Email Security Blog

What is Email Spoofing & How to Stop Attackers From Posing as You

Armen Najarian December 15, 2020 Email Security

What is email spoofing, how does it work, and why is it so dangerous to your company? We’ll explain everything you need to defend your company and your customers.

Email Spoofing: What Is It?

Email spoofing is when a fraudster forges an email header’s ‘From’ address to make it appear as if it was sent by someone else, usually a known contact like a high-level executive or trusted outside vendor.

This kind of identity deception is widely used in phishing and spam attacks to help boost the open rate and efficacy of malicious emails. In many email attacks, embedded links lead to phishing sites designed to swipe sensitive information or login credentials from recipients. Others contain malware-laden attachments, or employ social engineering to bamboozle well-researched targets out of money in spear-phishing or business email compromise (BEC) scams.

These crimes often involve the use of lookalike domains and domain spoofing, though display name spoofing is the most common method of identity deception in email-based impersonation scams, employed in two-thirds of all attacks.

Typical scenarios include fraudsters impersonating an employee in emails sent to payroll seeking a change in direct deposit details before the next pay period, or posing as a senior executive requesting W2 information on employees. Increasingly, they involve cybercriminals masquerading as a trusted outside vendor.

In this post, we’re going to cover how email spoofing works, its effects, protecting against these attacks and more.

How Email Spoofing Works

In order to spoof an email, all a fraudster needs to do is set up or compromise an SMTP server. From there, they can manipulate the ‘From’, ‘Reply-To’, and ‘Return-Path’ email addresses to make their phishing emails appear to be legitimate messages from the individual or brand they’re impersonating.

This identity deception is made possible by the fact that SMTP—the Simple Message Transfer Protocol used by email systems to send, receive, or relay outgoing emails—lacks a mechanism for authenticating email addresses. It’s also exacerbated when exploited through popular cloud-based email platforms such as Gmail and Office 365.

Because of their ubiquity and the precipitous volume of emails distributed by these and other email platforms, phishing attacks launched from cloud email accounts are far less likely to be detected and blocked than those sent from a lookalike domain.

Effects of Email Spoofing

Financial: Fraudulent emails being sent that appear to come from a legitimate, trusted source lead to nearly $1 billion in business losses worldwide. When these scams lead to a data breach, the cost to US businesses now averages $8.6 million per incident, according to Ponemon’s 2020 Cost of a Data Breach Report. And all of this is before any regulatory fines, which can range in the millions.

Reputational: If your customers start receiving emails that appear to come from your company but contain malicious links or simply lack credulity, they may begin to think twice about doing business with you. If they fall victim to a scam impersonating your company or one of its executives, the damage can be catastrophic to brand reputation, and ruinous for professional relationships across the industry.

Security: Usernames, passwords, and bank information are all personal credentials that can be stolen when email fraud occurs. If someone else has this information, they can then go into your system or account and get even more access to sensitive customer data, IP, or business plans.

How To Spot a Spoofed Email

Being able to identify a spoofed email can stop employees from clicking malicious links or putting company information at risk. Phishing awareness training can help employees recognize key characteristics to look out for, which include:

Mismatched “From” address and display name: While the display name may look legitimate at first glance, comparing it with the email “From” address can reveal a mismatch that can signal fraud.

“Reply-to” Header that doesn’t match the source: If the reply-to address doesn’t match the sender address or the domain the email purports to be coming from, there’s a good chance it’s a spoofed email.

Message content that’s out of the ordinary: Even if the email appears to come from a known and trusted source, unsolicited messages or requests for information or directions to open an attachment should be viewed with suspicion.

What To Do If Your Own Email Accounts Have Been Spoofed

It’s also possible to check to see if your own email address is being spoofed. If someone has stolen your email address and is using it in their spoofing attacks, you will probably have undelivered email notifications in your inbox.

If this is the case, running a virus scan on your computer will help verify that there are no viruses currently on your computer. If the scan finds viruses, then your account might be compromised. In this event, it’s likely that fraudsters aren’t spoofing your email—they’re using your actual email account to launch email attacks.

Reporting Suspicious Emails

Many organizations empower employees to report suspect emails to the security operations center (SOC) at the push of a button. If this kind of reporting mechanism is not in place, contact the IT department to ask about proper reporting procedures.

How to Protect Against Spoofing Attacks

While phishing awareness training and employee reporting tools are critically important to spotting both inbound attacks and signs of outbound impersonation, they won’t be enough on their own.

So how can you better protect against spoofed emails that target your employees? And how do you prevent your own brand and its employees from being impersonated in email attacks against your customers and other businesses and individuals?

Inbound Spoofing Attacks

The best defense against spoofed emails that target your company is to stop them from ever reaching employees in the first place.

  • Traditional email security controls including those built into cloud-based email systems will detect and block the vast majority of incoming emails containing malicious links or attachments.
  • Identity-based protections such as Agari Phishing Defense™ block more sophisticated email attacks, phishing schemes, and BEC scams no matter their source–including those launched from cloud platforms or compromised accounts. Others, like and Agari Phishing Response™, automatically detect and remove email attacks that do manage to evade early detection.
  • Employee training and reporting is more important than ever because with fraudsters always looking for new ways to bypass your defenses, you’ll want your employees to be a knowledgeable last line of defense in case they open even one spoofed email that hasn’t been blocked is yet to be identified and removed by automated phishing response technologies.

Outbound Email Impersonation

There are standard email authentication protocols that can help protect companies and their employees from having their email spoofed in attacks against customers and the general public.

  • Sender Policy Framework (SPF) enables organizations to specify which IP addresses are approved to send emails on their behalf. During an SPF check, receiving servers query the DNS records associated with your sending domain to verify that the IP address used to send the email is listed in the SPF record. If it isn’t, the email will fail authentication.
  • DomainKeys Identified Mail (DKIM) uses asymmetric encryption to generate a public and private key pair, with the public key published in a record set up in a domain’s DNS. It works by affixing a digital signature linked to a specific domain name to each outgoing email message. When receiving servers receives an email with such a signature in the header, the server asks the sending domain’s DNS for the public key TXT record. Using the public key, the receiving server will be able to verify whether the email was actually sent from that domain.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer for SPF and DKIM to help email receiving systems recognize when an email isn’t coming from a company’s approved domains, and provides instructions to email receiving systems with email on how to safely dispose of unauthorized email.
  • Automated DMARC deployment tools such as Agari Brand Protection™ enable enterprises to accelerate the often cumbersome and costly process of deploying DMARC across large email ecosystems spanning thousands of domains by automating the entire process. Our solution also helps secure defensive domains and proactively identifies attacks from lookalike domains and cloud platforms, supporting rapid remediation with takedown vendors.

To learn more about email spoofing techniques and modern approaches to protecting against them, read the H2 2020 Email Fraud and Identity Deception Trends Report from Agari.

Agari Blog Image

May 18, 2022 Ramon Peypoch

What Is Email Spoofing and How Do You Protect Against It?

What is Email Spoofing? Email spoofing is one of the most common forms of cybercriminal…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

mobile image