Email Spoofing Overview
In this article we'll go over a very common phishing technique used by scammers called "Email Spoofing". Email spoofing is one of the most common techniques used in phishing attacks and scam campaigns. Before getting into specifics, we need to cover the following terms:
Phishing: A fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by impersonating a trustworthy entity.
Email Spoofing: The act of disguising an email message as coming from a different source.
How Email Spoofing Works
Scammers manipulate "Email Headers" to make their malicious email appear as if it's coming from a trusted source, like a bank, online retailer, or a friend or family member. Often, the scammer will also include images, pictures, and logos to make the email appear as legitimate as possible.
Email Header: A hidden section of an email that contains technical information about the message. It includes details about the sender, recipient, the email's journey through different servers, and other technical information.
Important: Some scammers may even manipulate their malicious email to make it appear as if it originated from your own personal email address. These scammers will usually claim they have "hacked" your personal email. Most of the time this isn't true, but you should still take the time to review your account security and make sure there are no login attempts you don't recognize.
The end goal for a spoofed email can vary, but this deception can trick victims into clicking on malicious links, downloading harmful attachments, or revealing sensitive information.
The section below will go into some technical detail on how scammers edit email headers. Feel free to skip to the non-technical section if technical details don't interest you.
Email Headers: Technical
A typical email client (such as Gmail) automatically fills in the "Sender Address" when a user composes a new email message. But a scammer can send messages programmatically, using a basic script in any language, and set the sender address to whatever address they choose. Email API endpoints allow a sender to specify the sender address regardless of whether that address exists, and outgoing email servers can't determine whether the sender's address is legitimate.
Outgoing email is relayed and routed using the Simple Mail Transfer Protocol (SMTP). When a user clicks "Send" in an email client, the message is first sent to the outgoing SMTP server configured in the client software. That SMTP server identifies the recipient's domain and routes the message to that domain's email server, which then delivers it to the corresponding user's inbox.
For every "hop" an email message takes as it travels across the internet from server to server, the IP address of each server is logged and included in the email headers. These headers divulge the true route and sender, but many users do not check headers before interacting with an email sender.
The three major components of an email are:
- The sender address
- The recipient address
- The body of the email
Another component often used in phishing is the "Reply-To" field. The sender can set this field freely and use it in a phishing attack. The reply-to address tells the recipient's email client where to send a reply, which can be different from the sender's address. Again, email servers and the SMTP protocol do not validate whether the email is legitimate or forged. It's up to the user to notice that the reply is going to a different recipient than expected.
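To make the two header checks above concrete (the Received: route in the headers versus the claimed sender, and a Reply-To: that points somewhere other than the From: address), here is a small header triage script. It is an added example, not code from the original article; the message it parses is a constructed sample using reserved example domains and addresses, and the domain names and function names are my own choices.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real message). The From: header names the bank, the
# Reply-To: header points at a look-alike domain, and the Received: chain, read
# bottom-up because every server prepends its own line, shows the message never
# passed through a bank.example server.
SAMPLE = """\
Received: from relay.bulk-sender.example ([203.0.113.5]) by mx.inbox.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.7] by relay.bulk-sender.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: Bank Customer Support <support@bank.example>
Reply-To: Bank Customer Support <support@bank-help.example>
To: victim@inbox.example
Subject: Urgent: verify your account

Please confirm your details today.
"""

def address_domain(header_value):
    """Lower-cased domain of the address in a From:/Reply-To: header ('' if absent)."""
    _display_name, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def received_hops(msg):
    """Hosts each Received: line says the message came 'from', first hop first.
    Only lines added by servers you trust are reliable: a sender can forge the
    lines below its own first honest relay, so read the chain top-down from your side."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        match = re.match(r"\s*from\s+(\S+)", str(line))
        if match:
            hops.append(match.group(1).strip("[]()"))
    return hops

def analyze(raw):
    """Parse a raw message and return the header facts plus a list of red flags."""
    msg = message_from_string(raw, policy=default)
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    hops = received_hops(msg)
    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain and not any(h == from_domain or h.endswith("." + from_domain) for h in hops):
        flags.append(f"no Received hop from {from_domain}; route was {' -> '.join(hops)}")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "hops": hops, "flags": flags}

if __name__ == "__main__":
    for flag in analyze(SAMPLE)["flags"]:
        print("RED FLAG:", flag)
```

A message with no Reply-To: header and a Received: line from the claimed domain produces no flags, so the script only highlights the mismatches the text describes.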
Email Headers: Non-Technical
You can think of an email like a letter. When you send a letter, you put your return address on it. With email, there's a similar "from" address. But unlike a letter, it's easy to fake this address. Scammers and cyber-criminals can make it look like their email is from your bank or a popular store to fool you.
Emails travel through many computers (called servers) before reaching you. Each server stamps the email like a postmark, but this doesn't prove who actually sent the email. It's like a letter going through different post offices; the postmark shows where it went, but not who wrote it.
What Should You Do?
As a non-technical person, the easiest thing you can do is learn to recognize potential "red flags". These include:
Urgent Requests: Demands for immediate action, often involving money or personal information.
Poor Grammar or Spelling: Mistakes that seem unusual for the sender.
Generic Greetings: Lack of personalization, like "Dear Customer" instead of your name.
Suspicious Links or Attachments: Links that look odd or attachments with unexpected file types.
Unexpected Sender: An email from someone you don't know or a company you don't usually deal with.
Email Address Mismatch: The name shown might be familiar, but the email address doesn't match.
Something "feels" off: Trust your gut. If an email feels strange or suspicious, it probably is.
If you detect one or more of these red flags, delete the email without clicking on any links or opening any attachments.
Remember: Legitimate businesses won't ask for sensitive information through email. If you're unsure about an email, contact the company DIRECTLY using a verified phone number or website.
Preventing Email Spoofing
Unfortunately, for the average user there really isn't a solid solution for preventing email spoofing altogether. While there are several third-party software solutions, these solutions are typically priced and designed for large enterprise businesses.
The best thing you can do is learn to recognize the red flags we've listed above and stay vigilant.