need make it this far). A scare tactic sends up a red flag, bad spelling or grammar sends up a red flag, and a link that does not resolve to something familiar will not get me clicking on it. Odd messaging or asking for personal information will go to the blocked sender area. But if everything passes muster and I still suspect foul play, I will send an email to the purported sender to ask if they actually sent me that.