The FBI’s Internet Crime Complaint Center (IC3) received an average of 2,000 cybercrime complaints per day with reported losses topping $4.1 billion in 2020. $216.51 million of these losses were the result of email spoofing. So, what is email spoofing? Let’s learn more about it.
One of the most common tactics cybercriminals use to trick or manipulate people is email spoofing. Spoofing means presenting something or someone as another legitimate entity to establish authority and gain leverage. The eventual goal of spoofing is often to dupe victims for financial gain. Of course, spoofing can occur through multiple means: emails, phone calls, SMS text messages, domain spoofing, and even app spoofing. But the one we’re going to focus on here today is email spoofing specifically.
The number of spoofing email attacks is increasing every year, causing irreparable damage to victims. The IC3 observed that emails spoofed, which makes emails look like they came from CFO, CEO, lawyers, or vendors, is frequently used to target business enterprises. It’s a tactic that’s commonly used in business email compromise (BEC) scams. Data from the IC3’s 2020 Internet Crime Report shows that BEC scams had a huge impact with 19,369 complaints resulting in $1.8 billion in total adjusted losses.
Considering these numbers and how fraudulent emails can affect businesses, it’s crucial that you understand email spoofing and take appropriate steps to prevent this tactic from being successfully used against your organization. Let’s break it all down.
What Is Email Spoofing?
When someone uses email to fraudulently represent themselves as another legitimate entity, this is an example of email spoofing. In a more technical sense, email spoofing about fabricating false email sender information to trick people into believing fraudulent emails are authentic.
Here’s a great video that quickly explains email spoofing:
On February 10, 2021, the IRS (Internal Revenue Services) released an official warning to alert tax professionals about a scam targeting them. The spoofing emails were supposedly sent from “IRS Tax E-Filing” and carried the subject line “Verifying your EFIN before e-filing.” The IRS also warns not to take any steps mentioned in the email especially responding to the said email.
Here’s an excerpt from one of these dodgy emails:
“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file.
Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed in order to complete the verification process. Email: (fake email address)
If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.”
This is a textbook example of a phishing email. Some of the red flags that tell you the email is fraudulent are:
- The email address of the sender is spoofed.
- It uses urgent language to push you to take rash actions.
- The “reply to” email address is different from the sender’s email address.
- It threatens you with penalties if you do not take immediate action.
- The email claims to be from IRS but asks for information (and sometimes copies of documents) that the IRS would already possess.
Of course, we’ve already written an article that covers how to tell if an email is fake or real and invite you to check that one out as well for additional information.
How Does Email Spoofing Work?
There are multiple ways that cybercriminals can spoof emails.
1. Spoofing the Sender’s Display Name
This is the most basic and most common form of email spoofing. It requires the sender to merely change their email display name. On a cursory glance, the recipient will believe that the email is from a legitimate sender. However, if they check the sender’s email address, the scam will fall apart as the email address won’t match the sender’s name or company.
This type of email spoofing is super easy and doesn’t require the attacker to know any kind of computer programming to carry out this scam. Also, the popularity of this scam is rising because it’s so cheap and easy to do. Bad guys will require just a few innocent victims to fall for their farce.
Here are a couple more examples of this type of email spoofing:
2. Spoofing the Domain Name:
Domain name spoofing involves scammers creating email addresses that are associated with domains that are similar to that of the organization they’re impersonating. Much like typosquatting tactics, cybercriminals use basic tricks to make email addresses look legitimate to people who aren’t paying attention or are rushing. A few examples include:
- Swapping “in” in place of the letter “m,”
- Using “1” instead of “l,”
- Replacing “o” in place of “o,” or
- Adding extra numbers, characters, or words to email domains.
Suppose, for example, the name of a legitimate courier agency is Safe Express, and their domain name is safeexpress.com. If bad guys want to use email spoofing to impersonate the company to scam their clients, they can create a dodgy domain safexpress.com that looks incredibly similar and use it to send out phishing emails.
