Email spoofing is a type of cyber attack that uses emails with forged sender addresses. Because the recipient trusts the alleged sender, they are more likely to open the email and interact with its contents, such as a malicious link or attachment.

How does email spoofing work?

Email spoofing does not hack a sender’s account. It only makes an email appear as if it is coming from the sender. The difference is that, if a sender’s account were actually hacked, the spoofer could gain access to the person’s contacts or use the account to spam people, thereby causing a drop in email reputation. Email reputation is a measurement that affects deliverability.

• Masking identity – A spoofed email is anonymous. Hackers sometimes use spoofed emails to mask their identity and pre-establish trust with the user by appearing to be from a reputable organization or person.
• Avoid spam filters – Hackers use spoofed emails as a means to get around email spam filtering. When an email is spoofed, it is unlikely to be caught in spam filters, and may often look like an email you get every day.
• Identity theft – When the spoofed email appears to be trustworthy, many unsuspecting users send personal information and credentials to hackers. For example, hackers may ask for healthcare information or identity verification.

Phishing

Most email spoofing attempts lead to phishing attacks. A phishing email can appear to be from your bank, employer, or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.

The hacker could steal existing account credentials, deploy ransomware, or acquire enough information to open a new fraudulent account.

How to identify a spoofed email

• The displayed sender name does not match the email address.
• The information in the email signature, such as the telephone number, doesn’t align with what is known about the sender (i.e., the sender is located in California but the phone number in the sig file has a Massachusetts area code).
• Check the email header for the RECEIVED line. It should match the email address that is displayed in the email.
• Check the email header for RECEIVED-SPF. It should say Pass. If it says Fail or Softfail, the email may have been spoofed.
• If the organization is using DKIM and DMARC, the AUTHENTICATION-RESULTS will show whether the email passed the requirements of those protocols.