What is email spoofing, how does it work, and why is it so dangerous to your company? We’ll explain everything you need to proactively stop attackers from spoofing your email address.
Email Spoofing: What Is It?
Email spoofing is when a fraudster forges an email header’s ‘From’ address to make it appear as if it was sent by someone else, usually a known contact like a high-level executive or trusted outside vendor.
This kind of identity deception is widely used in phishing and spam attacks to help boost the open rate and efficacy of malicious emails. In many email attacks, embedded links lead to phishing sites designed to swipe sensitive information or login credentials from recipients. Others contain malware-laden attachments, or employ social engineering to bamboozle well-researched targets out of money in spear phishing or business email compromise (BEC) scams.
These crimes often involve the use of lookalike domains and domain spoofing, though display name spoofing is the most common method of identity deception in email-based impersonation scams, employed in two-thirds of all attacks.
How Email Spoofing Works
In order to spoof an email, all a fraudster needs to do is set up or compromise an SMTP server. From there, they can manipulate the ‘From’, ‘Reply-To’, and ‘Return-Path’ email addresses to make their phishing emails appear to be legitimate messages from the individual or brand they're impersonating.
This identity deception is made possible by the fact that SMTP—the Simple Message Transfer Protocol used by email systems to send, receive, or relay outgoing emails—lacks a mechanism for authenticating email addresses. It's also exacerbated when exploited through popular cloud-based email platforms, such as Gmail and Microsoft Office 365.
Because of their ubiquity and the precipitous volume of emails distributed by these and other email platforms, phishing attacks launched from cloud email accounts are far less likely to be detected and blocked than those sent from a lookalike domain.
Effects of Email Spoofing
Financial: Fraudulent emails being sent that appear to come from a legitimate, trusted source, such as spam, costs businesses every year worldwide. When these scams lead to a data breach, the global average cost is $4.9 million, which is a 10% increase over last year and the highest ever, according to IBM & the Ponemon Institute's 2024 Cost of a Data Breach Report. And all of this is before any regulatory fines, which can range in the millions.
Reputational: If your customers start receiving emails that appear to come from your company but contain malicious links or simply lack credulity, they may begin to think twice about doing business with you. If they fall victim to a scam impersonating your company or one of its executives, the damage can be catastrophic to brand reputation, and ruinous for professional relationships across the industry.
Security: Usernames, passwords, and bank information are all personal credentials that can be stolen when email fraud occurs. If someone else has this information, they can then go into your system or account and get even more access to sensitive customer data, IP, or business plans.
How To Spot a Spoofed Email
Being able to identify a spoofed email can stop employees from clicking malicious links or putting company information at risk. Phishing awareness training can help employees recognize key characteristics to look out for, which include:
- Mismatched "From" address and display name: While the display name may look legitimate at first glance, comparing it with the email "From" address can reveal a mismatch that can signal fraud.
- "Reply-to" Header that doesn't match the source: If the reply-to address doesn't match the sender address or the domain the email purports to be coming from, there's a good chance it’s a spoofed email.
- Message content that's out of the ordinary: Even if the email appears to come from a known and trusted source, unsolicited messages or requests for information or directions to open an attachment should be viewed with suspicion.
What To Do If Your Own Email Accounts Have Been Spoofed
It's also possible to check to see if your own email address is being spoofed. If someone has stolen your email address and is using it in their email spoofing attacks, you will probably have undelivered email notifications in your inbox.
If this is the case, running a virus scan on your computer will help verify that there are no viruses currently on your computer. If the scan finds viruses, then your account might be compromised. In this event, it's likely that fraudsters aren't spoofing your email—they're using your actual email account to launch email attacks.
REPORT. . .REPORT. . .REPORT! Many organizations empower employees to report suspect emails to the security operations center (SOC) at the push of a button. If this kind of reporting mechanism is not in place, contact the IT department to ask about proper reporting procedures.
How to Prevent Email Spoofing Attacks
While phishing awareness training and employee reporting tools are critically important to spotting both inbound attacks and signs of outbound impersonation, they won't be enough on their own.
So how can you better protect against spoofed emails that target your employees? And how do you prevent your own brand and its employees from being impersonated in email attacks against your customers and other businesses and individuals?
Inbound Spoofing Attacks
The best defense against spoofed emails that target your company is to stop them from ever reaching employees in the first place.
- Traditional email security controls including those built into cloud-based email systems will detect and block the vast majority of incoming emails containing malicious links or attachments.
- Identity-based protection, such as that offered by Cloud Email Protection, blocks more sophisticated email attacks, phishing schemes, and BEC scams no matter their source–including those launched from cloud platforms or compromised accounts.
- Employee training and reporting is more important than ever because with fraudsters always looking for new ways to bypass your defenses, you’ll want your employees to be a knowledgeable last line of defense in case they open even one spoofed email that hasn't been blocked is yet to be identified and removed by automated phishing response technologies.
Outbound Email Impersonation
There are standard email authentication protocols that can help protect companies and their employees from having their email spoofed in attacks against customers and the general public.
- Sender Policy Framework (SPF) enables organizations to specify which IP addresses are approved to send emails on their behalf. During an SPF check, receiving servers query the DNS records associated with your sending domain to verify that the IP address used to send the email is listed in the SPF record. If it isn’t, the email will fail authentication.
- DomainKeys Identified Mail (DKIM) uses asymmetric encryption to generate a public and private key pair, with the public key published in a record set up in a domain’s DNS. It works by affixing a digital signature linked to a specific domain name to each outgoing email message. When receiving servers receives an email with such a signature in the header, the server asks the sending domain’s DNS for the public key TXT record. Using the public key, the receiving server will be able to verify whether the email was actually sent from that domain.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer for SPF and DKIM to help email receiving systems recognize when an email isn’t coming from a company’s approved domains, and provides instructions to email receiving systems with email on how to safely dispose of unauthorized email.
- Automated DMARC deployment tools such as Fortra DMARC Protection enable enterprises to accelerate the often cumbersome and costly process of deploying DMARC across large email ecosystems spanning thousands of domains by automating the entire process. Our solution also helps secure defensive domains and proactively identifies attacks from lookalike domains and cloud platforms, supporting rapid remediation with takedown vendor