Being aware of email spoofing is crucial for office workers and IT managers. By disguising a message as coming from someone else’s email address, often an address in your own organisation, attackers trick recipients into handing over credentials, paying fraudulent invoices or opening malware. Understanding how common this attack is, and what it relies on, is key to protecting your data and keeping unauthorised users off your network.
In this blog post, I’ll explain what it means to “spoof” an email address, how easy it is for malicious actors to pull off successfully, and the steps you can take today to reduce its impact on your organization.
What is Email Spoofing and How Does it Work
Email spoofing refers to the practice of disguising the origin of an email message. It involves forging the header information of the email message to make it appear as if it were sent from a different source. This type of cybercrime is often used to trick recipients into revealing sensitive information or downloading malware.
Cybercriminals use several spoofing techniques. Here are five common examples:
- Simple Mail Transfer Protocol (SMTP) Spoofing: SMTP itself does not authenticate the sender, so anyone operating a mail server can supply whatever envelope sender (the SMTP MAIL FROM, which becomes the Return-Path) and whatever message headers they like. The “From”, “Return-Path” and “Reply-To” fields can all be set to legitimate addresses so the message looks genuine; only checks on the receiving side (SPF, DKIM and DMARC, explained below) can detect the forgery.
- Display Name Spoofing: In this method, hackers exploit the fact that most email clients display the ‘From’ name rather than the sender’s actual email address. They can set the ‘From’ name to be the name of a trusted individual or organization, while the actual email address can be any arbitrary, often newly created, email account.
- Domain Spoofing: Hackers use a domain that is very similar to a legitimate one but with minor changes. For example, they might substitute ‘m’ with ‘rn’ (e.g., ‘exarnple.com’ instead of ‘example.com’). At a quick glance, the recipient may not notice this difference and trust the sender’s authenticity.
- Cousin Domain Spoofing: In this method, hackers create a new domain that closely resembles a trusted domain. This may involve changing a single letter in the domain name or using different top-level domains (e.g., ‘.net’ instead of ‘.com’).
- Look-alike (Punycode) Spoofing: Hackers use internationalized domain names to make malicious domains look like legitimate ones. They employ characters from other alphabets (a Cyrillic ‘а’ in place of a Latin ‘a’, for instance) that render almost identically to ASCII letters. Such a domain travels through DNS and SMTP as an ASCII label beginning with ‘xn--’ (Punycode), which is one way to spot it in the raw address even when the mail client displays the Unicode form. This technique is often used in combination with phishing attacks.
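The following is an added example, not code from the original post: a small checker for the header-visible tricks listed above (display-name spoofing, look-alike and cousin domains, Punycode homographs), run over the value of one From: header. The trusted domain, the confusable tables and the sample headers are assumptions made for the example; a real deployment would use a proper confusables list and the organisation’s own domains.

```python
"""Flag display-name spoofing, look-alike and cousin domains and Punycode/IDN
homographs in one From: header.  Stdlib only.  TRUSTED, the confusable tables
and the sample headers are assumptions for this example."""
from email.utils import parseaddr

TRUSTED = {"example.com"}          # assumption: the organisation's own domain(s)

# Visually confusable ASCII sequences, and Cyrillic letters that render like
# Latin a/e/o/p/c/x/y/i/j/s.  Extend as needed; a real tool uses a full list.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
                            "\u0458": "j", "\u0455": "s"})

def is_punycode(domain):
    return any(label.startswith("xn--") for label in domain.split("."))

def skeleton(domain):
    """Reduce a domain to what it looks like to a reader: decode Punycode
    labels, map homoglyphs to ASCII, then fold multi-letter confusables."""
    if is_punycode(domain):
        domain = domain.encode("ascii").decode("idna")
    domain = domain.lower().translate(HOMOGLYPHS)
    for fake, real in ASCII_CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Plain Levenshtein distance, used for the cousin-domain check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return a list of findings for the value of one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return ["unparseable address"]
    if domain in TRUSTED:
        return []          # an exact match can only be judged by SPF/DKIM/DMARC
    findings = []
    if is_punycode(domain):
        findings.append("punycode (IDN) domain")
    look = skeleton(domain)
    if look in TRUSTED:
        findings.append(f"look-alike of {look}")
    else:
        sld, _, tld = look.partition(".")
        for trusted in TRUSTED:
            t_sld, _, t_tld = trusted.partition(".")
            if sld == t_sld and tld != t_tld:
                findings.append(f"cousin domain of {trusted} (different TLD)")
            elif edit_distance(look, trusted) <= 2:
                findings.append(f"cousin domain of {trusted} (within two edits)")
    if any(t.partition(".")[0] in name.lower() for t in TRUSTED):
        findings.append("display name impersonates a trusted sender from an untrusted domain")
    return findings

# Constructed sample: 'example.com' with a Cyrillic 'а' in place of the Latin
# one, encoded the way it actually travels in DNS and SMTP (xn-- label).
IDN_SAMPLE = "ex\u0430mple.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for hdr in ["Alice <alice@example.com>", "IT Desk <it@exarnple.com>",
                "IT Desk <it@example.net>", f"Example Support <support@{IDN_SAMPLE}>",
                "Example Ltd <ceo@freemail.test>"]:
        print(f"{hdr:48} -> {classify_sender(hdr) or 'no findings'}")
```

Note the early return for an exact domain match: a From: header that says example.com may still be forged, and only the SPF, DKIM and DMARC checks described later can tell you that.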
In most cases, cybercriminals also use social engineering tactics to make the email appear legitimate and increase the chances of a successful attack. Email spoofing is a serious concern for individuals and organizations alike, as it can result in data breaches, financial losses, and reputational damage. Users should be vigilant when opening unsolicited emails, and organisations should publish the email authentication records Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) for their domains, so that receiving servers can detect and reject forgeries of their addresses.
The Risk Level of Email Spoofing
The risk level of email spoofing is high, as attackers can use this technique to trick recipients into providing sensitive information such as usernames, passwords, and financial data. Email security measures like SPF, DKIM, and DMARC can be implemented to prevent exact forgery of your domain, but they are not foolproof: they only bite when the receiving server enforces them, they require the domain owner to publish a reject policy, and they do nothing against display-name spoofing or look-alike domains, which use an address the attacker genuinely controls. It is therefore crucial to train employees on how to spot and report suspicious emails to minimize the risk of a spoofing attack.
Let’s take a look at this example:
One of our customers received this email:
Hi Internet User,
I am a hacker, and I have successfully gained access to your operating system. I also have full access to your account. I’ve been watching you for a few months now. The fact is that your computer has been infected with malware through an adult site that you visited. If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why did your antivirus not detect malware?
Answer: The malware I used is driver-based, I update its signatures every 4 hours. Hence your antivirus is unable to detect its presence.
I made a video showing how you satisfy yourself in the left half of the screen, and the right half shows the video you were watching at the time.
With one mouse click, I can send this video to all your emails and contacts on your social networks. I can also make public all your e-mail correspondence and chat history on the messengers that you use.
If you don’t want this to happen, transfer $1690 in Bitcoin equivalent to my Bitcoin address (if you do not know how to do this, just search “buy bitcoin” on Google). My Bitcoin address (BTC Wallet) is: 13fRV6chMyEKVjmRXXXXXXXXXXXXXX
After confirming your payment, I will delete the video immediately, and that’s it. You will never hear from me again. I will give you 50 hours (more than 2 days) to pay. I will get a notice, when you open this email, and the timer will start. Filing a complaint somewhere does not make sense because this email cannot be tracked like my Bitcoin address. I never make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
In this case, the cybercriminal not only spoofed the email address but also tried to manipulate the victim into paying a ransom so that the supposedly compromising content would not be published.
But was there any real threat with this specific message?
Let’s quickly analyze it:
- The only piece of personal information was the victim’s name and surname. On its own that proves nothing: most emails are addressed by name, and names are trivially easy to harvest.
- There was no credible proof that the criminals actually held any confidential data. In genuine extortion cases that reach the negotiation stage, the attackers almost always supply evidence that their claims are true, typically a small sample of the stolen data, photos or video, because proof is what makes the victim take them seriously.
- Raising the stakes: the criminal explains away the absence of an antivirus alert by claiming the malware is so advanced that it stays permanently ahead of every antivirus vendor. That claim cannot be verified and is there to discourage the victim from checking.
Based on this we can safely assume this was not a technical attack exploiting some vulnerability but a purely psychological one: the cybercriminal tries to knock the user off balance and then present himself as the guide to a happy ending, which of course means paying the money.
Sadly, paying does not end it. A victim who pays is met with a stronger push and further demands, and the pressure only stops once the victim refuses to pay and stops communicating with the criminals.
As you can see failure to address email spoofing can lead to disastrous consequences, including financial losses and reputational damage. As such, it is imperative that businesses prioritize email security to protect themselves and their customers from falling victim to email spoofing.
What to Do if You Receive an Email From a Suspicious Address?
It’s common to receive emails from unknown or suspicious sources. These emails may contain malware or phishing scams that could compromise the security of your computer or personal information. If you receive an email from a suspicious address, the best thing to do is to avoid opening any links or downloading any attachments no matter how tempting this might be. It’s also important not to reply to the email or provide any personal information. Instead, mark the email as spam or move it to your junk folder. Always be cautious and vigilant when it comes to suspicious emails, as they could potentially cause harm or damage to your digital life.
How to Protect Your Email from Spoofers
With the rise of cybercrime, it is more important than ever to protect your email from spoofers, who disguise themselves as legitimate entities to gain access to sensitive information. The good news is that there are several steps you can take to fortify your email security. First and foremost, use a strong and unique password for your email account (no pet names or birthdays!). Enable multi-factor authentication and use reputable antivirus software to scan for malicious content. Be wary of unsolicited emails and attachments, especially those from unknown senders. Finally, keep your software and applications updated to the latest versions to close known vulnerabilities.
By implementing these precautions, you can safeguard your email and maintain the privacy of your personal and professional communications. Note that these steps protect your own mailbox; they do not stop someone forging your address in mail sent to others. That is the job of the domain-level controls: at the system administration level, always publish SPF, DKIM and DMARC records for your domain.
Let’s first explain what each of the security protocols does:
Sender Policy Framework (SPF) is an email authentication method designed to stop spammers from sending emails on behalf of your domain. In other words, it lets a receiving server verify that a message whose envelope sender is in a given domain was handed over by an IP address that domain’s administrators authorised.
Here’s how it works:
- Domain owners publish the list of servers allowed to send mail for their domain as a TXT record starting with v=spf1 in their Domain Name System (DNS) zone. The list can name IP ranges directly (ip4:, ip6:) or refer to hostnames and other domains (a, mx, include:).
- When a message arrives, the receiving server takes the domain from the envelope sender (the SMTP MAIL FROM, which ends up in the Return-Path header; if it is empty, the HELO/EHLO hostname is used) and looks up that domain’s SPF record in DNS.
- If the connecting IP address matches a mechanism in the record, the result is the qualifier attached to that mechanism: pass (+, the default), fail (-), softfail (~) or neutral (?). A pass does not by itself mean the message is accepted; it is one input to spam filtering and to DMARC.
- If no mechanism matches, the result is whatever the trailing all term says: -all produces fail (the message can be rejected or marked as spam), ~all produces softfail, and a record with no all term produces neutral.
SPF lets domain owners declare which servers may send mail with their domain as the envelope sender. On its own it says nothing about the visible “From” header, which is what the recipient sees and what phishers forge; SPF only protects the “From” header in combination with DMARC, which requires the SPF-checked domain to align with it. Note also that SPF breaks when mail is forwarded, because the forwarder’s IP is not in the original domain’s record, which is one reason DKIM is needed as well.
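To make the evaluation order concrete, here is an added example (not the post’s code and not a production library) of a minimal SPF evaluator over a constructed, in-memory DNS so that it runs offline. It supports the mechanisms most records use (ip4, ip6, a, mx, include, all) with the four qualifiers; redirect=, exists, macros and the 10-lookup limit are deliberately left out, and the zone data is made up. Use a maintained library such as pyspf in production.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over constructed DNS data.
Added example, stdlib only; the zone data below is made up."""
import ipaddress

DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("attacker.test", "TXT"): ["v=spf1 ip4:198.18.0.5 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the v=spf1 TXT record for `domain`, or None if it has none."""
    records = [t for t in DNS.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    return records[0] if records else None

def host_ips(domain, rtype="A"):
    return [ipaddress.ip_address(a) for a in DNS.get((domain, rtype), [])]

def check_host(ip, domain, depth=0):
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`."""
    if depth > 10:
        return "permerror"                # runaway include chain
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the v=spf1 tag
        if term.lower().startswith("redirect="):
            return "permerror"            # not implemented in this example
        if "=" in term:
            continue                      # other modifiers (exp=) are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(mx) for mx in DNS.get((arg or domain, "MX"), []))
        elif name == "include":
            # include matches only when the included domain's own check passes;
            # its fail/softfail do not propagate to the caller
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no `all` term

def spf_for_mail_from(ip, mail_from):
    """SPF is evaluated against the envelope sender (MAIL FROM / Return-Path),
    never against the visible From: header.  A message can therefore pass SPF
    for attacker.test while displaying From: ceo@example.com; catching that
    mismatch is DMARC's job, not SPF's."""
    return check_host(ip, mail_from.rpartition("@")[2].lower())

if __name__ == "__main__":
    for ip, sender in [("192.0.2.7", "bob@example.com"), ("198.51.100.25", "bob@example.com"),
                       ("203.0.113.9", "bob@example.com"), ("10.0.0.1", "bob@example.com"),
                       ("198.18.0.5", "bounce@attacker.test"), ("10.0.0.1", "x@nospf.test")]:
        print(f"{ip:15} MAIL FROM:<{sender}> -> {spf_for_mail_from(ip, sender)}")
```

The include: branch is the part people most often get wrong: a softfail inside the included record does not make the outer check softfail, it simply does not match, so the evaluation continues to the outer -all.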
DomainKeys Identified Mail (DKIM) is an email authentication method that allows the recipient to check that the email was indeed sent by the domain it claims to have been sent from and that it wasn’t modified during transport.
The way DKIM works is by using cryptographic technology. Here’s a simplified explanation:
- The owner of the domain (typically the organization using it) generates a public-private key pair. The private key is stored securely on the sending mail server, while the public key is published in DNS as a TXT record at <selector>._domainkey.<domain>. The selector lets a domain run several keys at once, for example one per sending service, and rotate them without downtime.
- When an email is sent from the domain, the outgoing server computes a hash of the message body and signs that hash together with a chosen set of headers (From, To, Subject and so on) using the private key. The result is added as a DKIM-Signature header, which also names the signing domain (d=), the selector (s=), the headers covered (h=) and the body hash (bh=).
- Upon receiving the email, the recipient’s server fetches the public key named by d= and s=, recomputes the body hash and verifies the signature. If both check out, the signed headers and body are known to be unchanged since the d= domain signed them. Note that this only proves who signed, not that the signer matches the visible sender: a valid signature from attacker.test says nothing about a From: header claiming example.com, which again is what DMARC’s alignment check is for.
- If the signature doesn’t check out (e.g., because the email was modified during transport), the email can be considered suspicious.
- If no DKIM signature is present when there should be one, this too could be a sign that the email isn’t authentic.
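The body-hash step is easy to demonstrate without any key material, so here is an added example (not the post’s code) that computes and checks the bh= tag with the ‘simple’ and ‘relaxed’ body canonicalizations of RFC 6376. A verifier recomputes bh= from the body it received before it checks the RSA signature over the headers; if bh= no longer matches, the body was altered in transit and the signature fails. The RSA signing of the headers (the b= tag) needs a key and a crypto library and is left out, so b= stays empty; the message is constructed for the example.

```python
"""DKIM body hash (bh=) with RFC 6376 'simple' and 'relaxed' body
canonicalization.  Added example, stdlib only; the b= signature over the
headers is out of scope here and left empty.  SAMPLE is a constructed message."""
import base64
import email
import hashlib
import re

def canonical_body(body: bytes, mode: str) -> bytes:
    """'simple' drops trailing empty lines; 'relaxed' also strips trailing
    whitespace on each line and collapses runs of spaces/tabs to one space."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""   # RFC 6376 empty-body rules
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canonical_body(body, mode)).digest()).decode()

def split_message(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body

def dkim_tags(value: str) -> dict:
    """Parse 'k=v; k=v'; whitespace inside values (folded b=/bh=) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def body_canon_mode(tags: dict) -> str:
    canon = tags.get("c", "simple/simple")      # 'c=relaxed' alone means relaxed/simple
    return canon.split("/")[1] if "/" in canon else "simple"

def sign_body_hash(raw: bytes, domain="example.com", selector="s1") -> bytes:
    """Prepend the DKIM-Signature a signer builds before the RSA step
    (assumption: b= left empty; a real signer signs the h= headers plus this header)."""
    head, body = split_message(raw)
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; "
           f"s={selector}; h=from:to:subject; bh={body_hash(body, 'relaxed')}; b=")
    return sig.encode() + b"\r\n" + head + b"\r\n\r\n" + body

def verify_body_hash(raw: bytes):
    """True/False if bh= matches the received body; None if there is no signature."""
    head, body = split_message(raw)
    sig = email.message_from_bytes(head)["DKIM-Signature"]
    if sig is None:
        return None
    tags = dkim_tags(sig)
    return tags.get("bh") == body_hash(body, body_canon_mode(tags))

# Constructed sample message (CRLF line endings, as on the wire)
SAMPLE = (b"From: Accounts <accounts@example.com>\r\n"
          b"To: finance@customer.test\r\n"
          b"Subject: Invoice 1042\r\n"
          b"\r\n"
          b"Please pay invoice 1042 to account 12-34-56 00012345.\r\n"
          b"Thanks,  Accounts\r\n\r\n")

if __name__ == "__main__":
    signed = sign_body_hash(SAMPLE)
    print("as signed:       ", verify_body_hash(signed))
    print("account changed: ", verify_body_hash(signed.replace(b"00012345", b"99999999")))
    print("whitespace only: ", verify_body_hash(signed.replace(b"Thanks,  Accounts", b"Thanks, Accounts")))
    print("no signature:    ", verify_body_hash(SAMPLE))
```

Relaxed canonicalization is why a mailing list or gateway that re-wraps whitespace does not break every signature, while any change to the actual content (here, the bank account number) does.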
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It lets the owner of a domain publish a policy saying what receivers should do with mail that carries the domain in the visible From header but passes neither an aligned SPF check nor an aligned DKIM check, and asks receivers to report back what they saw.
Here’s a high-level overview of how DMARC works:
- The domain owner publishes a DMARC record as a TXT record at _dmarc.<domain> in their Domain Name System (DNS) settings. Its p= tag tells receivers what to do with failing mail: none (deliver, just report), quarantine (treat as spam) or reject. sp= sets a separate policy for subdomains, pct= applies the policy to only a percentage of failing mail during rollout, and rua= / ruf= give addresses for aggregate and failure reports.
- For each inbound message the receiving server takes the domain from the From header, looks up its DMARC record, and runs SPF and DKIM. DMARC passes if at least one of the two passes and is aligned: the domain that SPF validated (the envelope sender) or the d= domain of a valid DKIM signature must match the From domain, either exactly (strict, aspf=s / adkim=s) or at the organisational-domain level (relaxed, the default, so mail.example.com aligns with example.com).
- If neither check passes aligned, the receiving server applies the policy from the record: deliver, quarantine or reject. This is what catches the SMTP spoofing described earlier: a message that passes SPF for the attacker’s own domain, or carries a valid DKIM signature from the attacker’s own domain, still fails DMARC because those domains do not align with the forged From header.
- Receivers then send aggregate reports (rua), normally once a day, to the domain owner, summarising every source that sent mail using the domain and how it fared, whether it failed or not. This is how owners discover forgotten legitimate senders (billing systems, marketing platforms) before moving from p=none to p=reject.
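The alignment rule is where most DMARC misunderstandings live, so here is an added example (not the post’s code) that takes the SPF and DKIM results a receiver has already computed and produces the DMARC result and disposition. The DMARC records are constructed, and the organisational domain is approximated as the last two labels; a real receiver uses the Public Suffix List for that.

```python
"""DMARC (RFC 7489) decision for one message from precomputed SPF/DKIM results.
Added example, stdlib only.  DNS_TXT is constructed; org_domain() is a
two-label approximation of the Public Suffix List lookup (assumption)."""

DNS_TXT = {   # what a receiver would get back from _dmarc.<domain>
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.news.other.test": "v=DMARC1; p=none; rua=mailto:reports@other.test",
}

def parse_dmarc(txt):
    """Tag list -> policy dict with RFC 7489 defaults; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return {"p": tags["p"], "sp": tags.get("sp", tags["p"]),
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r"),
            "pct": int(tags.get("pct", "100")), "rua": tags.get("rua")}

def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])

def find_policy(from_domain):
    """Try _dmarc.<From domain> first, then the organisational domain, in which
    case the org record's sp= is the policy that applies."""
    policy = parse_dmarc(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    if policy:
        return policy, policy["p"]
    org = org_domain(from_domain)
    if org != from_domain:
        policy = parse_dmarc(DNS_TXT.get(f"_dmarc.{org}", ""))
        if policy:
            return policy, policy["sp"]
    return None, None

def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match.  Relaxed ('r'): same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """spf_domain is the MAIL FROM domain SPF was run on; dkim_domain is the
    d= of a signature that verified.  Returns result, disposition and which
    mechanism produced the pass."""
    from_domain = from_domain.lower()
    policy, applicable = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "via": None}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "via": "spf" if spf_ok else "dkim"}
    # pct<100 would apply the policy to only that share of failing mail; not sampled here
    return {"dmarc": "fail", "disposition": applicable, "via": None}

if __name__ == "__main__":
    cases = [("example.com", "pass", "attacker.test", "none", None),
             ("example.com", "pass", "bounce.example.com", "fail", "example.com"),
             ("example.com", "fail", "bounce.example.com", "pass", "mail.example.com"),
             ("hr.example.com", "fail", None, "fail", None)]
    for case in cases:
        print(case, "->", dmarc_evaluate(*case))
```

The first case in the usage block is the SMTP-spoofing scenario from earlier: SPF passes for the attacker’s own bounce domain, DKIM is absent, and because attacker.test does not align with example.com the message is rejected under p=reject.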
Tips for Identifying Spoofed Emails
As the prevalence of email continues to soar, so does the threat of malicious emails. One of the most common types of these malicious emails is a spoofed email, which appears to come from a legitimate source but actually originates from a different one. Fortunately, there are several tips that you can use to identify spoofed emails and protect yourself from potential harm.
- Firstly, check the sender’s email address carefully, as many spoofed emails will have small discrepancies or odd characters in the email address.
- Second, if you use Microsoft 365 and Outlook, you may see a safety tip bar with an exclamation icon and a short message above the email. Read it: when the filtering service finds something wrong it warns you there, for example with the message “The actual sender of this message is different than the normal sender. Click here to learn more”.
- Additionally, be wary of urgent or threatening language in the email, as this is a common tactic used by scammers.
- Finally, if in doubt, contact the purported sender directly and ask whether the email is legitimate, but do so through a channel you already have, such as a known phone number or a fresh email to their usual address, never by replying to the suspicious message, since the reply may go to the attacker.
By following these steps, you can avoid becoming a victim of a spoofed email and keep your personal information safe.
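As an added example (not the post’s code), the same checks can be run mechanically on one raw message: compare the visible From: with Reply-To and Return-Path, read the SPF/DKIM/DMARC verdicts from the Authentication-Results header that your own mail server added, and flag urgency wording in the subject. The two messages and their Authentication-Results lines are constructed; real providers vary the exact wording of that header, and only the copy added by your own gateway (the topmost one) should be trusted, because a sender can insert fake ones lower down.

```python
"""Header triage for one raw RFC 5322 message.  Added example, stdlib only;
SUSPICIOUS and CLEAN are constructed messages, and the Authentication-Results
format shown is typical but provider-specific (assumption)."""
import email
import re
from email.utils import parseaddr

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(value):
    """'authserv-id; spf=pass ...; dkim=none; dmarc=fail ...' -> {'spf': 'pass', ...}"""
    verdicts = {}
    for clause in (value or "").split(";")[1:]:       # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts

URGENCY = re.compile(r"\b(urgent|immediately|today|within \d+ hours|final notice)\b", re.I)

def triage(raw: bytes):
    """Return a list of human-readable red flags (empty list = nothing found)."""
    msg = email.message_from_bytes(raw)
    from_d = domain_of(msg["From"])
    flags = []
    reply_d = domain_of(msg["Reply-To"])
    if reply_d and reply_d != from_d:
        flags.append(f"replies go to {reply_d}, not {from_d}")
    bounce_d = domain_of(msg["Return-Path"])
    if bounce_d and bounce_d != from_d:
        flags.append(f"envelope sender is {bounce_d}, not {from_d}")
    # Trust only the first (topmost) Authentication-Results: our gateway prepends it
    results = msg.get_all("Authentication-Results") or []
    verdicts = auth_results(results[0]) if results else {}
    if not verdicts:
        flags.append("no Authentication-Results from our gateway")
    for method in ("spf", "dkim", "dmarc"):
        if method in verdicts and verdicts[method] != "pass":
            flags.append(f"{method}={verdicts[method]}")
    if URGENCY.search(msg["Subject"] or ""):
        flags.append("urgency wording in subject")
    return flags

# Constructed: CEO-fraud style message, display name and From domain forged,
# replies diverted to a free mailbox, bounce domain owned by the attacker.
SUSPICIOUS = b"""\
Return-Path: <bounce@attacker.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.test; dkim=none; dmarc=fail (p=reject) header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@freemail.test
To: finance@example.com
Subject: Urgent wire transfer today

Please send 24,500 GBP to the account below before close of business.
"""

# Constructed: a normal internal message that authenticated cleanly.
CLEAN = b"""\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget notes

See attached.
"""

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))
    print("clean:     ", triage(CLEAN))
```

Note that spf=pass on the suspicious message is not a flag on its own: SPF genuinely passed for attacker.test, which is exactly why the dmarc=fail verdict, not the SPF one, is the line to read.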
What You Can Do if Your Email Address is Compromised
Unfortunately, even the most careful individuals can fall victim to email compromises. If you suspect that your email address has been compromised, there are several steps you can take to regain control and protect yourself.
- First, change your password immediately and ensure it is strong and unique.
- Second, monitor your inbox and sent folders for suspicious activity, and check the Deleted Items folder too, as cybercriminals frequently delete any trace of the emails they don’t want you to see. Review your mailbox rules and forwarding settings as well; an intruder often adds a rule that silently forwards or hides messages so that they keep access after you change the password.
- Third, enable two-factor authentication for an added layer of security.
- Fourth, consider using a password manager to securely store all your login credentials.
- Lastly, inform your contacts of the situation and advise them to be cautious when opening any emails from your account.
By taking these steps, you can regain control of your email and keep your personal information safe.
Learning how to protect oneself from email spoofing is essential to maintain the security of one’s data. While no system is foolproof, there are basic steps that everyone can take to minimize the risk level of an attack. By creating strong passwords and limiting access to your accounts, you can reduce your odds of having your identity stolen or compromising information being revealed about you. Keeping track of where your email appears online, such as in social media posts, can also help prevent fraudulent emails from impersonating you or gaining unwanted access to sensitive information. Finally, learning how to recognize a spoofed email and understanding what action you should take when you receive one is equally important. Armed with this knowledge, we can all take proactive steps towards increasing our online safety and avoiding potentially damaging emails sent to our names.
However, if you need a helping hand, simply send us a message at [email protected] or call us on 0800 389 6798. Our IT support services for businesses include everything from cyber security, cloud computing, and IT compliance to IT infrastructure support, and more. We love working with our IT support clients and using our IT knowledge and experience to make their lives easier. We take care of the tech stuff so you can focus on what you do best. You can contact us by clicking here.