Email Spoofing

Email Spoofing Definition

Email spoofing is a technique used by cyber scammers to fraudulently manipulate the sender address of a malicious email, making it appear to have come from a recognized or trusted source. When that trust is established, it is immediately exploited by asking the recipient to share confidential information or creating a false pretense for some other action.

Cybercriminals frequently use email spoofing in email phishing and spam campaigns that aim to steal sensitive data from individuals, businesses, government agencies and other organizations. When the recipient believes they are receiving an email from a reputable party, they’re more likely to open the email and follow its directions - often accessing a fake website or downloading a malicious attachment that will steal or destroy their data.

How Does Email Spoofing Work?

Cybercriminals use several email spoofing methods to present false sender information to the recipient. Three of the most common are forging email message headers, registering a look-alike domain and falsifying a display name.

Forging Email Message Headers

This type of email spoofing is possible because of the design of the Simple Mail Transfer Protocol (SMTP), the standard protocol for sending email over the Internet. SMTP defines the rules of the exchange between email client applications and mail servers, and between one mail server and the next, that move a message from sender to receiver.

When an email is sent, an SMTP transaction transfers the message from the sender’s mail server to the recipient’s mail server. The process typically works in the following stages:

  1. The sender composes an email, adds the recipient’s email address, and clicks Send.
  2. The sender’s email client application submits the message to its own domain’s SMTP server, which will relay it over the Internet.
  3. The sender’s SMTP server looks up the mail server responsible for the recipient’s domain and connects to it to open an SMTP session.
  4. Once the greeting and the EHLO/HELO handshake are complete, the session is established and a transaction can be initiated to transfer the message from one server to the other.
  5. An SMTP transaction consists of three command/reply sequences between the sender’s SMTP server and the recipient’s SMTP server:
    1. MAIL FROM - A command that states the envelope sender address, which becomes the return path for bounces.
    2. RCPT TO - A command that states a recipient of the message (sent once per recipient).
    3. DATA - A command announcing that the message content follows. The receiving server replies that it is ready, the sender transmits the message headers and body, and a line containing only a period marks the end.
  6. The transaction is complete when the recipient’s server accepts the message. It is then delivered to the recipient’s mailbox.
  7. The recipient can now use their own email client application to retrieve and read the email.

The weakness is that SMTP itself has no built-in means of verifying the sender information it carries: the receiving server accepts whatever address is given in MAIL FROM, and the headers that follow DATA are written entirely by the sending side. Cybercriminals can therefore fill the email header with false information in the hope of fooling the recipient about the origin of the email. The SPF, DKIM and DMARC standards were added later so that receivers can check these claims, but they help only when the impersonated domain publishes them and the receiving server enforces them.

This is most often accomplished by forging fields within the email message header, including the From:, Reply-To: and Return-Path: addresses. From: is what the recipient’s mail client shows as the sender, Reply-To: is where a reply is sent, and Return-Path: is recorded by the receiving server from the MAIL FROM envelope address, so an attacker controls it simply by lying in MAIL FROM.

This type of email spoofing has become so accessible that there are public websites that let anyone send a spoofed email for free in a few clicks.
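The transaction stages listed above and the header forgery described in this section, as an added example that is not code from this page or from ZeroFOX: a toy SMTP receiver, driven in-process with no network, plays through a sending side's EHLO, MAIL FROM, RCPT TO, DATA and QUIT commands, accepts the envelope sender without verification, stamps Return-Path: from it, and a check then compares the From:, Reply-To: and Return-Path: addresses. The host names, addresses and message text are constructed for the example.

```python
from email import message_from_bytes
from email.utils import parseaddr


def run_smtp_session(client_lines):
    """Play a client's command lines against a toy SMTP receiver.

    Returns (transcript, envelope_from, recipients, message_bytes), where
    transcript is the ordered list of ("C", line) / ("S", reply) pairs.
    Like a real MTA, the receiver accepts MAIL FROM and the message headers
    exactly as given; nothing here verifies who the sender really is.
    """
    transcript = [("S", "220 mx.example.test ESMTP ready")]   # server greeting
    envelope_from, recipients, data_lines = None, [], []
    in_data = False
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line == ".":                                   # end-of-data marker
                in_data = False
                transcript.append(("S", "250 2.0.0 OK: queued"))
            else:
                # undo dot-stuffing: a content line starting with "." is sent as ".."
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            transcript.append(("S", "250 mx.example.test Hello"))
        elif verb == "MAIL":                                  # MAIL FROM:<addr>
            envelope_from = arg.split(":", 1)[1].strip().strip("<>")
            transcript.append(("S", "250 2.1.0 Sender OK"))   # accepted, unverified
        elif verb == "RCPT":                                  # RCPT TO:<addr>
            recipients.append(arg.split(":", 1)[1].strip().strip("<>"))
            transcript.append(("S", "250 2.1.5 Recipient OK"))
        elif verb == "DATA":
            in_data = True
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
        elif verb == "QUIT":
            transcript.append(("S", "221 2.0.0 Bye"))
        else:
            transcript.append(("S", "500 5.5.1 Command unrecognized"))
    # A receiving server records the envelope sender as Return-Path: at delivery.
    message = ("Return-Path: <%s>\r\n" % envelope_from + "\r\n".join(data_lines)).encode()
    return transcript, envelope_from, recipients, message


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def spoof_indicators(message_bytes):
    """Compare what the recipient sees (From:) with Return-Path: and Reply-To:."""
    msg = message_from_bytes(message_bytes)
    display_name, header_from = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to or header_from                        # absent Reply-To: means "reply to From:"
    return {
        "display_name": display_name,
        "header_from": header_from,
        "return_path": return_path,
        "reply_to": reply_to,
        "return_path_mismatch": domain(return_path) != domain(header_from),
        "reply_to_mismatch": domain(reply_to) != domain(header_from),
    }


# Constructed attacker session: the envelope sender, the From: header and the
# Reply-To: header are three unrelated addresses, and the receiver takes all three.
FORGED_SESSION = [
    "EHLO mail.evil.example",
    "MAIL FROM:<bounce@evil.example>",
    "RCPT TO:<victim@example.test>",
    "DATA",
    'From: "Trusted Bank Payroll" <payroll@trusted-bank.example>',
    "Reply-To: <helpdesk@evil.example>",
    "To: <victim@example.test>",
    "Subject: Action required: confirm your account",
    "",
    "Please reply with your login details to keep your salary payments active.",
    ".",
    "QUIT",
]


def demo():
    transcript, _envelope_from, _recipients, message = run_smtp_session(FORGED_SESSION)
    return transcript, spoof_indicators(message)


if __name__ == "__main__":
    transcript, indicators = demo()
    for side, text in transcript:
        print(side + ":", text)
    print(indicators)
```

With a real client the same split is just as easy: smtplib.SMTP.sendmail(from_addr, to_addrs, msg) takes the MAIL FROM address from its first argument and sends msg verbatim, so the envelope sender, the From: header and the Reply-To: header can each be chosen independently.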

Registering a Look-alike Domain

Domain spoofing is one of the most common forms of digital fraud, with over 3 billion domain spoofing emails sent every day (Yahoo AU).

This type of email spoofing involves registering a domain whose name resembles a trusted domain, for example by adding, dropping or swapping a character, using a different top-level domain, or substituting look-alike characters. The cybercriminal can then send email from this domain, often copying the design and layout of the trusted domain’s usual communications.

If the recipient does not notice that the email came from a look-alike domain, they are likely to act as if it were a genuine message from the trusted domain. Because the message really was sent from the domain it names, it can also pass any sender-authentication checks the look-alike domain’s owner has set up for it; the reliable defence is reading the domain carefully.
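One way to catch the look-alike domains this section describes, as an added example that is not code from this page or from ZeroFOX: a candidate sender domain is reduced to its registrable part, confusable characters are folded to the Latin letters they imitate, and the result is compared with a protected domain by exact match, edit distance, embedding and top-level-domain swap. The domain names, the confusables table and the distance threshold are constructed assumptions for the example; production code would use a full confusables list and the Public Suffix List.

```python
import unicodedata

# Visually confusable characters and pairs, mapped to the Latin letters they imitate.
# Constructed for this example; it is deliberately small, not a full confusables table.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0131": "i",                                                             # dotless i
}
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def fold(text):
    """Lower-case, strip accents and collapse confusables so look-alikes compare equal."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    for pair, single in DIGRAPHS.items():
        text = text.replace(pair, single)
    return text


def levenshtein(a, b):
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels (mail.x.example -> x.example); a real check should use the PSL."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookalike_report(candidate, protected, max_distance=2):
    """Classify a sender domain as exact, lookalike or unrelated relative to a protected domain."""
    cand, prot = registrable(candidate), registrable(protected)
    if cand == prot:
        return {"candidate": candidate, "verdict": "exact", "reasons": []}
    cand_label, _, cand_tld = fold(cand).rpartition(".")
    prot_label, _, prot_tld = fold(prot).rpartition(".")
    reasons = []
    if any(ord(ch) > 127 for ch in cand):
        # Non-ASCII labels travel on the wire in punycode; show what DNS actually sees.
        reasons.append("non-ASCII label, sent on the wire as %s" % cand.encode("idna").decode("ascii"))
    if cand_label == prot_label and cand_tld == prot_tld:
        reasons.append("identical to %s after confusable folding" % prot)
    elif cand_label == prot_label:
        reasons.append("same name under a different top-level domain (.%s)" % cand_tld)
    elif cand_tld == prot_tld and levenshtein(cand_label, prot_label) <= max_distance:
        reasons.append("edit distance %d from %s" % (levenshtein(cand_label, prot_label), prot))
    elif cand_tld == prot_tld and prot_label in cand_label:
        reasons.append("contains the protected name with extra text")
    return {"candidate": candidate, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


def scan(candidates, protected="trusted-bank.example"):
    return [lookalike_report(c, protected) for c in candidates]


if __name__ == "__main__":
    # Constructed candidates: one genuine subdomain, four look-alikes, one unrelated domain.
    for report in scan(["mail.trusted-bank.example", "trustedbank.example", "trusted-bank.test",
                        "secure-trusted-bank.example", "trusted-b\u0430nk.example", "news.example"]):
        print(report)
```

Folding before comparing is what makes the Cyrillic-letter case fall out: the attacker's domain is a different DNS name (its punycode form starts with xn--), yet after folding it is character-for-character the protected domain, which is exactly what the recipient's eye sees.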

Falsifying a Display Name

Falsifying a display name is the most basic form of email spoofing. The display name is the free-text "friendly name" in the From: header, the part shown before the angle-bracketed address, and any account, including a free webmail account, can set it to anything. The cybercriminal registers an account and gives it the name of the individual they want to impersonate. Many mail clients, especially on mobile devices, show only the display name, so when emails arrive from that account the recipient sees the name of a trusted contact (or whoever else the cybercriminal chooses to impersonate) and may follow the instructions without ever noticing the unfamiliar address behind it.

Can a Spoofed Email Be Traced?

How do you know if you received a spoofed email?

You can start with the sender information your mail client shows. Check that the address itself, not just the display name, belongs to the domain you expect, and read the domain carefully to make sure it isn’t a look-alike. If the email claims to come from a known contact, compare the address against your records rather than trusting the name.

You can find more by viewing the full message header in your mail client. The Received: lines record, newest first, each server that handled the message, and the Authentication-Results: line added by your own mail server shows whether the message passed SPF, DKIM and DMARC checks. Trace the Received: chain from the top downward: the lines added by your own servers are trustworthy and identify the IP address that connected to deliver the message, but the lines below that point were supplied by the sender and can be forged, so the "originating" address at the bottom of the chain is not reliable evidence on its own.
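Reading a full header block the way this section (and the display-name section above) describes, as an added example that is not code from this page or from ZeroFOX: the code walks the Received: chain from the hop nearest the mailbox outward and stops at the first hop not stamped by one of our own servers, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results:, and compares the From: display name with an address book. The raw message, host names, IP addresses (from the RFC 5737 documentation ranges), trusted-server sets and address book are all constructed assumptions for the example.

```python
import json
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. The bottom Received: line was written by the attacker's own
# server and claims the message came from the bank; only the two lines above it
# were added by servers we operate.
RAW_MESSAGE = """\
Received: from mx.example.test (mx.example.test [192.0.2.10]) by imap.example.test with ESMTP id 7f1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.evil.example (unknown [203.0.113.45]) by mx.example.test with ESMTPS id 9c2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from trusted-bank.example (trusted-bank.example [198.51.100.7]) by mail.evil.example with ESMTP id 000; Mon, 1 Jan 2024 09:59:00 +0000
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=evil.example; dkim=none; dmarc=fail header.from=trusted-bank.example
From: "Alice Example" <alice.example@freemail.example>
Reply-To: <alice.example@freemail.example>
To: <bob@example.test>
Subject: Urgent wire transfer

Bob, please process the attached invoice today.
"""

TRUSTED_HOSTS = {"imap.example.test", "mx.example.test"}   # servers whose stamps we trust (assumed)
TRUSTED_IPS = {"192.0.2.10"}                               # addresses of those servers (assumed)
ADDRESS_BOOK = {"Alice Example": "alice@trusted-bank.example"}  # constructed contact list

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Received: lines as dicts, top first (the hop nearest the mailbox is listed first)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))       # unfold the header first
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return hops


def originating_ip(msg, trusted_hosts, trusted_ips):
    """IP of the first outside server that handed the message to one of our servers.

    The "from" host name is only the client's HELO claim, so the decision keys on the
    IP our server recorded. Hops stamped by servers we do not control are ignored.
    """
    for hop in received_hops(msg):
        if hop["by"] not in trusted_hosts:
            break                                             # below here, anything goes
        if hop["ip"] not in trusted_ips:
            return hop["ip"]
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results: line our MTA added."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def display_name_check(msg, address_book):
    """Flag a familiar display name paired with an address that is not on file for it."""
    name, addr = parseaddr(msg.get("From", ""))
    known = address_book.get(name)
    return {"display_name": name, "address": addr, "known_address": known,
            "mismatch": known is not None and known.lower() != addr.lower()}


def inspect(raw=RAW_MESSAGE):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {
        "hops": hops,
        "originating_ip": originating_ip(msg, TRUSTED_HOSTS, TRUSTED_IPS),
        "naive_bottom_ip": hops[-1]["ip"] if hops else None,  # what a bottom-up trace would report
        "auth": auth_results(msg),
        "display_name": display_name_check(msg, ADDRESS_BOOK),
    }


if __name__ == "__main__":
    print(json.dumps(inspect(), indent=2))
```

The two IP results are the point: the bottom of the chain says 198.51.100.7, a line the attacker's server wrote, while the hop our own server stamped shows the message actually arrived from 203.0.113.45. The failed SPF and DMARC results and the familiar name attached to an unknown address confirm the picture.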

How ZeroFOX Protects Against Email Spoofing

ZeroFOX uses artificial intelligence to identify impersonating email accounts and spoofed domains in real time. ZeroFOX maintains the broadest range of takedown capabilities on the market today, with the ability to quickly and decisively disrupt the digital infrastructure of cybercriminals using email spoofing to target your business.