email spoofing

Contributor(s): Peter Loshin

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.

Although most spoofed emails can be easily detected and require little action other than deletion, the more malicious varieties can cause serious problems and pose security risks. For example, a spoofed email may pretend to be from a well-known shopping website, asking the recipient to provide sensitive data such as a password or credit card number. Alternatively, a spoofed email may include a link that installs malware on the recipient's device if clicked. One type of spear phishing attack used in business email compromises involves spoofing emails from the CEO or CFO of a company requesting a wire transfer or internal system access credentials.

While email spoofing is most popularly used to execute phishing attacks, a cybercriminal may also use this technique to avoid spam email blacklists, commit identity theft or tarnish the image of the impersonated sender.

How email spoofing works

Email spoofing can be easily achieved with a working Simple Mail Transfer Protocol (SMTP) server and mailing software like Outlook or Gmail. Once an email message is composed, the scammer can forge fields found within the message header such as the FROM, REPLY-TO and RETURN-PATH addresses. After the email is sent, it will appear in the recipient's mailbox that appears to come from the address that was entered.

This is possible to execute because the SMTP does not provide a mechanism for addressing authentication. Although email sender authentication protocols and mechanisms have been developed to combat email spoofing, adoption of those mechanisms has been slow.

Email spoofing

How to tell if an email has been spoofed

If a spoofed email does not appear to be suspicious to the user, it is likely it will go undetected. However, if the user does sense something is wrong, they can open and inspect the email source code. Here, the recipient can find the originating IP address of the email and trace it back to the real sender.

Another sign to look for is a soft-failed Sender Policy Framework (SPF) check, a protocol defined in RFC 7208 that provides a solution to authenticating email senders. If an email soft-failed this protocol, something fishy may have been detected but it was still allowed to deliver.

How to stop email spoofing

To prevent becoming a victim of email spoofing, the following practices should be put into place:

  • Keep antimalware software up to date.
  • Do not share private or financial information through email.
  • Turn spam filters on to the strongest settings, or use tools like Gmail's Priority Inbox.
  • Avoid clicking suspicious links or downloading suspicious attachments.
  • Never enter sensitive information into links that are not secure.
  • Learn how to open and read email headers for signs of email spoofing.
  • Conduct reverse IP lookups to verify the real sender.
  • Audit email accounts to see how they respond to SPF and DMARC
This was last updated in April 2019

Continue Reading About email spoofing

Dig Deeper on Email and messaging threats