Did you know that malicious emails increased by 341% in the first half of 2024? That rise covers email spoofing, email impersonation, phishing, and other message-based attacks.
Attackers use many techniques to gain unauthorized access, and email spoofing is one of the most common. The attacker forges the sender address so the message appears to come from someone the recipient trusts, then uses that trust to extract sensitive information (bank account details, user credentials, and so on). A well-crafted spoofed email can look so authentic that even careful users fall for it.
This guide explains how email spoofing works, how to detect it, and what to do about it.
What is email spoofing?
Email spoofing is a cyberattack in which the sender details in an email's headers are forged so that the recipient believes the message came from a known or trusted source. It is a building block for phishing and other scams, and it is used for a range of dishonest purposes.
The email can be spoofed for the following purposes:
To get sensitive information such as social security numbers and bank account information by inserting a deceptive link in the email.
To deliver malware, often so that the victim's own mailbox can then be used to spread the infection further.
To take over your email account and send phishing emails pretending to be you.
To get inside a company's communications to obtain high-value information. This can include impersonating the CEO, or posing as a vendor with a fake invoice to trigger a wire transfer.
What are the impacts of email spoofing?
Email spoofing can have significantly adverse impacts on organizations. Listed below are some of them:
1. Reputational damage: Spoofed emails can harm the reputation of organizations. If your organization falls victim to email spoofing, your recipients unintentionally interact with the spoofed emails and in turn get scammed. It can erode trust, damage relationships, and adversely affect the credibility of your organization.
2. Data breaches: Spoofed emails can be used to gain unauthorized entry into sensitive systems, networks, or accounts. By deceiving recipients into sharing their login credentials or clicking on harmful links, attackers can compromise data security, steal confidential information, or take control of vital assets. Organizations may also face legal consequences or regulatory fines because of this.
3. Financial loss: Email spoofing can cause a significant financial burden on an organization. The 2021 Cost of Phishing Study conducted by Ponemon Institute revealed that phishing costs have tripled since 2015, increasing from $3.8 million in 2015 to $14.8 million in 2021.
Some of the significant phishing costs are as follows:
Employee productivity decreases as they spend more time dealing with the consequences of phishing scams. Employee productivity losses become costlier to the organization, increasing from $1.8 million in 2015 to $3.2 million in 2021.
Email is the method of choice for delivering 94% of malware. The cost of resolving malware infections has doubled the total cost of phishing. In addition, the costs due to non-containment of malware almost doubled from an average of $3.1 million in 2015 to $5.3 million in 2021.
The average cost of Business Email Compromise (BEC) exploits was $5.96 million in 2021. BEC happens when the attacker targets employees within an organization and gets access to the organization's funds or data.
These additional costs can damage and hinder the growth of your organization.
4. Operational disruption: Spoofing can disrupt normal business operations. Employees may lose trust in the organization and leave, the customer churn rate can rise, and the resulting confusion and miscommunication, both internally and with clients, hurts the business.
Spoofing vs phishing
Phishing is a type of cyberattack where attackers impersonate a legitimate entity to steal sensitive information (like financial information), through fraudulent emails or websites.
Spoofing is related but distinct: it is a technique, while phishing is an attack that frequently relies on it. The main differences:
Activity | Spoofing | Phishing |
---|---|---|
Purpose | To assume a trusted identity (an email address, domain, IP address, or phone number) so that the message or connection is believed. | To steal confidential information or money from the target. |
Scope | A broad technique used as a component of many different attacks. | A specific type of attack focused on information theft. |
Severity | On its own it is deception rather than theft: the user's email address or phone number is imitated, not stolen. It becomes fraud when it is used to obtain money or data. | Considered severe and fraudulent, since it involves the theft of information or money. |
Examples | Email spoofing, IP spoofing, URL spoofing, etc. | Phone phishing, clone phishing, etc. |
Email spoofing vs email impersonation
Spoofing is also often related to email impersonation. However, there are some differences. Let's take a look.
Email impersonation is a form of phishing attack in which a cybercriminal pretends to be a legitimate person, typically through email, to trick the recipient into taking actions that benefit the attacker. The goal is to make the recipient think they are communicating with a trusted figure, like a company executive or a coworker, prompting them to perform certain actions. In attacks involving impersonated email accounts, the attacker creates an email address that closely resembles a legitimate one (e.g., billgates@micr0soft.com, with a zero instead of an 'o' in the domain name).
In contrast, email spoofing is a technique used to make an email look like it is coming from a different sender. It involves a technical process where the attacker modifies an email’s headers so the receiving email client displays a false email address (the sender’s email address is “fraud@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox). The attacker forges the “From” address in the email header to create the illusion that it is from a trusted source. Email spoofing techniques can be used in email impersonation.
Hence, email spoofing requires some technical know-how whereas in email impersonation, the attacker just needs to secure a domain that looks like it could belong to a legitimate business. Both methods aim to deceive recipients into taking actions that benefit the attacker.
How is an email spoofed?
Before we discuss the email spoofing process, you need to understand how an email is transmitted:
When the sender hits send, the email is transmitted to the recipient's mail server via Simple Mail Transfer Protocol (SMTP). The SMTP transaction (the "envelope") carries two addresses that are separate from the headers the user sees:
● MAIL FROM or envelope sender: the address the sending server declares during the SMTP transaction. It is not visible to users unless they open the message source, where the receiving server usually records it as the Return-Path header. It is also where bounces and undeliverable-message notices are sent.
● RCPT TO: the envelope recipient, which tells the server where to deliver the email. It is not shown to the user either, but it is often recorded in the "for <address>" part of a Received header.
How does the attacker carry out email spoofing?
An attacker with access to any SMTP server that will relay for them (an open relay, a compromised server, or one they run themselves) can spoof an email as follows:
When the message is submitted, the attacker chooses the envelope sender (MAIL FROM, which the receiving server records as the Return-Path) and writes whatever they like into the message headers, including From and Reply-To.
When the recipient opens the email, the mail client displays the forged From header, so the message appears to come from a known source even though the attacker sent it.
This is possible because SMTP itself authenticates neither the envelope sender nor the header addresses; it accepts whatever the sending side asserts. SPF, DKIM, and DMARC (discussed below) were added later to give receiving servers a way to check those assertions.
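The envelope/header split described above, shown as an added example that is not part of the original article: this Python script starts a throw-away SMTP receiver on localhost, delivers one message to it with the standard smtplib client, and shows that the envelope MAIL FROM and the header From are two independent values the sending side simply asserts. Nothing leaves the machine. The mailbox names and domains (victim.example, attacker.example) are constructed placeholders, and the receiver is a minimal stand-in for a real mail server.

```python
import smtplib
import socketserver
import threading
from email import message_from_bytes
from email.message import EmailMessage


class RecordingSMTPHandler(socketserver.StreamRequestHandler):
    """Throw-away SMTP receiver (constructed for this example, not a real MTA).
    It speaks just enough SMTP for smtplib to deliver one message and records the
    envelope sender and recipients separately from the message data."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mx.victim.example ESMTP")
        envelope_from, envelope_rcpts, data = None, [], b""
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.victim.example")
            elif verb == "MAIL":                      # MAIL FROM:<envelope sender>
                envelope_from = cmd.split(":", 1)[1].strip().strip("<>")
                self.reply("250 OK")
            elif verb == "RCPT":                      # RCPT TO:<envelope recipient>
                envelope_rcpts.append(cmd.split(":", 1)[1].strip().strip("<>"))
                self.reply("250 OK")
            elif verb == "DATA":                      # headers + body, terminated by a lone "."
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                while True:
                    raw = self.rfile.readline()
                    if not raw:
                        return
                    if raw.rstrip(b"\r\n") == b".":
                        break
                    data += raw[1:] if raw.startswith(b"..") else raw   # undo dot-stuffing
                self.server.captured = (envelope_from, envelope_rcpts, data)
                self.reply("250 OK queued")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command not recognized")


def demonstrate_envelope_vs_header():
    """Send one message whose header From claims to be the CEO while the SMTP
    envelope sender is an attacker mailbox; return what the receiver recorded."""
    server = socketserver.TCPServer(("127.0.0.1", 0), RecordingSMTPHandler)
    server.captured = None
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        msg = EmailMessage()
        msg["From"] = "CEO <ceo@victim.example>"        # forged header: this is what the user sees
        msg["To"] = "finance@victim.example"
        msg["Subject"] = "Urgent wire transfer"
        msg.set_content("Please process the attached invoice today.")
        host, port = server.server_address
        with smtplib.SMTP(host, port, local_hostname="mail.attacker.example") as client:
            # The envelope sender is a separate value; SMTP accepts whatever we declare.
            client.sendmail("bounce@attacker.example", ["finance@victim.example"], msg.as_bytes())
    finally:
        server.shutdown()
        server.server_close()
    envelope_from, envelope_rcpts, data = server.captured
    header_from = message_from_bytes(data)["From"]
    return {"envelope_from": envelope_from, "rcpt_to": envelope_rcpts, "header_from": header_from}


if __name__ == "__main__":
    for key, value in demonstrate_envelope_vs_header().items():
        print(f"{key:14} {value}")
```

A real receiving server sees exactly the same thing: an envelope sender at attacker.example and a header From at victim.example. Only the SPF, DKIM, and DMARC checks it runs afterwards (and the Return-Path it writes from MAIL FROM) give the recipient anything to detect the forgery with.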
3 ways of email spoofing
The attacker can carry out spoofing in three different ways, which are as follows:
1. Spoofing via legitimate domain
The spoofer puts the target organization's real domain in the From header, so the address is indistinguishable from a genuine one.
To do this, the spoofer needs an SMTP server that accepts the message without checking who they are: an open relay or a compromised server that allows unauthenticated connections and lets them set the "To" and "From" addresses by hand, or a mail server they set up themselves. Whether the receiving side then accepts the message depends on the SPF, DKIM, and DMARC records the spoofed domain has published.
2. Spoofing via lookalike domain
Spoofing via a lookalike domain is similar to domain impersonation. Here the spoofer needs to set up a domain similar to the organization being spoofed.
For example, they might have a domain @doma1n.co instead of @domain.co, which is the exact domain of the organization. However, the difference in both domains could be minimal, so that it might go unnoticed by the recipient.
This form of spoofing works because most recipients do not read the sender's address character by character.
Because the attacker owns the lookalike domain, they can publish valid SPF and DKIM records for it, so the message passes authentication checks and spam filters treat it as coming from a legitimate mailbox. The resemblance to the real domain is often enough to convince the victim to reveal a password, transfer money, or send files.
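A simple lookalike-domain classifier, as an added example (not code from the original article): it folds a small table of ASCII confusables, computes the edit distance to the protected domain, and checks whether the protected brand appears as a label inside the candidate. domain.co is the protected domain from the text; the other candidates and the confusables table are constructed assumptions, and Unicode homoglyphs in internationalized domains would need a proper confusables table such as the Unicode TR39 data.

```python
# Confusable ASCII sequences mapped to the character they imitate. This short table is an
# assumption for the example; production tools use much larger lists plus Unicode TR39 data.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "5": "s", "vv": "w", "rn": "m", "cl": "d"}


def normalize(domain: str) -> str:
    """Fold confusable sequences so 'doma1n' and 'dornain' both compare equal to 'domain'.
    Folding is lossy (it also maps genuine 'i' to 'l'), so it is used only for equality tests."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str) -> str:
    """Rate how closely a sender domain resembles the domain we want to protect."""
    cand, prot = candidate.lower().strip("."), protected.lower().strip(".")
    if cand == prot:
        return "exact"
    if normalize(cand) == normalize(prot):
        return "confusable"          # character swaps such as 0/o, 1/l, rn/m
    if levenshtein(cand, prot) <= 1:
        return "near-miss"           # one typo away, which also catches TLD swaps like .co/.com
    brand = prot.split(".")[0]
    if brand in cand.replace("-", ".").split("."):
        return "contains-brand"      # domain-secure.co, domain.co.attacker.example
    return "unrelated"


if __name__ == "__main__":
    for sender in ["domain.co", "doma1n.co", "dornain.co", "dmain.co", "domain-secure.co", "example.org"]:
        print(f"{sender:18} {classify(sender, 'domain.co')}")
```

Run it against the domain of every From, Reply-To, and Return-Path address in inbound mail, with all of your organization's legitimate domains listed as protected so that your own .com/.co variants are not flagged as near-misses.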
3. Spoofing via display name
The display name is the friendly name that appears next to (or instead of) the address in the From field. In display-name spoofing only this name is forged; the actual address is an unrelated mailbox the attacker controls, often at a free webmail provider.
Many mail clients, especially on mobile, hide the address and show only the display name to reduce clutter. This lets an attacker put a trusted person's name (or even a trusted-looking email address) in the display name while sending from any mailbox. Such attacks work because:
People look at the sender's name and ignore the sender's address.
SPF and DKIM never examine the display name. SPF checks the envelope sender's domain and DKIM checks the signing domain, so a message sent from the attacker's own freemail account passes both and the authentication systems see it as legitimate.
An example of display-name spoofing: a message whose From header reads "Jane Doe (CEO)" <jane.doe.ceo@freemail.example> is rendered by many mobile clients simply as Jane Doe (CEO), and the freemail address never appears unless the recipient taps the name.
Now that you know how an email can be spoofed, let's take a look at how we can recognize if an email is spoofed.
How to recognize if an email is spoofed
Recognizing email spoofing requires a proactive approach and attention to detail. There are two major sections of an email that you should pay attention to. Let's see what things you should check in each section:
1. Analyze the email header
Check the actual 'From' email address, not just the display name. Hover over (or tap) the contact name to reveal the address, and read the domain character by character. A name that does not match the address, or a domain that is one letter off from the one you expect, is a warning sign.
For the checks below, open the message source (often labelled "Show original" or "View headers") and look at the following headers:
Return-Path (the envelope sender, where bounces go)
Received (one line per server that handled the message, most recent first)
Reply-To (where your reply will actually go)
Look for disconnects between these addresses and the From address and display name. In a genuine message they usually belong to the same domain; a Reply-To or Return-Path at a different domain is a strong signal of spoofing. The exception is mail sent through third-party services (newsletters, ticketing systems), where the Return-Path legitimately differs, so also check the Authentication-Results header for the SPF, DKIM, and DMARC verdicts the receiving server recorded.
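A header analyzer for the checks above, as an added example that is not from the original article. It parses a constructed raw message (a display-name spoof of the kind described in the section on the three spoofing methods) with Python's standard email library and reports every disconnect between the display name, From address, Return-Path, Reply-To, and the Authentication-Results the receiving server recorded. All addresses and hosts, and the 203.0.113.7 sending IP, are constructed placeholders.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample message: a display-name spoof relayed through an attacker-run server.
# The display name *is* a trusted-looking address; the real mailbox is at a freemail provider.
SAMPLE = b"""Return-Path: <bounce@attacker.example>
Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])
\tby mx.victim.example with ESMTP id 4e2f1a
\tfor <finance@victim.example>; Mon, 1 Jul 2024 09:00:00 +0000
Authentication-Results: mx.victim.example;
\tspf=pass smtp.mailfrom=attacker.example;
\tdkim=none;
\tdmarc=fail header.from=freemail.example
From: "ceo@victim.example" <jane.doe.ceo.1984@freemail.example>
Reply-To: ceo.victim@webmail.example
To: finance@victim.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze_headers(raw: bytes) -> dict:
    """Pull the sender-related headers apart and list every disconnect between them."""
    msg = message_from_bytes(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

    # The envelope recipient and the connecting IP survive in the first (most recent) Received line.
    received = msg.get_all("Received", [])
    first_hop = received[0] if received else ""
    rcpt = re.search(r"\bfor\s+<([^>]+)>", first_hop)
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", first_hop)

    findings = []
    embedded = ADDRESS.search(display_name)          # display name that itself looks like an address
    if embedded and domain_of(embedded.group()) != domain_of(from_addr):
        findings.append(f"display name shows {embedded.group()} but the real address is {from_addr}")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(from_addr)}")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"replies go to {reply_to}, not to the From address")
    if auth.get("dmarc") == "fail":
        findings.append("receiving server recorded dmarc=fail")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "return_path": return_path,
        "reply_to": reply_to,
        "envelope_rcpt": rcpt.group(1) if rcpt else "",
        "connecting_ip": ip.group(1) if ip else "",
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE)
    for key, value in report.items():
        if key != "findings":
            print(f"{key:14} {value}")
    for finding in report["findings"]:
        print("!", finding)
```

Each finding is a signal rather than proof: a Return-Path at an email-service provider's domain is normal for newsletters, and a Reply-To elsewhere is common for ticketing systems. The DMARC verdict in Authentication-Results is the check that already accounts for those cases, so weight it highest.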
2. Analyze the email content
Assess the emails giving you urgent deadlines and asking you for your personal information.
Be wary of emails with generic greetings like "Dear customer" instead of your name. If you are suspicious, paste a distinctive sentence from the email into a search engine; the text used in common phishing campaigns has usually already been reported online.
Look for inconsistencies in the email signature and if the information in the email signature does not align with what is known about the sender, it can be a spoofed email.
Hover over the links of the email; do not click on them. A small box should show you the URL to which the link will take you.
How to prevent email spoofing attacks
You cannot stop attackers from sending spoofed emails, but you can take precautions so that you do not become a victim of such scams. There are two main types of precautions.
Technical precautions
Listed below are the best practices you can follow to prevent email spoofing and impersonation:
1. Set up email authentication protocols
Several email authentication protocols have been developed to defend against spoofing. They let the receiving server verify that the sending server is authorized for the domain and that the message was not altered in transit. A message that fails them is likely spoofed (or sent from a misconfigured domain). The receiving server records the pass/fail results in the Authentication-Results header, which you can read in the message source.
Let's discuss how each of these works:
- SPF
Sender Policy Framework (SPF) lets a domain owner publish, in a DNS TXT record, the IP addresses and hosts allowed to send mail for that domain. The receiving server looks up the record for the envelope sender (MAIL FROM) domain and checks whether the connecting IP is authorized. Note that SPF checks the envelope sender, not the From header the user sees, so on its own it does not stop a forged From.
- DKIM
DomainKeys Identified Mail (DKIM) adds a digital signature to the message, like a seal on a letter. The sending server signs selected headers and the body with a private key; the receiving server fetches the matching public key from a DNS record for the signing domain (the d= tag in the signature) and verifies the signature. A valid signature proves the message was not tampered with after signing and that the signing domain vouches for it.
- DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties the two together. It checks that the domain in the visible From header is aligned with the domain that passed SPF (the envelope sender domain) or the domain that passed DKIM (the d= domain). DMARC passes only if at least one of SPF or DKIM passes and is aligned; an SPF pass for an unrelated envelope domain does not count. The domain owner's DMARC record also tells receivers what to do with failures (p=none, quarantine, or reject) and where to send aggregate reports.
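SPF evaluation and DMARC alignment in code, as an added example that is not part of the original article. check_spf evaluates a constructed SPF record against a connecting IP (only the ip4, ip6, and all mechanisms; anything that needs DNS is left out), and evaluate_dmarc applies DMARC's alignment rule to the SPF and DKIM outcomes. The records, domains, and IPs are constructed; the DKIM verification result is taken as an input because signature verification needs the public key from DNS, and org_domain uses a two-label approximation instead of the Public Suffix List.

```python
import ipaddress

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF TXT record against the IP that delivered the message.

    Supports the ip4/ip6 mechanisms and the final 'all' with its qualifier. Mechanisms
    that need DNS (a, mx, include, redirect=) are deliberately not resolved here."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(argument, strict=False):
                return SPF_RESULT[qualifier]
        elif mechanism == "all":
            return SPF_RESULT[qualifier]
        else:
            raise NotImplementedError(f"'{mechanism}' needs DNS lookups")
    return "neutral"   # nothing matched and no 'all' term present


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption for this example).
    Real implementations consult the Public Suffix List so that co.uk and friends work."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same organization."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, record: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Combine the SPF and DKIM outcomes with alignment against the visible From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags.get("p", "none"),   # what the receiver should do
    }


if __name__ == "__main__":
    # Constructed scenario: header From victim.example, delivered by 203.0.113.7 with an
    # attacker-controlled envelope sender (attacker.example) and no DKIM signature.
    spf = check_spf("v=spf1 ip4:203.0.113.0/24 -all", "203.0.113.7")   # attacker.example's own SPF record
    print("SPF for envelope domain attacker.example:", spf)
    verdict = evaluate_dmarc("victim.example", "v=DMARC1; p=reject; adkim=s; aspf=r",
                             spf, "attacker.example", "none", "")
    print("DMARC for header From victim.example:", verdict)
```

The scenario in the main block is the spoofing-via-legitimate-domain case: the attacker's envelope domain passes SPF, but because it is not aligned with the From domain the DMARC verdict is fail and the disposition follows victim.example's p=reject policy. Without a DMARC record at the spoofed domain, that SPF pass would have been the end of the story.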
2. Deploy spam filters
You can enhance your email security by using spam filters for detecting viruses, blank senders, etc. Basic spam filters limit the number of suspicious emails that get through to users’ inboxes. These filters help you to detect spoofed emails and block emails from known spoofed email addresses.
3. Use anti-malware software
Anti-malware software on endpoints and on the mail gateway can block malicious attachments and links carried by spoofed emails before they do damage, although it does not by itself verify who sent a message. Keep your anti-virus and anti-spyware software, as well as your firewall, updated.
4. Conduct reverse IP lookups for sender verification
A reverse DNS (PTR) lookup on the IP address in the first Received header tells you which hostname that IP claims to belong to; many online tools will do this for you. A sending IP whose hostname has nothing to do with the domain in the From header is a warning sign, but not proof on its own: plenty of legitimate mail is sent through third-party providers whose IPs belong to the provider. Treat the SPF result for that IP as the authoritative check.
Non-technical precautions
Educate employees by conducting cybersecurity awareness training. You can teach them about the key characteristics of phishing and spoof emails.
If you’re an organization, conduct mock phishing scenarios and drills to prepare your employees to deal with such scams.
Be sure of the attachments you download, even if they appear from a known source.
Don’t send sensitive data (Social Security numbers, credit card numbers, etc.) via email.
When an email seems suspicious, verify with the apparent sender through another channel, such as a phone number you already have (not one taken from the email), before replying, opening attachments, or acting on it.
Check where the link in the email is leading you to. Once you land on the website, check if there are any inconsistencies in the webpage to identify if it's a fake page.
Conclusion
Email spoofing attacks have severe consequences for the individual and the organization. As we discussed above, phishing costs have tripled in the past six years, and even though there are authentication protections such as SPF, DKIM, and DMARC; spoofing and impersonation are on the rise.
To combat them, we need to be more vigilant while conducting work via emails and ensure to not open or click on any suspicious email because that one click might cost us a lot.