Email spoofing refers to a technique cybercriminals use to make fraudulent emails appear as if they came from a known, trusted entity. Attackers purposely alter parts of the email to make the message seem as though it was authored by someone else. Used in spam and phishing attacks, this method is highly effective because it exploits a vulnerability within the Simple Mail Transfer Protocol (SMTP). The SMTP used by email systems to send, receive, or relay outgoing emails, does not have a mechanism to authenticate email addresses.
With SMTP, cybercriminals can manually change the “To” and “From” addresses—an essential element of spoofing. This means that an attacker can disguise their sender address and make the message look like it came from a vendor, a high-level manager, or a trusted co-worker. By impersonating someone the user might know and trust, cybercriminals can obtain sensitive information or login credentials from recipients.
Common Types of Email Spoofing
Look-Alike Domain Spoofing
Look-alike domain spoofing happens when a cybercriminal impersonates an organization with a domain that looks similar to the one that the targeted company uses. These look-alike domains can have one letter missing from the domain name, or they can have a correctly spelled domain name that comes with a different extension, such as .net or .biz.
In August 2019, UK charity, Red Kite Community Housing, was the victim of this type of attack. Cybercriminals found out the names of individuals at a vendor that did work for the charity. They bought a look-alike domain and impersonated some of the vendor’s employees. The cybercriminals used sophisticated social engineering tactics to get employees at the charity to wire them nearly £1M. Red Kite Community Housing said it had procedures in place to verify changes to payment information. However, its employees by-passed the procedures and failed to catch the error before the money changed hands.
Display Name Spoofing
Display name spoofing occurs when a bad actor uses a fake display name to impersonate an individual or business. Many email programs only show the display name from an email sender, and the recipient can easily be fooled that the message is legitimate. Most email programs allow recipients to open the display name and see the email address that is behind the message. The address can be completely unrelated to the impersonated company, which is a giveaway that the message is fraudulent. However, the email address behind the display name can also be similar to the domain of the impersonated company. In these cases, it's much harder for an email recipient to detect that the message isn't legitimate.
Legitimate Domain Spoofing
Legitimate domain spoofing happens when a bad actor simply inserts the impersonated company's domain into the "From" section of an email. The cybercriminal actually sends the email message from another address, but recipients won't recognize this unless they check the email headers and trace the message's SMTP path across email servers.
The Impact of Email Spoofing
Email spoofing impacts most companies in the same ways but in varying degrees, depending on the motive of the cyberattack.
The need to cultivate and keep strong professional relationships is paramount to all organizations. Spoofed emails can quickly erode these relationships since email recipients will doubt whether an organization’s emails are legitimate or not. If a company’s valuable clientele keeps getting fraudulent emails in that company's name, they are less likely to open legitimate emails, especially those that encourage them to take important actions.
Since 2016, email spoofing and phishing attacks have cost the world an estimated $26 billion. By combining spoofing and social engineering methods, cybercriminals can trick employees into giving up personal information, clicking a malicious link, or opening a malware-laden attachment. They can then threaten to publish, block, or corrupt data unless the target company pays a ransom.
Spoofing attacks can lead to costly ransomware attacks. It's not uncommon for companies to lose significant operational time before a ransomware attack is discovered and cybercriminals are paid. This also equates to lost revenue.
One of the highest costs of email spoofing is all the personal credentials that can be stolen, including usernames, passwords, and bank information. If bad actors have this information, they can gain access to even more personal information, corporate data, or even intellectual property. The consequences can be particularly devastating for a company that relies on proprietary data and intellectual property for its existence.
How to Protect Organizations against Email Spoofing Attacks
1. Protecting against Inbound Spoofing Attacks
Guarding one’s organization against inbound spoofing means making sure that fraudulent emails never make it to company inboxes. The following solutions and protocols can help organizations mitigate the risk of inbound spoofing attacks.
- Traditional Email Security Controls
Traditional and cloud-based email systems have built-in safeguards to identify and quarantine emails that contain malicious links or attachments. When properly configured, these systems block certain malicious emails automatically.
- Identity-Based Protection
While traditional email systems block basic spoofed emails, they are insufficient against highly targeted, social engineering email attacks. Advanced security tools are able to analyze every message flowing into and within the organization, and flag anything outside the parameters of typical interactions as a potential threat. These machine-intelligent security solutions can defend against low volume, highly targeted identity deception-based attacks, no matter their source.
Bad actors are always looking for ways to overcome the latest security tools. However, many threats can still be foiled by detailed cybersecurity procedures. To minimize email spoofing risk, organizations should set aside time and budget to train employees about the latest threats in their industry and how to detect them in real-life scenarios.
2. Protecting against Outbound Spoofing Attacks
To prevent having their emails spoofed in attacks against customers, vendors, partners, or the general public, companies can adopt several email authentication protocols.
Sender Policy Framework (SPF) is a protocol that allows companies to specify which IP addresses are approved to send on their behalf. During SPF checks, the mail server can verify whether the sender’s IP address is on the approved list and validate the sender’s domain found in the SMTP envelope.
- DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM) uses asymmetric encryption to add a digital signature, or a private key, to every outgoing message that’s linked to a specific domain name. When receiving servers receive an email with such a signature in the header, the server—which hosts the domain and holds the public key—verifies if the incoming email message was actually sent from an authorized domain.
- Domain-Based Message Authentication, Reporting, and Conformance
Domain-Based Message Authentication, Reporting, and Conformance (DMARC) is an industry standard that checks the domain in an email’s “From” header to verify if it is a DKIM-SPF-authenticated domain. If the message fails authentication, DMARC flags it and can also provide instructions on how to properly get rid of the unauthorized emails.
As spoofed emails are designed to be as deceptive as possible, organizations should make spoofing prevention a baseline requirement. Employee training for phishing email detection should be augmented with the right security protocols and a reliable email security solution that stops fraudulent emails from reaching employee inboxes.
To find out more about how you can protect your organization against email spoofing attacks, download for free The Clear & Complete Guide to Smarter Email Security: