What is email spoofing?
Email spoofing is the fabrication of an email header in hopes of tricking the recipient into believing the email came from a different source. Because core email protocols do not have a built-in authentication method, spam and phishing emails commonly use spoofing to trick the recipient into trusting the sender.
The ultimate goal of email spoofing is to get recipients to open and possibly even respond to a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems and sometimes pose a real security threat.
An example of a spoofed email would be a message purporting to be from a well-known retail business asking the recipient to provide personal information like a password or credit card number. The fake email might even ask the recipient to click on a link offering a limited-time deal, which is actually a link to download and install malware on the recipient’s device.
Key points
- Email spoofing is the process of impersonating a trusted email sender address with the goal of masking a cybercriminal’s identity.
- Simple Mail Transfer Protocol (SMTP) lacks email authentication, making it easy for cybercriminals to spoof sender email addresses.
- Spoofing is not to be confused with phishing. Spoofing focuses on masking the sender’s identity, while phishing focuses on obtaining private information.
- Email spoofing is a tactic used in most phishing attacks.
- There are many signals end users can look for to spot spoofing emails. Educating employees on those warning signs is often the best line of defense against these attacks.
History of email spoofing
By exploiting core email protocols’ lack of built-in authentication, cybercriminals devised an efficient way to use spoofing to trick recipients into trusting an email’s origin. This practice dates back to the 1970s, when hackers exploited vulnerabilities in email protocols that lacked authentication.
However, email spoofing didn’t take off until the 1990s, when spammers began using it to bypass filters. By the 2000s, it had become a global cybersecurity threat.
Today, security protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) help combat email spoofing. Despite these efforts, email spoofing remains a significant issue. It remains a primary vector for business email compromise (BEC) scams and phishing attacks, with Google blocking nearly 100 million phishing emails daily.
What’s the difference between spoofing and phishing?
Phishing is a social engineering attack in which cybercriminals attempt to trick individuals into revealing sensitive information by posing as a legitimate entity, typically through fraudulent emails or websites. Spoofing is a technique used to disguise the sender's identity or origin. It’s a common tactic in phishing and other attacks.
Here’s a side-by-side look at how phishing and spoofing compare:
Characteristic | Phishing | Spoofing |
---|---|---|
Why is it effective? | Deceives humans | Deceives computers and systems |
The ultimate goal | To obtain sensitive information (e.g., passwords, financial data) | To mask the attacker’s identity |
How does it infiltrate? | Technical manipulation | |
What’s its focus? | Intent concealment (to appear legitimate) | Identity concealment (to appear as if the message is from a trusted source) |
Example | Fake login pages to a bank or social media account | Forged email headers to impersonate a known sender |
How email spoofing works
Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) does not provide a mechanism for address authentication. Although email address authentication protocols and mechanisms have been developed to combat email spoofing, adoption of those mechanisms has been slow.
The email spoofing process typically involves the following steps:
- The attacker creates an email with a forged sender address.
- They use an SMTP server that doesn't require authentication or their own SMTP server.
- The email is sent through this server, which doesn't verify the authenticity of the sender's address.
- The receiving server processes the email based on the information in the headers, which appear legitimate.
While authentication protocols like SPF, DKIM, and DMARC have been developed to prevent spoofing, their adoption has been gradual. These protocols work by allowing domain owners to specify which mail servers are authorized to send emails on their behalf and providing cryptographic signatures to verify the sender's identity.
Example: Let's say an email spoofer wants to assume the identity of a bank. They might create an email with the following header information:
```text
From: customerservice@legitbank.com
To: victim@email.com
Subject: Urgent: Account Security Update
```
The attacker then sends this email through an SMTP server that doesn't authenticate the sender. When the victim receives the email, it appears to come from their bank's customer service department. The message might contain a phishing link or request sensitive information, exploiting the trust associated with the spoofed address.
To protect against such scenarios, email providers and organizations are increasingly implementing authentication protocols. However, the effectiveness of these measures depends on widespread adoption and proper configuration. Users can protect themselves by exercising caution with unexpected emails, verifying sender addresses, and not clicking suspicious links or attachments.
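As an added example (not code from the original page), here is a simplified DMARC-style alignment check in Python for the spoofed bank message above: it reads the SPF and DKIM verdicts that our own receiving server recorded in an Authentication-Results header, tests whether the authenticated domain aligns with the visible From domain, and applies the domain's published policy. The two messages, the DMARC record and the server name mx.email.com are constructed, and the organizational-domain logic is a two-label approximation of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. Assumption: the Authentication-Results header was
# added by our own trusted receiving MTA ("mx.email.com") after it checked SPF/DKIM.
SPOOFED = """\
Authentication-Results: mx.email.com; spf=pass smtp.mailfrom=bulk-relay.example; dkim=none
From: Legit Bank <customerservice@legitbank.com>
To: victim@email.com
Subject: Urgent: Account Security Update

Please confirm your password at the link below.
"""
GENUINE = """\
Authentication-Results: mx.email.com; spf=pass smtp.mailfrom=bounce.legitbank.com; dkim=pass header.d=legitbank.com
From: Legit Bank <customerservice@legitbank.com>
To: victim@email.com
Subject: Your monthly statement

Your statement is available.
"""
# Constructed DMARC record for legitbank.com (in reality a DNS TXT record at _dmarc.legitbank.com).
DMARC_REJECT = "v=DMARC1; p=reject; aspf=r; adkim=r"


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (a real check uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') requires an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(raw: str, dmarc_record: str) -> str:
    """Return 'pass' if SPF or DKIM passed *and* aligns with the From domain; otherwise the policy's p= action."""
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass\b[^;]*smtp\.mailfrom=([^\s;]+)", results)
    dkim = re.search(r"dkim=pass\b[^;]*header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and aligned(from_domain, spf.group(1).rpartition("@")[2], tags.get("aspf", "r"))
    dkim_ok = bool(dkim) and aligned(from_domain, dkim.group(1), tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

The spoofed message passes SPF for the relay's own domain, but that domain does not align with legitbank.com, so the bank's p=reject policy applies; the genuine message aligns on both SPF and DKIM.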
Reasons for email spoofing
Although it’s most often used for phishing purposes, there are actually several reasons for spoofing sender addresses. They include:
- Hiding the sender’s true identity. However, if this is the only goal, it can be achieved more easily by registering anonymous mail addresses.
- Avoiding spam block lists. If a sender is spamming, they are bound to be blocked quickly. A simple solution to this problem is to spoof email addresses.
- Pretending to be someone the recipient knows. An attacker might do this to exploit the victim’s trust in an acquaintance and ask for sensitive information or access to personal assets.
- Pretending to be from a business the recipient has a relationship with. The goal here is to get hold of bank login details or other personal data.
- Tarnishing the image of the assumed sender. This might involve a character attack that paints the so-called sender in a bad light.
- Committing identity theft. An example might be a request for information from the victim's financial or healthcare accounts.
How to identify a spoofing email
Here's a list of characteristics that may indicate you have received a spoofing email:
- Suspicious sender email address that doesn't match the claimed identity (e.g., an email claiming to be from Venmo with an address of venmo_security@outlook.com instead of a legitimate Venmo domain)
- Display name that’s inconsistent with the actual email address (e.g., an email from “Jonathan Simpson” coming from an email address of bill.smith@gmail.com)
- Urgent or threatening language creating a sense of pressure
- Requests for sensitive information like passwords or financial details
- Unexpected attachments or links
- Poor grammar, spelling errors, or unusual phrasing
- Generic greetings instead of personalized ones (e.g., “Dear Valued Customer” or “Dear User”)
- Mismatched or incorrect logos and branding
- Unusual sending times, especially if outside business hours
- Requests to bypass normal security procedures
- Inconsistencies with previous communications from the supposed sender
- Email headers showing unexpected routing information (e.g., headers that show the email was routed through multiple countries, even though the sender is supposedly local)
- Links that, when hovered over, reveal suspicious URLs (e.g., misspelled domains or long, overly complex URLs)
- The use of public email domains (e.g., gmail.com) for official business communications
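As an added example (not from the original page), the following Python function turns several of the warning signs above into checks a mail filter or a training tool could run over a From header and subject: a public webmail domain used for business mail, a display name that claims a brand the address is not from, a lookalike domain, a display name inconsistent with the address, and urgent language. The brand domains, sample addresses and phrase list are constructed, and every signal is a heuristic that invites closer inspection rather than proof of spoofing.

```python
from email.utils import parseaddr

# Heuristics only: each signal is a reason for closer inspection, not proof of spoofing.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENT_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as paypa1.com vs paypal.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_signals(from_header: str, subject: str, brand_domains) -> list:
    """Return the warning signs found in a From header and subject.

    brand_domains lists the domains the message claims to come from (empty for personal mail).
    """
    name, addr = parseaddr(from_header)
    local_part, _, domain = addr.lower().rpartition("@")
    signals = []
    if brand_domains and domain in PUBLIC_WEBMAIL:
        signals.append(f"business mail sent from public webmail domain {domain}")
    for brand in brand_domains:
        brand_name = brand.split(".")[0]
        if brand_name in name.lower() and domain != brand and not domain.endswith("." + brand):
            signals.append(f"display name claims {brand_name} but address domain is {domain}")
        if domain != brand and edit_distance(domain, brand) <= 2:
            signals.append(f"domain {domain} is a lookalike of {brand}")
    # "Jonathan Simpson" on bill.smith@gmail.com: no token of the display name appears in the address.
    tokens = [t for t in name.lower().replace(",", " ").split() if len(t) > 2]
    if tokens and not any(t in local_part or t in domain for t in tokens):
        signals.append(f"display name '{name}' does not match address {addr}")
    if any(p in subject.lower() for p in URGENT_PHRASES):
        signals.append("urgent or threatening language in subject")
    return signals
```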
How to protect against email spoofing
Since the email protocol SMTP lacks authentication, it has historically been easy to spoof a sender’s address. As a result, most email providers have become experts at detecting and alerting users to spam rather than rejecting it altogether.
Other protections include the previously mentioned frameworks that facilitate incoming message authentication:
- SPF (Sender Policy Framework): This helps combat domain spoofing by checking whether a given IP address is permitted to send mail for a given domain. SPF can produce false positives, and it only works when the receiving server actually looks up the SPF record and validates the sender.
- DKIM (DomainKeys Identified Mail): This method uses a pair of cryptographic keys to sign outgoing messages and validate incoming messages. However, because DKIM only signs specific pieces of a message, the message can be forwarded without breaking the validity of the signature. This technique is referred to as a “replay attack.”
- DMARC (Domain-Based Message Authentication, Reporting, and Conformance): This method gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, and what actions to take when dealing with mail that fails authentication. DMARC is not yet widely used.
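As an added example (not from the original page), here is a minimal SPF evaluator in Python that does what the SPF bullet above describes: it decides whether a connecting IP address is permitted to send mail for a domain. The two SPF records and the in-memory DNS stand-in are constructed (a real checker queries DNS TXT records), and only the ip4, ip6, include and all mechanisms are implemented; a spoofed message for legitbank.com relayed from an unlisted address such as 192.0.2.7 gets "fail" because of the record's -all.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker queries DNS for each domain.
FAKE_DNS = {
    "legitbank.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connecting IP.

    Supports the ip4, ip6, include and all mechanisms with the four qualifiers;
    returns pass/fail/softfail/neutral, 'none' when no record exists, or
    'permerror' when include chains nest too deeply.
    """
    if depth > 10:
        return "permerror"
    record = FAKE_DNS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        # An IPv4 address is never "in" an IPv6 network and vice versa, so mixed checks are safe.
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return result
        # include: the referenced domain's record must yield "pass" for this IP.
        if mech == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return result
    return "neutral"  # no mechanism matched and no "all" term was present
```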
How Barracuda can help
Email spoofing isn’t always easy to spot. But, with the proper training on identifying spoofing emails and understanding the nuances of email security, organizations can protect their digital infrastructure and valuable data from this popular attack vector.
Not sure where to start? It never hurts to seek the advice of email security experts. Let the Barracuda team put our in-depth cybersecurity knowledge to work for you. Schedule your Email Protection demo today, and let us guide you toward safer communications.