Email Security Blog

Email Spoofing Explained: What It Is and How to Protect Against It

Ramon Peypoch October 1, 2019 Email Security

Email spoofing is one of the most common forms of cybercriminal activity. It underpins the mechanism required to conduct hacking activities such as spear phishing and business email compromise, and it can take many forms. Unfortunately, most email users will eventually receive an email that has been spoofed—whether they know it or not.

Just as forgery was a key method used by traditional criminals as the gateway key to more complex crimes, email spoofing is the forgery of an email sender address so that the message appears to have come from someone other than the actual source. Spammers will often spoof emails in order to encourage recipients to open, reply to, or even take action in response to their solicitations. And while brand spoofing is common, we are increasingly seeing criminal activities where individuals are spoofed to target employees and partners.

Spoofing Using Display Name Deception

Display name deception is the most common form of email spoofing and is often successful because many email clients (especially on mobile devices) show only the display name. With this kind of attack, criminals can insert the identity of a trusted individual (such as the name of an executive of the targeted company) or a trusted brand (such as the name of the bank used by the targeted individual) into the display name. Since common consumer mailbox services such as Gmail and Yahoo allow a user to specify any value in the display name, this type of attack is simple and cheap to stage from such a service.

Spoofing Using Legitimate Domains

In addition to manipulating the display name, an attacker may also use the actual email address of the impersonated identity in the From header, such as “United Customer Service” <>. This type of attack, known as a Domain Spoofing Attack, does not require compromising the account or the servers of the impersonated identity, but exploits the security holes in the underlying email protocols. Attackers often use public cloud infrastructure or third-party email sending services that do not verify domain ownership to send such attacks. Email authentication standards, such as DMARC, can be used by a domain owner to prevent spoofing of their domain, but are still not adopted widely by popular brands and government organizations.

Spoofing Using Look-alike Domains

In cases where a domain is protected by email authentication and domain spoofing is not possible, attackers try to deceive the recipient by registering and using domains that are similar to the impersonated domain. These types of attacks, known as look-alike domain attacks, often use homoglyphs or characters that appear similar to the original characters in the impersonated domain. Attackers can use rendering similarities, such as “PayPal” <>, exploiting the specific fonts and rendering styles used in popular email clients. Another variation of the Look-alike Domain Attack is to add additional words to the domain name. For example, if an attacker wanted to send you a bogus invoice from Acme Corporation, whose domain might be, the attacker could simply register, or Finally, attackers can use characters from another script in the Unicode set. Cyrillic is a common choice, as in the From header “Dropbox” <notifications@””>, where the “o”s in the domain are actually Cyrillic characters, but an email client will render the version that looks exactly like the impersonated domain.

Email Spoofing and Business Email Compromise

Throughout the past few years, there has been an increase in business email compromise attacks, which typically spoof CEO and CFO email addresses to initiate wire transfers. Recent research from the Agari Cyber Intelligence Division indicates that this tactic is also being used to request small-dollar gift cards for charity events or to reward staff for their work. In these cases, the email is typically coming from an executive at the organization and is directed to either an executive assistant or to junior employees in his or her department.

Preventing Email Spoofing in Your Inboxes

While it is not possible to prevent cybercriminals from spoofing email addresses, as they continuously find new ways to trick their targets, it is possible to block these messages before they reach the inboxes of your employees, customers, and partners. Here at Agari, we use a combination of email authentication and identity detection to ensure that spoofed emails are detected before they ever reach the inbox. As part of the Secure Email Cloud, this strategy ensures that intended targets stay safe from brand impersonation, identity deception, and email spoofing, ultimately helping you trust your inbox.

For information on how Agari stops all types of email spoofing, download this white paper on the Agari Identity Graph

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

Woman-shopping on cell phone

November 30, 2021 Mike Jones

It’s the Most Wonderful Time of the Year… for Cybercriminals

The holiday season is upon us, which means it’s also the busiest time of the…

laptop with envelope and security badge-secure email

November 24, 2021 John Wilson

TLS for Email: What is it & How to Check if an Email Uses it

Transport Layer Security (TLS) is encryption to secure email messages between sender and receiver to…

mobile image