Spoof Email Address

What is a Spoof Email Address?

A spoof email address is a “fake” email address that resembles the genuine email address of a trusted individual, brand, or company. Digital threat actors and cybercriminals create spoof email addresses and use them to execute scams where they impersonate a trusted party and deceive victims into disclosing sensitive information or facilitating a fraudulent transaction. 

How Do Cybercriminals Create a Spoof Email Address?

Email spoofing attacks are on the rise, simply because of how easy it is to create a spoof email address. Below, we describe the three methods most commonly used by cybercriminals to spoof an email address:

Forging Email Message Headers

An email message has three components: the header, the body, and the envelope. The header includes information like the sender’s email address, the receiver’s email address, the date the message was sent, and an ID number for the message. Cybercriminals can spoof an email address by forging the email message header to present false information to the recipient, including showing a different email address than the real one where the email came from.

Falsifying the Display Name

When you receive an email, you’ll typically see the sender’s display name in your inbox instead of their email address. Cybercriminals can register email addresses with fake display names to deceive recipients into believing that the email came from a trusted source. 

Look-alike or Copycat Domains

Cybercriminals may attempt to impersonate a trusted organization or brand by registering a copycat domain, creating a spoof email address under the copycat domain, and using that email address to scam employees or customers of the brand.

How is a Spoof Email Address Used?

Cybercriminals and digital threat actors use spoof email addresses to carry out social engineering attacks against the employees and customers of a target brand, or the general public. These attacks use manipulative, coercive, and deceptive techniques to fool victims into helping cybercriminals steal money, exfiltrate sensitive data, or gain access to a secure network.

Watch out for the following types of social engineering attacks that use a spoof email address to trick victims:


Phishing attacks are among the most common types of cyberattacks and may be carried out via email, telephone, or SMS text message. In a phishing attack, cybercriminals pose as a trusted organization or brand to scam their victims. Common characteristics of phishing emails include:

  • Clickbait Subject Lines - An eye-catching subject line may be used to entice recipients into opening the email, even if it’s from an unfamiliar sender.
  • Unbelievable Offers or Requests - The email message may include a too-good-to-be-true offer that exploits the recipient’s greed to deceive them into taking the next step.
  • Sense of Urgency - Phishing emails often try to create a sense of urgency, encouraging the recipient to take immediate action on their own judgment instead of talking to a friend or asking for help.
  • Unusual Sender - Phishing emails come from digital threat actors who may use a spoof email address to impersonate someone that the recipient trusts.

Spear Phishing

A spear phishing attack is a highly targeted phishing attack against a very specific organization, brand, group, or individual. To craft a successful spear phishing attack, cybercriminals will invest time in selecting and researching a target organization, developing customized messaging, and choosing the right individual or brand to impersonate with a spoof email address.

Malicious Payloads

Email spoofing attacks can be used to deliver a variety of malicious payloads, including:

  • Fake Requests or Instructions - Cybercriminals may create a spoof email address to impersonate a corporate executive and direct their employees to send a fraudulent wire transfer or share access credentials to a secure network or application.
  • Malicious Attachments - Cybercriminals may use a spoof email address to fool the victim into opening an attachment that contains malicious code. This code may give the criminal remote access to the victim’s computer, enabling them to spy on the victim or exfiltrate data.
  • Malicious Links - Cybercriminals may use a spoof email address to deliver a link to a malicious domain. When the victim visits the domain, there’s no telling what they’ll find. It could be a fake login page for a trusted service that attempts to steal their access credentials, or a code injection attack that targets a security vulnerability in the victim’s web browser.

How to Detect a Spoof Email Address

Enterprise organizations are frequently targeted by phishing and malicious domain attacks that use a spoof email address to deceive their employees. To repel these attacks, employees who use email need the right tools and education to identify spoofed email addresses in their inbox and avoid opening emails from untrustworthy sources.

Here’s how to detect a spoof email address in your inbox:

  • If you don’t recognize the sender of an email, it might be a spoof email address.
  • If the sender’s email address doesn’t match your records, there’s a good chance you’re looking at a spoofed email.
  • If the email subject line is irrelevant to your relationship or business dealings with the sender, or the contents of the email, it might be a spoofed email address.
  • If the body of the email tries to convince the recipient to click a link or open an attachment, it could be from a spoofed email address.
  • If the body of the email contains uncharacteristically bad spelling or grammar, it could be from a spoofed email address.
  • If the body of the email contains an unfamiliar hyperlink that leads to a website other than the one displayed, it is more than likely a malicious link.
  • If the email contains an unexpected attachment, especially an executable file, it is likely to be a malicious attachment.

Spoof emails can vary significantly in both their contents and the deceptive techniques they use. That’s why organizations are increasingly investing in Digital Risk Protection (DRP) software solutions that can automatically detect spoof emails and alert employees before they fall victim to the scam.

How Does ZeroFOX Detect a Spoof Email Address?

The ZeroFOX platform uses artificial intelligence to monitor cloud email solutions, detecting and alerting on phishing attempts, impersonation, and business email compromise (BEC) attacks in real time to protect your organization from attacks that involve a spoof email address.

View our free webinar on ZeroFOX Advanced Email Protection to learn more about how to safeguard your organization against emerging email-based threats.