Spoofing Emails
What is Email Spoofing?
Email spoofing is when someone sends an email that looks like it’s from a trusted source, but it’s actually from a different, often malicious sender.
This technique is used to trick the victim into thinking the email is legitimate, potentially leading to scams or phishing attacks.
For example, an email might appear to be from your bank, but it’s really from a hacker trying to steal your personal information.
Most Common Motives Behind Spoofed Emails
Here are the most common goals of spoofed emails:
- Phishing: Steal sensitive information like usernames, passwords, or credit card details.
- Spreading Malware: Distribute malicious software, like a virus or ransomware. This is done by tricking recipients into opening infected attachments or clicking on malicious links.
- Financial Fraud: Tricking recipients into making unauthorized financial transactions. This is often done by pretending to be a coworker or vendor.
- Brand Damage: Harm the reputation of a brand or organization by sending harmful or offensive content that appears to come from them.
- Gaining Unauthorized Access: Trick targets into revealing login credentials. This allows the attackers to gain access to otherwise secure systems or networks.
- Social Engineering: Manipulating recipients into performing specific actions. These often include financial fraud, account takeovers, or sharing confidential information.
How Email Spoofing Works
Email spoofing is used in various types of scams, including phishing, business email compromise (BEC), and spreading malware.
The attack works by manipulating the email header to make the message appear as if it’s from a trusted source.
For example, attackers change the “From” address to a legitimate-looking email in order to trick recipients.
The email is then sent using standard email protocols that don’t verify the sender’s authenticity.
Recipients, seeing a familiar name, might open attachments, click on malicious links, or follow harmful instructions.
This allows the attacker to steal information or install malware.
To break it down even further, there are three common types of email spoofing attacks:
- Display Name Spoofing: The attacker changes the display name that appears in the “From” field of the email. While the actual sender address might be different, the display name appears as someone the recipient knows or trusts. For example, an email appears to come from “John Smith,” a known colleague, but the email address is “[email protected]”.
- Domain Spoofing: The attacker forges the domain part of the email address to make it look like it comes from a legitimate organization. This is a bit more sophisticated, as it involves buying a similar domain name. For example, an email appears to come from PayPal, but in reality it’s from a fake domain like “[email protected]” or “[email protected]”.
- Reply-to Spoofing: The attacker changes the “Reply-to” address so that any responses to the email are sent to the attacker’s email address instead of the legitimate sender. This is often combined with display name or domain spoofing. For example, an email appears to come from “[email protected]”, but when the recipient replies, the response goes to “[email protected]”.
Real-World Email Spoofing Examples
- BEC Attack on Ubiquiti Networks: In 2015, Ubiquiti Networks fell victim to a Business Email Compromise (BEC) attack. Spoofed emails were used to convince employees to transfer $46.7 million to fraudulent overseas accounts. The attackers posed as company executives and used social engineering tactics to execute the scam.
- DNC Hack in 2016 US Presidential Campaign: During the 2016 US presidential campaign, Russian hackers used spoofed emails to target the Democratic National Committee (DNC) and Hillary Clinton’s campaign. This led to multiple data breaches, leaking sensitive information that impacted the election.
- FACC AG: In 2016, Austrian aerospace parts manufacturer FACC AG was hit by a BEC attack involving spoofed emails. The attack cost the company €50 million. Attackers impersonated the CEO and other executives, tricking employees into transferring large sums of money to the attacker’s account.
How to Identify a Spoofed Email
Although there’s no foolproof method to identify a spoofed email, there are several things to look for:
- Check the Sender’s Email Address: Look closely at the email address, not just the display name. Spoofed emails often use addresses that are similar to legitimate ones but have slight variations. Be on the lookout for extra characters or misspellings.
- Look for Generic Greetings: Legitimate companies usually address you by name. Be wary of emails that use generic greetings like “Dear Customer” or “Dear User.”
- Examine the Email Content for Errors: Check for spelling and grammar mistakes. Legitimate companies usually proofread their emails, so errors can be a sign of a spoofed email.
- Check for Urgency: Be wary of emails that create a sense of urgency or pressure you to take immediate action. A common example is threatening to suspend your account if you don’t respond quickly.
- Inspect Links Before Clicking: Hover over any links in the email to see the actual URL. If the URL looks suspicious or doesn’t match the company’s website, don’t click it. Instead, navigate to the company’s website directly.
- Review Attachments: Be careful with unexpected attachments, especially if they come from unfamiliar sources. Attachments are a popular way to send malware.
- Look for Unusual Requests: Legitimate companies will never ask you to send sensitive information by email. If an email asks for sensitive information, like your password, Social Security number, or credit card details, it should immediately raise a red flag.
- Check the Email Headers: The email headers can reveal discrepancies between the sender’s supposed address and the SMTP servers used to route the email to you.
- Verify with the Source: If all else fails, call the sender directly or contact the company using their official contact information from their website.
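The header checks listed above, together with the three spoofing types described earlier (display name, domain, Reply-To), can be automated on the receiving side. The following is an added example and is not code from the original article: it parses a raw message with Python's standard `email` module and flags display-name spoofing, lookalike (homoglyph or typosquat) domains, Reply-To and Return-Path mismatches, and a first-hop SMTP server that does not belong to the From domain. The trusted domain, the contact directory, the homoglyph table and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain, and a small
# directory mapping display names of known contacts to their real domain.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_CONTACTS = {"John Smith": "example.com"}

# Characters attackers swap for visually similar ones in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'exmaple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw: str) -> dict:
    """Return a mapping of finding code -> explanation for one message's header block."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = {}

    # Display-name spoofing: a familiar name attached to an address at another domain.
    expected = KNOWN_CONTACTS.get(from_name)
    if expected and from_domain != expected:
        findings["display-name-spoofing"] = f"'{from_name}' is known at {expected}, not {from_domain}"

    # Domain spoofing: the From domain is a homoglyph or typosquat of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and (
            normalize(from_domain) == normalize(trusted) or edit_distance(from_domain, trusted) <= 2
        ):
            findings["lookalike-domain"] = f"{from_domain} resembles {trusted}"

    # Reply-To spoofing: replies would be diverted away from the visible sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings["reply-to-mismatch"] = f"replies go to {domain_of(reply_addr)}, not {from_domain}"

    # Envelope sender (Return-Path) differs from the header From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings["return-path-mismatch"] = f"bounces go to {domain_of(return_path)}, not {from_domain}"

    # Routing: the originating SMTP host (bottom-most Received header) should belong to the From domain.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+([\w.-]+)", received[-1].strip(), re.IGNORECASE)
        host = m.group(1).lower() if m else ""
        if host and host != from_domain and not host.endswith("." + from_domain):
            findings["origin-server-mismatch"] = f"first hop {host} is not a {from_domain} server"
    return findings


# Constructed sample messages (not real mail): one spoofed, one clean.
SPOOFED = """\
Return-Path: <bounce@attacker-mail.invalid>
Received: from smtp.attacker-mail.invalid (smtp.attacker-mail.invalid [203.0.113.7]) by mx.example.com with ESMTP id abc123
From: "John Smith" <john.smith@examp1e.com>
Reply-To: <payments@attacker-mail.invalid>
To: accounts@example.com
Subject: Urgent wire transfer

"""

CLEAN = """\
Return-Path: <john.smith@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com with ESMTP id def456
From: "John Smith" <john.smith@example.com>
To: accounts@example.com
Subject: Quarterly report

"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, analyze_headers(sample))
```

Running it reports five findings for the spoofed sample and none for the clean one. The Return-Path check is informational on its own, since legitimate bulk mailers often use a separate bounce domain; it is the combination of a known display name, a homoglyph domain and a diverted Reply-To that marks the message as a spoof.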
How to Protect Against Email Spoofing
While user education is often touted as the solution to phishing attacks, technical controls are generally more reliable.
Here’s a list of technical solutions that help prevent spoofed emails:
- Organizations should publish SPF records for their domains. These tell receiving servers which mail servers are authorized to send email on the domain’s behalf.
- Configure DKIM, which uses cryptographic signatures to verify that emails aren’t altered in transit and really originate from the domain that signed them.
- Configure DMARC, which tells receiving servers how to handle emails that fail the SPF and DKIM checks and provides reports for monitoring.
- Deploy email gateways that can filter and block spoofed emails before they reach the recipients’ inboxes.
- Require MFA for accessing email accounts and other critical systems.
- Keep all email servers and software up to date with the latest security patches.
- Develop and enforce email policies that spell out how sensitive information should be handled. Hint: sensitive information should not be sent unencrypted over email.
- Encourage employees to verify any unusual requests for sensitive information or financial transactions through a different communication channel, such as a phone call.
- Monitor for any relevant lookalike, typosquatting, or homoglyph domains that could be used as part of a phishing attack.
- Continuously monitor the dark web for leaked employee, customer, or supplier credentials that could be used to gain unauthorized access to email accounts.
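To make the SPF, DKIM and DMARC items above concrete, here is an added example (not from the original article) that evaluates simplified SPF records and a DMARC policy against a sending IP address. It assumes a constructed `DNS_TXT` dictionary in place of a live resolver, models only the `ip4`, `include` and `all` SPF mechanisms, derives the organisational domain by taking the last two labels instead of consulting the Public Suffix List, and treats DKIM signature verification as already done elsewhere (passed in as `dkim_domain` and `dkim_valid`). The domains, IP ranges and records are illustrative; `example.com` publishes strict records and `weak.invalid` publishes permissive ones so the two outcomes can be compared.

```python
import ipaddress

# Constructed DNS TXT records standing in for a real resolver (assumption for this example).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.invalid -all",
    "_spf.mailprovider.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "attacker-mail.invalid": "v=spf1 ip4:203.0.113.0/24 -all",   # attacker's own, perfectly valid SPF
    "weak.invalid": "v=spf1 ip4:192.0.2.0/24 ?all",              # '?all' asserts nothing about other senders
    "_dmarc.weak.invalid": "v=DMARC1; p=none",                   # 'p=none' only reports, never blocks
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the ip4/include/all mechanisms of a domain's SPF record for a sending IP."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists and other mechanisms are not modelled here
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


def parse_dmarc(domain: str):
    """Parse the _dmarc TXT record into a tag dictionary, or None if no policy is published."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def org_domain(domain: str) -> str:
    # Simplified organisational domain (last two labels); real code consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, mail_from_domain, sending_ip, dkim_domain=None, dkim_valid=False) -> str:
    """Disposition for a message given its header From domain, SMTP MAIL FROM domain,
    connecting IP and the (assumed, externally verified) DKIM result: pass, none, quarantine or reject."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none"  # no policy published: the receiver falls back to its own heuristics
    spf_ok = check_spf(mail_from_domain, sending_ip) == "pass" and aligned(
        mail_from_domain, from_domain, policy.get("aspf", "r")
    )
    dkim_ok = bool(dkim_valid and dkim_domain and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")


if __name__ == "__main__":
    # Forged From at the strict domain, sent from an attacker-controlled host.
    print(dmarc_disposition("example.com", "example.com", "203.0.113.7"))             # reject
    # Attacker's own domain passes SPF, but it is not aligned with the header From.
    print(dmarc_disposition("example.com", "attacker-mail.invalid", "203.0.113.7"))   # reject
    # Same forgery against the permissive domain is simply delivered.
    print(dmarc_disposition("weak.invalid", "weak.invalid", "203.0.113.7"))           # none
```

Two points fall out of the example. First, an SPF pass on its own proves nothing about the visible From address: the attacker's own domain passes SPF cleanly, and only DMARC's alignment requirement ties that result back to the header From. Second, the weak settings (`?all`, `p=none`) never produce a blocking disposition, so a forged message is delivered regardless of the checks; `-all` with `p=reject` is what turns the authentication results into an actual block.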