
What Is Email Spoofing and How Do You Protect Against It?

Ramon Peypoch May 18, 2022 Email Security

What is Email Spoofing?

Email spoofing is one of the most common forms of cybercriminal activity, specifically a form of identity deception that’s widely used in phishing and spam attacks. It is the enabling step behind a wide range of attacks, and it can take many forms. Unfortunately, most email users will eventually receive an email that has been spoofed—whether they know it or not.

Just as forgery was a key method used by traditional criminals as the gateway to more complex crimes, email spoofing is the forgery of an email sender address so that the message appears to have come from someone other than the actual source. Spammers will often spoof emails in order to encourage recipients to open, reply to, or even take action in response to their solicitations. And while brand spoofing is common, we are increasingly seeing criminal activities where individuals are spoofed to target employees and partners.

Types of Email Spoofing

Some of the most prevalent forms of email spoofing are:

Spoofing Using Display Name Deception

Display name deception is the most common form of email spoofing and is often successful because many email clients (especially on mobile devices) show only the display name. With this kind of attack, criminals can insert the identity of a trusted individual (such as the name of an executive at the targeted company) or a trusted brand (such as the name of the bank used by the targeted individual) into the display name. Since common consumer mailbox services, such as Gmail and Yahoo, allow a user to specify any value in the display name, this type of attack is simple and cheap to stage from such a service.

Spoofing Using Legitimate Domains

In addition to manipulating the display name, an attacker may also use the actual email address of the impersonated identity in the From header, such as “United Customer Service” <noreply@united.com>. This type of attack, known as a domain spoofing attack, does not require compromising the account or the servers of the impersonated identity, but exploits the security holes in the underlying email protocols. Attackers often use public cloud infrastructure or third-party email sending services that do not verify domain ownership to send such attacks. Email authentication standards, such as DMARC, can be used by a domain owner to prevent spoofing of their domain, but have still not been adopted widely by popular brands and government organizations.
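To make the domain-spoofing point concrete, here is an added example (not Agari's code and not part of the original post) of how a receiving mail server applies a published DMARC policy: a message passes only when SPF or DKIM passes for a domain that aligns with the visible From domain, otherwise the p= tag decides what happens. The record strings, domain names and the organizational-domain helper are simplified assumptions; a real evaluator uses the Public Suffix List, honours the sp= and pct= tags, and fetches the record from DNS.

```python
"""Simplified DMARC policy evaluation (added example; assumptions noted inline)."""


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption: a real implementation consults the Public Suffix List so that
    names such as 'example.co.uk' are handled correctly.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, record: str, spf=None, dkim=()):
    """Decide what to do with a message.

    from_domain: domain of the RFC5322.From header (what the recipient sees).
    record:      the TXT record found at _dmarc.<from_domain>.
    spf:         (result, domain) from the SPF check on MAIL FROM, or None.
    dkim:        iterable of (result, d= domain) for each DKIM signature.
    Returns 'pass' when an aligned authentication passes, otherwise the value of
    the p= tag ('none', 'quarantine' or 'reject'); None if there is no policy.
    sp= and pct= are ignored in this simplified version.
    """
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1":
        return None
    spf_mode = tags.get("aspf", "r")
    dkim_mode = tags.get("adkim", "r")

    spf_pass = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], spf_mode)
    dkim_pass = any(result == "pass" and aligned(from_domain, d, dkim_mode)
                    for result, d in dkim)

    if spf_pass or dkim_pass:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed scenario: a message claiming to be from united.com (the page's
    # example) sent through a third-party service that authenticates only its own
    # domain. SPF and DKIM both "pass", but neither identifier aligns, so the
    # domain owner's p=reject policy applies.
    policy = "v=DMARC1; p=reject; aspf=r; adkim=s"
    print(dmarc_disposition("united.com", policy,
                            spf=("pass", "bulk-sender.example"),
                            dkim=[("pass", "bulk-sender.example")]))
```

The key design point is alignment: SPF and DKIM on their own only prove that some domain authorised the sending server, and an attacker's own infrastructure can satisfy both for the attacker's domain. DMARC ties those results back to the From domain the recipient actually sees, which is why it is the control that stops exact-domain spoofing.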

Spoofing Using Lookalike Domains

In cases where a domain is protected by email authentication and domain spoofing is not possible, attackers try to deceive the recipient by registering and using domains that are similar to the impersonated domain. These types of attacks, known as lookalike domain attacks, often use homoglyphs or characters that appear similar to the original characters in the impersonated domain. Attackers can use rendering similarities, such as “PayPal” <paypal@paypa1.com>, exploiting the specific fonts and rendering styles used in popular email clients. Another variation of the lookalike domain attack is to add additional words to the domain name. For example, if an attacker wanted to send you a bogus invoice from Acme Corporation, whose domain might be acme.com, the attacker could simply register acme-payments.com or invoices-acme.com. Finally, attackers can use characters from another script in the Unicode set. Cyrillic is a common choice, as in the From header “Dropbox” <notifications@dropbox.com>, where the “o”s in the domain are actually Cyrillic characters, but an email client will render the version that looks exactly like the impersonated domain.
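The three patterns above (display name deception, digit-for-letter and Cyrillic lookalikes, and brand names padded with extra words) can all be caught by inspecting the parsed From header before the message is delivered. The following is an added example written for this page, not Agari's detection code; the brand table, the confusable map and the sample headers are constructed for illustration, and the exact-domain case is deliberately left unflagged because it can only be decided by authentication results such as DMARC, not by the header text itself.

```python
"""Heuristic checks on a From header for the spoofing patterns described above
(added example; the brand table and confusable map are constructed)."""
import email.utils
import re
import unicodedata

# Constructed table of brands the organisation expects mail from, mapped to the
# domain that legitimately sends for them (assumption: loaded from config in practice).
TRUSTED = {
    "paypal": "paypal.com",
    "dropbox": "dropbox.com",
    "united": "united.com",
    "acme": "acme.com",
}

# Constructed confusable map: digits that render like letters plus a few Cyrillic
# letters whose glyphs match Latin ones. Real deployments use the full Unicode
# confusables data rather than this short list.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "5": "s", "3": "e",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})


def decode_domain(domain: str) -> str:
    """Return the Unicode form of a domain, decoding punycode (xn--) labels."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def scripts_in(text: str) -> set:
    """Unicode scripts (first word of each character's name) used by letters in text."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}


def is_trusted(domain: str, legit: str) -> bool:
    """The brand's own domain or one of its subdomains."""
    return domain == legit or domain.endswith("." + legit)


def analyze_from_header(header: str) -> list:
    """Return [(finding, detail), ...] for one From header; [] means nothing flagged."""
    findings = []
    display_name, addr = email.utils.parseaddr(header)
    domain = decode_domain(addr.rpartition("@")[2].lower())
    tokens = re.split(r"[.-]", domain.rsplit(".", 1)[0])  # labels left of the TLD

    # Lookalike via another script: any non-Latin letter in the domain.
    if scripts_in(domain) - {"LATIN"}:
        findings.append(("mixed_script_domain", domain))

    # Display-name deception: a trusted brand in the display name, address elsewhere.
    for brand, legit in TRUSTED.items():
        if brand in display_name.lower() and not is_trusted(domain, legit):
            findings.append(("display_name_mismatch", f"{display_name!r} -> {domain}"))

    # Lookalike domains: confusable glyphs, or the brand name used as an extra word.
    folded = domain.translate(CONFUSABLES)
    for brand, legit in TRUSTED.items():
        if is_trusted(domain, legit):
            continue
        if folded == legit:
            findings.append(("confusable_lookalike", f"{domain} ~ {legit}"))
        elif brand in tokens:
            findings.append(("brand_token_lookalike", f"{domain} ~ {legit}"))
    return findings


if __name__ == "__main__":
    # Constructed headers mirroring the page's examples. The first is legitimate
    # and is not flagged; an exact-domain spoof of united.com would look identical
    # here, which is why that case is left to DMARC.
    for sample in [
        '"United Customer Service" <noreply@united.com>',
        '"PayPal" <paypal@paypa1.com>',
        '"Acme Invoices" <billing@acme-payments.com>',
        '"Dropbox" <notifications@dr\u043epb\u043ex.com>',
    ]:
        print(sample, "->", analyze_from_header(sample))
```

Two details matter in practice: the domain is decoded from its punycode (xn--) wire form before inspection, because the client renders the Unicode form while the header carries the ASCII one, and subdomains of a trusted domain are accepted so that mail from mail.acme.com is not reported as a lookalike of acme.com.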

Spoofing and Business Email Compromise

Throughout the past few years, there has been an increase in business email compromise attacks, which typically spoof CEOs’ and CFOs’ email addresses to initiate wire transfers. Recent research from Agari’s Cyber Intelligence Division (ACID) indicates that this tactic is also being used to request small-dollar gift cards for charity events or to reward staff for their work. In these cases, the email typically appears to come from an executive at the organization and is directed to either an executive assistant or to junior employees in his or her department.

Preventing Email Spoofing in Your Inboxes

While it is not possible to prevent cybercriminals from spoofing email addresses (as they continuously find new ways to trick their targets), it is possible to block these messages before they reach the inboxes of your employees, customers, and partners. Here at Agari, we use a combination of email authentication and identity detection to ensure that spoofed emails are detected before they ever reach the inbox. Our comprehensive strategy ensures that intended targets stay safe from brand impersonation, identity deception and email spoofing, ultimately helping you restore trust to the inbox.