Here’s an example of domain spoofing using an email from Nextdoor:
The first image (left) shows how the email appears when you receive the email if you don’t click the arrow to expand the sender’s email information. The second screenshot (middle) is an example of a legitimate email from Nextdoor — notice how the email comes from an address that ends in “@hs.email.nextdoor.com.” The third screenshot (right) is an example of a spoofed domain that looks very convincing. There’s an extra “r” at the end of “nextdoor” before the “.com.”
3. Creating an Email Using a Genuine Domain
Despite being a less common form of spoofing, it is perhaps the most terrifying one. The email looks like it has come from a genuine person as the domain name on the sender’s address is legitimate. This vulnerability is not left open anymore as most companies use Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) in their DNS setting to prevent any unauthorized person from using their domain name for spoofing. These protocols are explained later in the article.
4. Email Spoofing for BEC Scams
Business email compromise, or BEC, is usually done by spoofing the email sender’s information to look like the email has come from the CEO or the CFO of the company. This type of email scam will often involve directing the recipient to transfer a huge amount to a bank account belonging to the attacker. As the email looks like it is from the victim’s boss, the employee may comply with the directions in the email without asking many questions.
Some scammers have also managed to impersonate the CEOs of enterprises to ask employees to donate to a charity. Needless to say, the said “charity” here is to the bank account of the attacker.
What Makes Emails Vulnerable to Spoofing?
The principal vulnerability that makes email spoofing possible is the lack of authentication in Simple Mail Transfer Protocol (SMTP). Although authentication protocols to prevent mail spoofing exist, they’re not widely adopted. According to the results of a 2018 academic study, only 40% of Alexa’s top 1 million domains had SPF and only 1% had DMARC. This leads to an increased risk of cyber attacks, including:
- Phishing attacks,
- Malware infiltration in their IT systems, and
- Ransomware attacks.
How to Prevent an Email Spoofing Attack
If the spoofing attacks are so hazardous, there should be something we can do to put a check on them, right? Email service providers like Google’s Gmail and Microsoft’s Outlook have built-in systems that help to prevent email spam and junk emails from coming through to your inbox. The recipient is alerted to receiving potential spam or a spoofed email.
Everyone should always be vigilant before opening any emails marked as spam. Although some legitimate emails might not pass the security test and end up in the spam folder, in most cases, the email service providers are right in their threat detection.
But having said that, relying on your email service provider’s security measures alone is not enough. They’re not perfect, after all, and spoofed emails might find a way into your inbox without their knowledge.
That being said, certain protocols exist that you can use to prevent email spoofing attacks from using your domain. And if you use these protocols as part of your email security protections, then you can curb these attacks and prevent someone from sending phishing emails on behalf of your brand and domain.
In this section, we’ll cover three email protocols you can implement now. We’ll also share two other things you can do to add additional layers to your email security defenses. Of course, it’s important to mention that they must be properly implemented and configured for these protections to do you any good. We’re not going to get into the technical “how-to” or implementation aspect of these tools. But what we will cover is what each of these email security methods is and how it improves email security for your organization and its external recipients, too.
Sender Policy Framework (SPF)
SPF is a protocol designed to communicate which servers or IP addresses (both internal and external) are authorized to send emails on behalf of a particular domain. This is done using domain name system (DNS) records, which basically lets recipients’ email clients know the email came from you.
So as long as an email originates from one of the IP addresses included in the DNS record, it’ll be viewed as OK. If the IP address comes from a different IP address that isn’t in the DNS record, then it’ll be blocked.
As the owner of your company’s domain, you can enable SPF by creating one or more DNS TXT records. This allows you to authorize certain IP addresses to send emails on behalf of your domain while prohibiting anyone else from doing so. If a scammer sends an email from your domain name, the SPF will identify the IP address and warn the recipient’s email server of a possible scam.
