The Skysnag Blog
What is Email Spoofing?
Email spoofing is the creation of email messages with a forged sender address. This indicates that the message looks to have originated from a source other than the one intended. In phishing and spam campaigns, email spoofing is commonly used to make it more difficult for recipients to identify the genuine sender and avoid opening the email. Spoofing attacks alter email headers to make it appear as if the message came from a different sender. This can be accomplished by altering the From field or other header elements.
Email spoofing is possible due to:
- Lack of authentication: There is no standard way to authenticate the sender of an email message. This means that it is possible for someone to send an email with a forged sender address.
- Domain spoofing: Domain spoofing is a type of email spoofing that involves forging the domain name of the sender. This can be done by changing the From field or other parts of the email header.
- SMTP relay: SMTP relay is a method of email delivery that allows messages to be sent from one server to another. This can be used to send email messages with a forged sender address.
History of email spoofing
Email spoofing has been used since the early days of email. In 1978, two engineers at Digital Equipment Corporation used email spoofing to send a message to the president of the company, pretending to be from the CEO. In the 1990s, email spoofing was used by spammers to send unsolicited commercial emails (UCE). In 2001, the Melissa virus used email spoofing to spread itself. In 2003, the SoBig virus used email spoofing to spread itself. In 2007, the Storm worm used email spoofing to spread itself.
How email spoofing works
Email spoofing works by forging the sender address of an email message. This can be done by changing the From field or other parts of the header.
When email spoofing is used in phishing campaigns, the attacker will often send emails that appear to come from a legitimate company or website. The email will usually contain a link that leads to a fake website that is designed to steal the recipient’s login credentials.
Paypal spoofing example
In 2018, there was a widespread email spoofing campaign that targeted PayPal users. The emails claimed to be from PayPal and said that the recipient’s account had been suspended. The email directed the recipient to click on a link to reactivate their account. However, the link led to a fake website designed to steal the user’s PayPal login credentials.
This campaign was successful because it used email spoofing to make the emails appear to come from a legitimate source. The email also used persuasive language to trick the recipient into clicking on the link.
Ways to avoid falling victim to Spoofing attacks
It is important to be suspicious of unsolicited emails. If an email looks suspicious, do not click on any links or attachments. Instead, contact the company directly to confirm that the email is legitimate.
An attacker can programmatically send messages using basic scripts in any language that configures the sender address to an email address of choice. Email API endpoints allow a sender to specify the sender address regardless of whether the address exists. And outgoing email servers can’t determine whether the sender’s address is legitimate.
Email servers use Simple Mail Transfer Protocol (SMTP) to send and receive messages. When you click “Send” in your email client, the message goes to the SMTP server configured in your client software. The SMTP server then looks up the recipient’s domain and routes the message to that domain’s email server. The recipient’s email server then delivers the message to the right inbox.
Every time an email message travels from one server to another across the internet, the IP address of each server is logged and included in the email headers. These headers show the true route and sender, but many people don’t look at them before interacting with an email sender.
The three main parts of an email are:
- The sender address
- The recipient address
- The body of the email
An attacker can easily forge the sender address of an email to make it seem like it came from a legitimate source. Email servers do not validate the sender’s address, so the message will still be delivered even if the address is fake. This can be used in phishing attacks to make the email seem like it came from a trusted source. The attacker can also use the Reply-To field to specify where replies should be sent, which can be another email address that they control.
This email has a FAIL status in the Received-SPF field, which is the best indicator that it’s a spoofed email. The email address in the From sender field is supposedly from Bill Gates (firstname.lastname@example.org). However, the email was originally handled by the email server email.random-company.nl, which is the first clue that this is a case of email spoofing. The best field to review in these email headers is the Received-SPF section.
SPF is a security protocol that was set as a standard in 2014. It works in conjunction with DMARC to stop malware and phishing attacks.
SPF can detect spoofed emails, and it’s become common with most email services to combat phishing. But it’s the responsibility of the domain holder to use SPF. A domain holder must configure a DNS TXT entry specifying all IP addresses authorized to send an email on behalf of the domain in order to use SPF.
With this DNS entry configured, recipient email servers look up the IP address when receiving a message to ensure that it matches the email domain’s authorized IP addresses. If there is a match, the Received-SPF field displays a PASS status. If there is no match, the field displays a FAIL status. Recipients should review this status when receiving an email with links, attachments, or written instructions.
Email Spoofing Statistics
- 3.1 billion spoofed emails are sent each day. This amounts to approximately one spoofed email for every 2 people on the planet. The study also found that the majority of these spoofed emails are sent from malicious actors in China and Russia.
- Email spoofing and phishing have had a worldwide impact costing an estimated $26 billion since 2016. In the United States, the FBI reported that over $12 billion was lost to email scams and cybercrime in 2019 alone.
A common attack that uses email spoofing is business email compromise (BEC). This is where cybercriminals spoof an email from a high-level executive within an organization in order to request a wire transfer or access sensitive information.
The number of email spoofing attacks is only expected to rise in the future as cybercriminals become more sophisticated in their methods.
There have been many high-profile examples of email phishing scams in recent years. Here are some of the most notable cases:
- In 2016, the Democratic National Committee (DNC) was the victim of a phishing attack that resulted in the release of over 20,000 emails.
- In 2017, a phishing attack on the UK’s National Health Service (NHS) led to the cancellation of over 19,000 appointments.
- In 2018, Google disclosed that it had been the target of a phishing attack that affected over a million users.
- In 2019, the city of Baltimore was hit by a ransomware attack that originated from a phishing email. The attack crippled the city’s computer systems and caused over $18 million in damages.
- In 2020, the personal information of over 100 million people was exposed in a data breach at the credit reporting agency Equifax. The breach was the result of a phishing attack on one of Equifax’s employees.
How to protect from email spoofing
There are a few steps that you can take in order to protect yourself from email spoofing attacks:
- DMARC stands for Domain-based Message Authentication and Reporting, and it is an email authentication standard that can be used to prevent email spoofing. Email senders can use DMARC to describe how their email should be handled if authentication fails.
- SPF (Secure Sender Policy Framework) is an email authentication standard that can be used to prevent email spoofing. Email senders can use SPF to indicate which servers can send emails on their behalf.
- Use a reliable email service: Reputable email services will usually have anti-spoofing features in place.
- Unsolicited emails should be treated with caution, even if they appear to come from a reliable source. If an email appears to be suspicious, do not open it or click any of the links or attachments.
- Do not respond to emails that want personal or financial information. This type of information will never be requested by email by a legitimate company.
- Keep your anti-virus software up to date, and scan your computer on a regular basis. This will aid in the detection and removal of any dangerous software that has been installed as a result of opening a phishing email.
- On your email account, enable two-factor authentication. This will add an extra layer of security to your account, making it more difficult for fraudsters to access it.
- Any questionable emails should be reported to your email provider and the police. This will help others avoid becoming victims of the same fraud.
- Configure your domain’s email authentication mechanisms.
Skysnag automates DMARC, SPF, and DKIM for you, saving you the trouble and time required for manual configuration. Unlock insights, bypass email authentication configuration issues including SPF and DKIM; and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Get started with Skysnag and sign up using this link for a free trial today and maintain a healthy domain name.
Enforce DMARC, SPF and DKIM in days - not months
Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.