Phishing is one of the most common forms of cyber attack, and the essence of a phishing email is to make the recipient believe it was sent by a legitimate person or company. To appear legitimate, cybercriminals use email spoofing, among other techniques.
How to spoof an email address?
Email spoofing is a technique used in spam and phishing attacks to trick users into believing that a message comes from a person or company they know or trust. The attacker forges message headers, above all the From header, so that the recipient's mail client displays a sender of the attacker's choosing. Most people do not spend time scrutinising email addresses.
If an email appears to come from someone the user knows, such as their manager, they are far more likely to click links or open attachments. In more advanced phishing attacks, criminals use the same trust to get people to transfer money, pay fake invoices or hand over personal information.
Email spoofing is possible because of how SMTP was designed. The sending client chooses both the envelope sender (the MAIL FROM address given during the SMTP session) and the From header shown to the recipient, and plain SMTP gives the receiving server no way to verify that either of them belongs to whoever actually sent the message.
Spoofing through the sender's name
Name spoofing is a type of email spoofing in which only the sender's display name is forged. The attacker registers an ordinary free webmail account (Gmail, for example) with the same display name as the contact they want to impersonate; the address itself is real and belongs to the attacker.
Because nothing about the address is forged, such a message passes SPF, DKIM and DMARC checks and is rarely filtered as spam: it genuinely comes from the address it claims to come from. Most mobile mail apps show only the display name and hide the address behind a tap, so name spoofing has become especially effective with the spread of smartphone email apps.
Spoofing via legitimate domains
Often, cybercriminals want to appear as a highly trustworthy sender with authority. They achieve this by spoofing the real domain of a well-known company, so that both the sender name and the email address are fake.
There is no need to break into the company's network or hijack one of its mailboxes. Attackers use open relays (SMTP servers that accept mail without authentication and let the client set any envelope sender and From address), servers they have compromised, or simply an SMTP server of their own.
This works for serious attacks because many corporate domains still publish no SPF or DMARC records, leaving receiving servers with nothing to verify the claimed domain against.
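The exchange below, added here as an illustration and not taken from the original article, shows why an open relay cannot tell a forged sender from a real one. It is a toy SMTP server written in Python that implements just enough of the protocol to accept a message; the hosts relay.example.net, victim.example and evil.example and the address 203.0.113.5 are hypothetical.

```python
"""Constructed SMTP exchange: an in-memory open relay that, like a real one,
checks nothing about MAIL FROM or the From: header. The only facts it records
are the connecting IP (Received header) and the envelope sender (Return-Path).
"""
from email import message_from_string
from email.utils import parseaddr


class OpenRelay:
    """Minimal unauthenticated relay: any MAIL FROM and RCPT TO are accepted."""

    def __init__(self, hostname="relay.example.net"):
        self.hostname = hostname
        self.mailbox = []            # messages "delivered" by the relay
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []

    def handle(self, line, client_ip):
        """Process one client line; return the server reply (None inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                body = "\n".join(self.data_lines)
                # What the relay actually knows is prepended here; everything
                # below it (From:, Subject:, ...) is whatever the client typed.
                stamped = (f"Return-Path: <{self.mail_from}>\n"
                           f"Received: from {client_ip} by {self.hostname} with SMTP\n"
                           + body)
                self.mailbox.append(stamped)
                self._reset()
                return "250 OK: queued"
            self.data_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":                       # MAIL FROM:<...>  (not verified)
            self.mail_from = parseaddr(arg.partition(":")[2])[1]
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<...>
            self.rcpt_to.append(parseaddr(arg.partition(":")[2])[1])
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


# Attacker-side commands (constructed). Envelope sender and From: header are
# both chosen freely by the client and need not agree with each other.
SPOOF_SESSION = [
    "EHLO evil.example",
    "MAIL FROM:<bounce@evil.example>",
    "RCPT TO:<cfo@victim.example>",
    "DATA",
    'From: "Jane Doe, CEO" <jane.doe@victim.example>',
    "To: cfo@victim.example",
    "Subject: Urgent wire transfer",
    "",
    "Please pay the attached invoice today.",
    ".",
    "QUIT",
]


def run_session(relay, lines, client_ip="203.0.113.5"):
    """Feed the client lines to the relay; return [(side, text), ...]."""
    transcript = []
    for line in lines:
        transcript.append(("C", line))
        reply = relay.handle(line, client_ip)
        if reply:
            transcript.append(("S", reply))
    return transcript


def summarise(raw_message):
    """What the recipient's client shows versus what the relay recorded."""
    msg = message_from_string(raw_message)
    display_name, header_from = parseaddr(msg["From"])
    return {
        "display_name": display_name,                          # all many phone clients show
        "header_from": header_from,                            # chosen by the attacker
        "envelope_sender": parseaddr(msg["Return-Path"])[1],   # also chosen by the attacker
        "connecting_ip": msg["Received"].split()[1],           # the one real fact
    }


if __name__ == "__main__":
    relay = OpenRelay()
    for side, text in run_session(relay, SPOOF_SESSION):
        print(f"{side}: {text}")
    print(summarise(relay.mailbox[0]))
```

Running it prints the client/server dialogue followed by the summary: the display name and From address claim the CEO of victim.example, the envelope sender is evil.example, and the only thing the relay could vouch for is the connecting IP. SPF checks that IP against the envelope domain, which is exactly why an attacker who controls evil.example can pass SPF while the visible From header still lies.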
Spoofing via lookalike domains
Some domains are well protected with SPF, DKIM and DMARC, and direct domain spoofing then no longer works. In that case the attacker registers a lookalike domain, one that differs from the target by a character or two, for example "@faceb00k.com" instead of "@facebook.com". The difference can be small enough to go unnoticed by an unwary user.
Because the attacker owns the lookalike domain, they can publish valid SPF and DKIM records for it, so the message passes authentication and often the spam filter too. A convincing domain may be all it takes to get a user to reveal a password, transfer money or send sensitive files.
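A practical way to catch lookalike domains, added here as an example and not part of the original article: fold look-alike characters to a canonical form and compare the result, then measure edit distance against a list of protected domains for typosquats. The protected domains, the confusables table and the test inputs are assumptions of this example, and the checks are heuristics rather than a complete confusables implementation.

```python
"""Lookalike-domain detection as a mail filter or brand-protection tool does it.

Constructed example: PROTECTED holds hypothetical brand domains. Two checks:
1. homoglyph folding: characters that look alike (0/o, 1/l, rn/m, punycode
   labels and a few Cyrillic letters) are mapped to one form and compared;
2. edit distance: a domain within two edits of a protected domain is a typosquat.
Real tools use the Public Suffix List and a much larger confusables table.
"""
import unicodedata

PROTECTED = {"facebook.com", "victim.example"}

# 0->o 1->l 3->e 5->s 8->b |->l
DIGIT_HOMOGLYPHS = str.maketrans("01358|", "olesbl")
# Cyrillic a, es, ie, o, er, ha, u look like Latin a, c, e, o, p, x, y
CYRILLIC_HOMOGLYPHS = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy")
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def fold(domain):
    """Canonical form of a domain for comparison purposes."""
    d = domain.lower().strip(".")
    if "xn--" in d:                      # internationalised label: decode punycode
        try:
            d = d.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    # strip accents (e-acute -> e), then fold the confusable characters
    d = "".join(c for c in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(c))
    d = d.translate(CYRILLIC_HOMOGLYPHS).translate(DIGIT_HOMOGLYPHS)
    for multi, single in MULTI_CHAR:
        d = d.replace(multi, single)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, protected=PROTECTED, max_edits=2):
    """Return (verdict, protected domain it resembles or None)."""
    folded = fold(domain)
    for p in sorted(protected):
        if folded == p:
            # identical after folding: the real domain, or a homoglyph of it
            return ("legitimate" if domain.lower().strip(".") == p else "homoglyph", p)
        if folded.endswith("." + p):
            return ("legitimate", p)            # real subdomain, e.g. login.facebook.com
        if folded.startswith(p + ".") or ("." + p + ".") in folded:
            return ("subdomain_abuse", p)       # facebook.com.evil.example
    for p in sorted(protected):
        if edit_distance(folded, p) <= max_edits:
            return ("typosquat", p)             # facebok.com
        if p.split(".")[0] in folded.split(".")[0]:
            return ("brand_in_name", p)         # facebook-login.com
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ("facebook.com", "faceb00k.com", "facebok.com",
              "facebook.com.evil.example", "facebook-login.com", "example.org"):
        print(f"{d:28} {classify_domain(d)}")
```

The sender domain of every incoming message can be run through classify_domain against your own domains and those of your main suppliers; anything other than "legitimate" or "unrelated" deserves a warning banner or a quarantine, even when SPF and DKIM pass for it.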
Developing email spoofing
Because of the way email protocols work, email spoofing has been a problem since the 1970s. It started with spammers using it to bypass email filters. The problem became more common in the 1990s and then grew into a global cyber security problem in the 2000s.
SPF, DKIM and DMARC, the authentication standards introduced to combat spoofing and phishing, were published between the mid-2000s and 2015. Because of these protocols, many spoofed messages now land in the spam folder or are rejected before they reach the inbox.
Why create fake email addresses?
In addition to phishing, cyber criminals use fake messages for the following reasons:
- To hide the real sender's identity
- To bypass spam filters and block lists, which track sending addresses and domains. Blocking individual senders only helps a little, since the attacker simply picks a new address; blocking the sending IP addresses or networks works better
- To commit identity theft by impersonating a person and requesting personally identifiable information
- To damage the reputation of the person or organisation being impersonated
- To insert themselves into an existing conversation (a man-in-the-middle attack) and obtain sensitive data from individuals and organisations
- To gain access to sensitive data collected by third-party vendors
How does email spoofing work?
The aim of email spoofing is to trick users into believing that the email is from someone they know or trust, in most cases colleagues, suppliers or public authorities. By exploiting this trust, the attackers ask the recipient to provide sensitive information or take some other action.
As an example of email spoofing, a hacker can create an email that looks like it comes from Danske Bank. The message tells the user that their account will be suspended if they do not click on a link, approve something on the website or change the account password. If the user enters credentials, the criminal now has the credentials for the user's bank account, which can be used to steal money from the user.
More complex attacks target employees working in IT or finance and use social engineering to trick a user into sending (potentially) millions to a criminal's bank account.
To the user, a forged email message looks legitimate and they will therefore open the email. Many hackers will use elements from the official website to make the message more credible.
How to recognise fake emails?
If a forged email does not look suspicious, it will usually go unnoticed. If something feels wrong, open the message source (most clients have a "show original" or "view headers" option). The Received headers record every server that handled the message and the IP address it connected from; the hop added by your own mail server is trustworthy, while earlier hops can be forged by the sender.
The same headers usually carry the result of the Sender Policy Framework (SPF) check, which most mail platforms and security products run on arrival and record in an Authentication-Results header. A soft fail means the sending server is not on the domain's list of authorised senders, but the domain owner has asked receivers not to reject outright; depending on the recipient's setup such messages may still reach the inbox, so a soft fail is a useful warning sign of an illegitimate sender.
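The header checks described above, together with the display-name case from the section on name spoofing, as an added Python example that is not part of the original article. The two sample messages, the addresses, the address book and the Authentication-Results lines are constructed for the example; the receiving server mx1.victim.example is hypothetical.

```python
"""Header inspection for a suspicious message: what a recipient (or a mail
gateway) checks when a message "feels wrong". Constructed example; the
Authentication-Results header is the one the receiving server stamped.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name -> the address it really belongs to
KNOWN_CONTACTS = {"jane doe": "jane.doe@victim.example"}

# Sample 1: domain spoof via an open relay. Envelope and From: both claim
# victim.example, whose SPF record ends in ~all, so the check says "softfail".
DOMAIN_SPOOF = """\
Return-Path: <jane.doe@victim.example>
Received: from relay.example.net (relay.example.net [203.0.113.5]) by mx1.victim.example with ESMTP
Received: from [198.51.100.7] by relay.example.net with SMTP
Authentication-Results: mx1.victim.example; spf=softfail (sender IP is 203.0.113.5) smtp.mailfrom=victim.example; dkim=none; dmarc=none header.from=victim.example
From: "Jane Doe" <jane.doe@victim.example>
Reply-To: <payments@evil.example>
To: cfo@victim.example
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

# Sample 2: display-name spoof from a free webmail account. Every
# authentication check passes, because nothing about the address is forged.
NAME_SPOOF = """\
Return-Path: <janedoe.ceo@freemail.example>
Received: from mail.freemail.example (mail.freemail.example [198.51.100.20]) by mx1.victim.example with ESMTP
Authentication-Results: mx1.victim.example; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example
From: "Jane Doe" <janedoe.ceo@freemail.example>
To: cfo@victim.example
Subject: Quick favour

Are you at your desk? I need a payment made quietly.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(address):
    return address.rpartition("@")[2].lower()


def analyse(raw_message, contacts=KNOWN_CONTACTS):
    """Return the sender facts plus a list of human-readable findings."""
    msg = message_from_string(raw_message)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    expected = contacts.get(name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{name}' belongs to {expected}, not {from_addr}")

    env_addr = parseaddr(msg.get("Return-Path", ""))[1]
    if env_addr and _domain(env_addr) != _domain(from_addr):
        findings.append(f"envelope sender {env_addr} does not match From domain {_domain(from_addr)}")

    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"replies are redirected to {reply_addr}")

    # Results stamped by the receiving server, e.g. "spf=softfail"
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("spf") in ("fail", "softfail"):
        findings.append(f"SPF {results['spf']}: sending server not authorised for {_domain(env_addr)}")
    if results.get("dmarc") == "fail":
        findings.append("DMARC failed")
    elif results.get("dmarc", "none") == "none":
        findings.append(f"no DMARC policy published for {_domain(from_addr)}")

    # Received headers, most recent first. Only the hop your own server added
    # (the first one) is trustworthy; earlier hops can be forged by the sender.
    hops = [m.group(1) for h in msg.get_all("Received", [])
            for m in [IP_IN_BRACKETS.search(h)] if m]

    return {"from": from_addr, "display_name": name, "hop_ips": hops,
            "connecting_ip": hops[0] if hops else None, "auth": results,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("domain spoof", DOMAIN_SPOOF), ("name spoof", NAME_SPOOF)):
        report = analyse(raw)
        print(label, report["connecting_ip"], report["auth"])
        for finding in report["findings"]:
            print("  -", finding)
```

The second sample is the important one: SPF, DKIM and DMARC all pass, and the only thing that gives the message away is that the display name belongs to a different address in the recipient's own contacts. That check has to be done by the recipient or their gateway; no DNS record of the impersonated company can catch it.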
How to protect yourself from email spoofing
In principle, email spoofing cannot be prevented at the protocol level, because the Simple Mail Transfer Protocol (SMTP) on which all email rests requires no authentication of the sender. The countermeasures that exist work around SMTP: the domain owner publishes authentication records in DNS and the receiving mail server enforces them, and not every provider does both.
Security measures that mail providers and domain owners use are:
- Sender Policy Framework (SPF), a DNS record listing the servers allowed to send mail for a domain
- DomainKeys Identified Mail (DKIM), a cryptographic signature that the sending server adds to each message
- Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy telling receivers what to do when neither SPF nor DKIM aligns with the From domain
- Secure/Multipurpose Internet Mail Extensions (S/MIME), certificate-based signing and encryption of individual messages
Once configured, these checks run automatically on every incoming message. With a DMARC policy of quarantine or reject, messages that fail authentication are sent to spam or refused outright; with a policy of none they are only reported and may still reach the inbox.
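How SPF and DMARC reach a verdict, shown as an added example (not from the original article) that evaluates a weak configuration beside a hardened one. The DNS records, the domain victim.example and the IP addresses are hypothetical, and the records are passed in as strings instead of being looked up in DNS; the organisational-domain rule is simplified to the last two labels, which real DMARC evaluators replace with the Public Suffix List.

```python
"""SPF and DMARC evaluation for a weak and a hardened domain configuration.

Constructed example. Only the ip4/ip6/all SPF mechanisms are handled; a, mx,
include and exists need DNS and are treated as non-matching here.
"""
import ipaddress

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Result of evaluating an SPF TXT record for the connecting IP."""
    if not record.startswith("v=spf1"):
        return "none"                       # no record: nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]  # ~all -> softfail, -all -> fail
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_QUALIFIERS[qualifier]
    return "neutral"                        # RFC 7208 default when nothing matches


def parse_dmarc(record):
    """Tags of a DMARC TXT record, or None if there is no valid record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"),
            "adkim": tags.get("adkim", "r")}


def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC uses the
    # Public Suffix List, so co.uk-style suffixes are not handled here.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(spf_record, dmarc_record, sender_ip, mail_from_domain,
             header_from_domain, dkim=("none", "")):
    """Combine SPF and DMARC the way a receiving server does.

    dkim is (result, signing domain); verifying the DKIM signature itself
    needs the message and the public key, so the result is passed in.
    """
    spf = check_spf(spf_record, sender_ip)
    policy = parse_dmarc(dmarc_record)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    spf_ok = spf == "pass" and aligned(header_from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(header_from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "action": "deliver"}
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return {"spf": spf, "dmarc": "fail", "action": action}


# Weak: softfail and a monitoring-only policy; spoofed mail is still delivered.
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@victim.example"
# Hardened: hard fail and reject; the same spoof is refused at the border.
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@victim.example"


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, "legitimate:", evaluate(spf, dmarc, "192.0.2.25", "victim.example", "victim.example"))
        print(label, "spoofed:   ", evaluate(spf, dmarc, "203.0.113.5", "victim.example", "victim.example"))
```

With the weak records the spoofed message gets "softfail" and a DMARC "fail", yet the action is still "deliver" because p=none only asks for reports; the hardened records turn the same message into a hard SPF fail and a reject. Start with p=none to collect reports, then move to quarantine and reject once every legitimate sender is covered by SPF or DKIM.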
As a regular user, you cannot stop others from spoofing, but you can reduce your exposure by choosing a provider that enforces SPF, DKIM and DMARC and by practising good security hygiene:
- Use disposable or alias addresses when registering on websites. If the site is breached, your main address does not end up in the leaked lists that attackers use to send fake emails en masse.
- Use a strong, unique password for your email account. That makes it harder for criminals to take over the account and use it to trick people who know you.
- The best protection is to scrutinise the emails you receive, especially when someone asks you to click a link, open an attachment or make a payment. Fake emails made by professional attackers can be almost identical to real ones, so check the actual sender address rather than just the name, and verify unusual requests through another channel.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.