Domain Keys Identified Mail (DKIM)
In the simplest sense, DKIM is all about helping your domain establish trust with your recipients’ email servers. Domain keys identified mail helps to prevent spoofing by applying a digital signature to email headers for all outgoing messages on a domain. This allows recipients’ mail servers to detect whether messages coming from that domain are from one of its legitimate users or if the sender’s information has been faked.
What DKIM doesn’t do, though, is encrypt email data. However, it does ensure message integrity. It does this by using a checksum to prove to a recipient’s email server that the message hasn’t be altered after it was sent.
Although DKIM does not filter emails, it certainly helps to reduce your email domain’s spam score. If the DKIM signature cannot be verified, the email can be sent to spam to warn the recipient.
To implement DKIM, you need to modify your server as the sender. The sender creates cryptographic public and private keys, installs them on their server, and creates a DNS TXT record that contains the public key. The outgoing messages are signed by using the private key. The recipient of the email can use the public key to verify the authenticity of the email.
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is a protocol that informs email recipients that emails from its domain either or both SPF and DKIM to help them determine whether their messages are legitimate. This way, it knows that if the authentication passes, the email should be legitimate and the user is good to go to trust it. But if the authentication fails, it tells the recipient to reject or junk the message.
Something else that DMARC does is let the recipient’s server know what the sender recommends in the event of failed authentication. As the sender, for example, you can specify if you want the recipient to:
- Give no special treatment to the emails that fail authentication;
- Send non-authenticated emails to the spam folder;
- Reject such emails before they reach the recipient’s client; and/or
- Send an email to the sender about passed or failed DMARC authentication.
Check out this great video from Cisco that breaks down what DMARC is:
Email Signing Certificates
Email signing certificates, also known as S/MIME certificates, are what you as a sender can use to digitally sign your emails. This type of X.509 digital certificate allows your recipients to verify whether the email was sent by you (not an imposter) and that it hasn’t be altered in any way since you sent it. It also encrypts messages that are shared between two S/MIME certificate users. (You just have to get a copy of the recipient’s public key before you can start sending encrypted emails.)
The fundamental purpose of an email signing certificate is to:
- Authenticate the email sender,
- Encrypt email message (when corresponding with other S/MIME certificate users), and
- Ensure message integrity.
Increasing Your Organization’s Cyber Hygiene a Through Awareness Training
Is it enough to employ all the above measures for a fool-proof system? The answer is no. Every day, cybercriminals come up with new spins for old attack methods as well as entirely new attack methods to try to breach our defenses. As such, we must be proactive and mindful of every task we carry out to keep them at bay.
Training your employees about cyber hygiene is critical to supporting your overall cybersecurity efforts and for increasing employees’ knowledge. After all, it only takes one wrong click from an employee for a full-fledged cyber attack or data breach. Some important topics that all cyber awareness trainings should cover include:
- Common phishing scams and tactics (including examples of email spoofing and social engineering),
- Other types of cyber attacks,
- Account and password security methods,
- General cyber security best practices, and
- What they should do when they experience or suspect a cyber attack or breach.
Always remember, training is not a one-and-done deal. Refresher courses on cyber security awareness must be carried on regularly to ensure that they are aware of the most current threats. Recent cyber attacks on other companies should be discussed with the employees so that they have information about how they were carried out and how they could have been prevented.
Cyber security-themed quizzes, games, puzzles, and online games are also fun and engaging ways to increase your employees’ cyber awareness. Building your defenses against cybercriminals to protect yourself should be your priority.
Final Words On Email Spoofing
Now that you understand what email spoofing is, you can realize that the best way to prevent such attacks is to raise awareness among your employees and staff members about it. Not opening dodgy emails, not clicking on the attachments or the links, and not even replying to such emails can go a long way to protect you against email spoofing attacks.
You also need to be willing to take technical steps to prevent someone from using your domain as part of their email spoofing campaigns. As you discovered, this means using DNS records in conjunction with protocols like SPF, DKIM and DMARC to your full advantage.
