What is Email Spoofing?
The most commonly accepted definition of email spoofing is a threat that involves sending email messages with a fake sender address. Email protocols cannot, on their own, authenticate the source of an email. Therefore, it is relatively easy for a spammer or other malicious actor to change the metadata of an email. This way, the protocols think it came from the real sender.
What is the History of Spoofing?
Spoofing, one of the most common cyber crimes, has its origins as an element of phishing attacks, which were first mentioned in 1996. Hackers were able to create fake America Online (AOL) accounts using fraudulent credit card numbers. They would then use spoofing to spam AOL users.
How is Email Spoofing Different from Phishing?
Phishing refers to a method cyber criminals use to obtain personal information like login credentials or credit card information by sending an email that looks like it is from someone with the authority to ask for that information. The attack is meant to fool the recipient into clicking on a link or downloading an attachment that introduces malware into their system. Phishing is different from spoofing, however.
| Spoofing | Phishing |
|---|---|
| Spoofing refers to a form of identity theft where someone uses the identity of a real user. | Phishing involves someone stealing sensitive information such as bank or credit card details. |
| Spoofing can involve phishing. | Phishing is not an element of spoofing. |
| With spoofing, the target has to download malware. | Phishing uses social engineering. |
| Spoofing is used to acquire identity information. | Phishing is aimed at extracting confidential information. |
How Email Spoofing Works
Email spoofing takes advantage of the fact that email, in many ways, is not very different from regular mail. Each email has three elements: an envelope, a message header, and a message body. An email spoofer puts whatever they want into each of those fields, not just the body and “To:” fields. This means they can customize the information in the following fields:
- Mail from:
- Reply to:
When the email hits the target inbox, the email program reads what is in these fields and generates what the end-reader sees. If certain information is entered in the right fields, what the reader sees will differ from what is real, for example where the email originated. In some attacks, the target is thoroughly researched, enabling the attacker to add specific details and use the right wording to make the attack more successful. This is known as “spear phishing.”
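A receiving-side check for the field mismatch described above, added here as an illustration and not part of the original article: it compares the envelope sender (recorded by the receiving server as Return-Path) and the Reply-To address against the domain in the visible From: header. The sample message, its domains, and the function names are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the envelope sender and Reply-To point at domains
# unrelated to the From: address the reader is shown.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Accounts Payable" <ap@yourcompany.example>
Reply-To: payments@lookalike.example
To: employee@yourcompany.example
Subject: Updated bank details

Please use the new account for this invoice.
"""

def domain_of(value):
    """Return the lowercased domain of the address in a header value, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """Simplified relaxed match: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoofing_indicators(raw):
    """List header fields whose domain is unrelated to the visible From: domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    if not from_dom:
        return ["missing-or-unparseable-from"]
    findings = []
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and not related(env_dom, from_dom):
        findings.append(f"envelope-mismatch:{env_dom}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not related(reply_dom, from_dom):
        findings.append(f"reply-to-mismatch:{reply_dom}")
    return findings

if __name__ == "__main__":
    print(spoofing_indicators(SAMPLE))
```

A mismatch is an indicator to weigh, not a verdict: mailing-list and bulk-mail services legitimately send with their own envelope domain.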
Reasons Behind Email Spoofing and How It Can Be Dangerous
Email spoofing can be leveraged to accomplish several criminal or maliciously disruptive activities. Once the bad actor has fooled the recipient regarding the origin of the email, they can do a variety of damage. Figuring out how to stop email spoofing starts with ascertaining why attackers want to use it as a tool.
One of the prime payoffs for email spoofers is that it allows them to conceal who they are. This comes in handy in several ways, particularly if the recipient trusts the alleged sender of the email.
Trust can be earned using the name of a person or company the target is familiar with, such as a friend, business associate, or someone from within their social networks. Trust can also be gained by using the name or identity of someone within the general business community, particularly an individual from a respected company or organization.
Avoiding a Spam Blacklist
Many email providers allow users to create a blacklist that filters out spam. One way of blocking a spammer is by adding their name or domain address to a filter. When someone spoofs an email address, they can use one that is unlikely to be included in the filter settings. In this way, the email slips past the filters undetected and into the recipient’s inbox.
Tarnishing the Image of the Assumed Sender
A spoofed email may contain malicious links, false information, outright lies, or subtle untruths designed to make the sender look like someone with ill intent or who is uninformed. In some cases, a spoofed email may be used to make the sender or their organization appear insecure or compromised by malware or hackers. This may corrode the reputation of the supposed sender, hurting their business or social prospects.
Intending to do Personal Damage
Sometimes, the intent is personal. When an email is well-spoofed, the real sender may gain access to the target’s computer data, business contacts, social media accounts, and more. This can make the target look bad, harm their professional profile, or do damage to their computer. When email spoofing is used to introduce certain types of malware, the sender may be able to take control of the recipient’s computer by installing ransomware, effectively interrupting their digital life.
In some instances, an attacker may seek to gain email login credentials and use them to send out fake emails that appear to be coming from the target. This can corrode the trust of their contacts, business or otherwise, and their integrity as a professional.
Other Criminal Intentions
If an email spoofer is able to gain the trust of the recipient, the door is opened for several types of scams. For example, the sender could:
- Convince people to send money online or through a wiring service
- Request and receive login information for PayPal, bank, or credit card accounts
- Convince a target to send sensitive information about a business’ secrets
- Get the target to provide sensitive personal information
Email Spoofing Protections
Although email spoofing is a prevalent, persistent threat, there are several ways to protect yourself or your organization from it.
There are a few technical precautions you can take to prevent email spoofing tools from accessing your system. For example, if you send emails using a subdomain, it can be harder to spoof your email. You would want to use @help.yourcompany.com instead of @yourcompany.com.
You can also have your IT team update your Domain Name System (DNS) by adding a Sender Policy Framework (SPF) record and two mail exchanger (MX) records. These records enable your domain to allow a verified third party to send emails on behalf of your domain. Once set up, the mail server routes the messages from the third party to the custom domain.
Use Anti-Malware Software
Anti-malware software can prevent email spoofing by identifying and then blocking suspicious websites and detecting spoofing attacks. Once the software has identified a suspicious sender or email, it can stop the email from ever reaching your inbox. Even though spoofed emails cannot be stopped at the source, anti-malware software can work like a force field to protect your system from them.
Use Email Signing Certificates to Protect Outgoing Emails
An email signing certificate gives you the ability to encrypt emails so that only the intended recipient can access the content within the message. You can also apply a digital signature so that the person receiving the message can make sure the email was sent by you, as opposed to someone spoofing your email address.
Email encryption certificates use asymmetric encryption, in which the email is encrypted with a public key before it is sent to the recipient. The recipient has a private key for decrypting the message. In this way, both the message and any included attachments can be sent and received securely.
Conduct Reverse IP Lookups to Verify the Real Sender
With a reverse IP lookup, you can tell if the apparent sender is the real one, as well as where the email actually came from. You can use an online reverse lookup tool to identify the domain name associated with the IP address. This is, in effect, an email spoofing test. If the IP address is different from where the email supposedly came from, you have just identified an email spoofing attack.
Audit Email Accounts to see How They Respond to SPF and DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) enables email senders and receivers to figure out whether a message is from a legitimate sender, as well as how to treat the email if it is not. DMARC, essentially, checks the credentials of an email.
Part of the DMARC process involves the Sender Policy Framework (SPF), which is used to authenticate the message being sent. If the message fails to pass either SPF or SPF alignment, it will fail the DMARC process and be rejected.
DMARC also uses the DomainKeys Identified Mail (DKIM) method for message authentication. If the message being sent does not pass either DKIM or DKIM alignment, it will, similarly, fail DMARC and be rejected.
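An audit of the DNS records behind these checks, added here as an example and not taken from the original article: it flags SPF and DMARC TXT records that publish a policy without enforcing it. The record strings, domain names, and finding codes are constructed; record syntax follows RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
def audit_spf(record):
    """Return finding codes for an SPF TXT record."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["spf-invalid"]
    findings = []
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("spf-no-all")        # unlisted senders get "neutral"
    if any(t in ("all", "+all") for t in alls):
        findings.append("spf-allows-all")    # any sending host passes SPF
    if "?all" in alls:
        findings.append("spf-neutral-all")   # no verdict for unlisted senders
    return findings

def audit_dmarc(record):
    """Return finding codes for a DMARC TXT record (tag=value list)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["dmarc-invalid"]
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("dmarc-not-enforced")             # p=none only monitors
    if tags.get("sp", "").lower() == "none":
        findings.append("dmarc-subdomains-not-enforced")  # subdomains left open
    if tags.get("pct", "100") != "100":
        findings.append("dmarc-partial-pct")              # policy covers a sample
    if "rua" not in tags:
        findings.append("dmarc-no-aggregate-reports")     # no visibility
    return findings

# Constructed records: a weak pair and the corrected pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.mailvendor.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_SPF = "v=spf1 include:_spf.mailvendor.example -all"
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.example"

if __name__ == "__main__":
    for rec in (WEAK_SPF, FIXED_SPF):
        print(rec, "->", audit_spf(rec))
    for rec in (WEAK_DMARC, FIXED_DMARC):
        print(rec, "->", audit_dmarc(rec))
```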
In addition to software-based anti-spoofing measures, there are other steps you can take to protect your organization from email and domain spoofing attacks. In some cases, you just have to keep an eye out for things that raise suspicion. In other situations, some basic education can be used to empower team members to protect themselves.
Provide Cyber Awareness Training for Your Employees to Help Them Identify Threats
To an unsuspecting employee, a fake email may look legitimate. Often, this is because the employee has never been exposed to email spoofing before. In other cases, although the employee has seen email spoofing in the past, a novel form of spoofing may slip their notice. To combat this, you can initiate educational programs designed to equip employees with the ability to spot and handle modern email spoofing tactics.
To achieve the best results, the training should be ongoing. You can periodically update the training materials and teaching methods to reflect new developments in the email spoofing arena. The training should also include what to do when a spoofing attempt is discovered.
Watch for Unknown, Odd, or Spoofed Email Addresses
Often, the types of email addresses you see in the messages you receive are either predictable or familiar. Watch out for unknown or strange email addresses. If you get an email from an address that raises suspicion, verify its origin before interacting with the content. Once you have identified a spoofed email address, stay on the lookout for them in the future. Attackers will try using the same tactics more than once, which can make previously spoofed addresses easier to pick out.
Do Not Give Out Personal Information
In many situations, email spoofing can get as far as your inbox and still not do any damage—as long as you do not give them what they want. The objective is often to grab and exploit the personal information of the target. If you and those in your organization make it a practice to never divulge personal information in an email, you can limit or eliminate the damage email spoofing is intended to inflict.
Avoid Strange Attachments or Unfamiliar Links
It is good practice to stay away from suspicious attachments or links. In many cases, it is possible to see the source of a link by right-clicking or long-tapping it. If you have any doubt as to the link’s origin, this technique may reveal its source.
With attachments, carefully examine the email’s contents, subject line, and file extension before opening. If there are strange typos or odd extensions on the attached file, it is best to steer clear.
How Fortinet Can Help
The Fortinet FortiMail solution addresses both inbound and outbound traffic to enforce compliance policies, detect and prevent threats, and protect your company’s data assets. It works by applying rules for vetting emails before they enter or leave your system. It works hand in hand with your current email system, so you do not have to revamp your email setup just to take advantage of the FortiMail protections.
Further, FortiMail integrates with FortiGuard Labs, which gives it access to the FortiGuard analysis of the global threat network. This means spam and malware attacks can be spotted and stopped in their tracks.