What Is Email Spoofing and How Does It Work?

Email spoofing is a deceptive technique in which the sender's identity or address in an email is forged or altered so the message appears to come from a trusted or legitimate source rather than the actual sender. It is essentially a form of identity fraud: the attacker pretends to be someone they are not, potentially compromising an organization's email security. Scammers commonly use email spoofing to hide the true origin of a message, which in turn increases the chances that the recipient will respond as the scammer hoped.


Email spoofing motivations

The motivations and uses for email spoofing are diverse, ranging from nuisance to serious criminal activity.

Malicious intentions

  • Phishing and Data Theft. Spoofing is a cornerstone of phishing attacks, where the goal is to trick recipients into revealing sensitive information such as login credentials (usernames and passwords), credit card numbers, bank account details, social security numbers, or other personal data. By appearing trustworthy, the spoofed email makes the victim more likely to respond to these requests.
  • Malware Distribution. Attackers use spoofed emails to distribute malware, including viruses, spyware, trojans, and ransomware. The deceptive sender increases the likelihood that recipients will open malicious attachments or click dangerous links, thereby infecting their computers or networks.
  • Financial Fraud and Funds Theft. A significant motivation is financial gain, often through business email compromise schemes. This involves tricking employees, especially those in finance, into approving fraudulent wire transfers, sending money, making unauthorized purchases, or revealing payment information to the attacker's account. Account takeover (ATO) attacks also fall into this category.
  • Hiding Identity and Anonymity. Spoofing allows scammers and malicious users to conceal their true origin and identity, making it harder for them to be discovered, shut down, or prosecuted. This anonymity increases the chances of recipients responding to spam, phishing, or malware-laden emails.
  • Bypassing Email Filters. Attackers spoof email addresses to evade spam filters, as emails from seemingly trusted sources are less likely to be flagged as spam and more likely to reach the recipient's inbox.
  • Tarnishing Reputation and Spreading Disinformation. Spoofed emails can be used to damage the reputation of the assumed sender or their organization by sending out malicious links, false information, or statements that make them appear compromised or have ill intent. This can also extend to manipulating stock prices or influencing public opinion.
  • Personal Damage and Threats. In some cases, the intent is personal, such as gaining access to a target's computer data, business contacts, or social media accounts. Spoofing can be used to send out fake emails appearing to come from the target, corroding the trust of their contacts. It can also be used for harassment, threats, extortion, or blackmail.
  • Espionage. Both corporate and state-sponsored actors may use email spoofing to gain access to trade secrets, intellectual property, or sensitive government information.

Legitimate uses

While most often used with malicious intent, spoofing can also be used legitimately. One example is "authorized" or "on-behalf-of" sending: CRMs, marketing platforms, and ticketing systems legitimately set the "From" or "Reply-To" address to the brand's domain, with proper SPF/DKIM/DMARC alignment (or SRS for forwarded emails). This looks like spoofing but is authenticated and contractually authorized.

How email spoofing works

Email spoofing is possible primarily because the Simple Mail Transfer Protocol (SMTP), the main protocol used for sending email, includes no built-in mechanism to verify the sender's identity. The underlying Internet mail protocols were built on implicit trust, focusing on reliable delivery rather than on content security or sender verification.

Here's a breakdown of how email spoofing works:

  • Forgery of Email Headers. Attackers use software tools, basic scripts, or a direct connection to an SMTP server to set arbitrary values in specific header fields. The manipulated fields include the "From," "Reply-To," and "Return-Path" addresses. A normal email client fills in the sender address automatically, but the outgoing mail server usually cannot tell whether that address is legitimate or forged.
  • SMTP's Lack of Authentication. When an email is sent via SMTP, the initial exchange supplies two pieces of address information: "MAIL FROM" (the envelope sender, which the receiving server records as the Return-Path header) and "RCPT TO" (the recipient's address). The sending system then issues the "DATA" command and transmits the message itself, whose headers include "From," "Reply-To," and "Sender." By default, nothing checks that the sender is authorized to use any of these addresses. The recipient's email client therefore displays the forged address from the "From:" header, and the message appears authentic.
  • Separation of Envelope and Header. An email effectively has two parts related to addressing: the header (what the recipient sees) and the SMTP envelope (the information servers use for delivery). Crucially, the two do not have to match for the email to be delivered. Because mail servers do not by default require the envelope and header to agree, and recipients rarely scrutinize the technical details in the full header, spoofing is relatively easy.
  • Exploiting Open Relays. Some mail servers, especially older or misconfigured ones, act as "open relay servers." These servers allow anyone with the necessary knowledge to connect and send messages that appear to be from any address of their choice, whether valid or fictitious. Even if a mail server uses an SMTP service extension for authentication, it doesn't prevent authenticated users (e.g., those with compromised accounts) from sending spoofed emails.
  • Bolstering Credibility. To make spoofed emails more convincing, attackers may copy a legitimate company's logo, branded art, and other design elements. They might also use messages and language that seem relevant to the imitated entity. While the full email header does log the IP addresses of the servers an email traverses, revealing its true route and sender, many users do not inspect these headers.

How to spot email spoofing

Email spoofing can be detected by carefully scrutinizing various elements of an email, from its technical headers to its visible content and sender information.

  • Check the Email Header for Discrepancies.
    • "From," "Reply-To," and "Return-Path" Fields. Attackers programmatically change these specific fields within the email header to make the message appear from a different source. While recipients usually see the "From" header, the "MAIL FROM" (Return-path) used for delivery is generally not visible to the end-user, and by default, no checks are done to ensure the sending system is authorized for that address.
    • "Received" Section. The full email header logs the IP addresses of the servers an email traverses. By inspecting the "Received" lines, you can identify the true route and sender. If a different domain appears here than the one in the "From" address, the email is likely forged.
    • "Received-SPF" Status. Sender Policy Framework (SPF) records list the servers authorized to send email for a domain. If an email arrives from an unauthorized server, the "Received-SPF" field shows a "Fail" or "Softfail" status, indicating a potential spoof.
  • Look for Disconnects in Sender Information.
    • Display Name vs. Email Address. A common sign of a spoofed email is when the displayed sender name does not match the actual email address, especially if the domain in the email address looks suspicious. For instance, a display name like "Amazon Support" but an email ending with a different domain, or a misspelled domain (e.g., quick0rders.com instead of quickorders.com), is highly suspicious.
    • Inconsistencies in Signatures. Check whether information in the email signature, such as a telephone number, fails to align with what is known about the purported sender.
  • Assess the Email Content and Tone.
    • Sense of Urgency or Threatening Language. Spoofed emails often use alarming, aggressive, or urgent messaging to provoke immediate action without critical thought.
    • Requests for Personal Information. Be wary of emails asking for sensitive data such as account credentials, credit card numbers, or social security numbers. Companies generally do not ask for usernames or passwords via email.
    • Unsolicited Links or Attachments. Avoid clicking links or downloading attachments from suspicious or unknown senders. Spoofed emails are often used to deliver malware or direct users to malicious websites.
    • Poor Spelling and Grammar. Professional organizations typically send well-crafted emails. Numerous errors in spelling or grammar can be a red flag.
    • Generic Greetings. Spoofed emails may use vague salutations like "Dear Customer" instead of your specific name.
  • Copy and Paste Content into a Search Engine. Text used in common phishing attacks may already be reported and published online.
  • Verify Through Alternative Channels. If an email seems suspicious, always use another method of communication to contact the supposed sender, such as calling them via phone, using interoffice chat, or visiting their official website to verify the request. Do not use contact information provided in the suspicious email itself.
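The header checks above, applied to a constructed sample message as an added example (this is not code from the article or from any Trellix product; the message, the trusted-domain list and the digit-for-letter map are all made up): it compares the From domain with Return-Path, Reply-To and the last Received hop, reads the Received-SPF result, flags look-alike domains such as quick0rders.com, and looks for urgency language in the subject.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From: claims a bank,
# while Return-Path, Received and Received-SPF point somewhere else.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.example.com with ESMTP id abc123
Received-SPF: fail (203.0.113.10 is not a permitted sender for mail-relay.example.net)
From: "Example Bank Support" <support@examp1e-bank.com>
Reply-To: helpdesk@freemail.example.org
Subject: Urgent: verify your account within 24 hours

Please confirm your password at the link below.
"""

# Constructed list of brand domains this organization trusts, and the
# digit-for-letter swaps seen in look-alike domains (quick0rders.com).
TRUSTED_DOMAINS = {"example-bank.com"}
LOOKALIKE_MAP = str.maketrans("0135", "oles")

def domain_of(header_value):
    """Lowercase domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return the header discrepancies described in the article as strings."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From"))
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    # The topmost Received line is the hop recorded by the receiving server.
    hop = re.match(r"from\s+(\S+)", msg.get("Received", ""))
    if hop and not hop.group(1).lower().endswith(from_domain):
        findings.append(f"last hop {hop.group(1)} is not in From domain {from_domain}")
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("fail", "softfail"):
        findings.append(f"Received-SPF result is {spf}")
    normalized = from_domain.translate(LOOKALIKE_MAP)
    if from_domain not in TRUSTED_DOMAINS and normalized in TRUSTED_DOMAINS:
        findings.append(f"From domain {from_domain} looks like {normalized}")
    if re.search(r"\b(urgent|immediately|within 24 hours)\b", msg.get("Subject", ""), re.I):
        findings.append("Subject uses urgency language")
    return findings
```

Return-Path and Received hops that differ from the From domain are also what legitimate third-party senders and forwarders produce, so treat each finding as a reason to investigate, not as proof of spoofing.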


How to defend against email spoofing

Use email security protocols and filters to protect your organization against email spoofing.

  • SPF, DKIM, and DMARC. These protocols work together to authenticate emails and detect forged sender addresses. Email filters check these protocols. If an email fails DMARC checks, organizations can configure policies to label, reject, quarantine, or allow it through. Google now requires SPF/DKIM on all incoming messages to Gmail accounts, and other providers are likely to follow suit.
  • Antimalware Software. Antimalware solutions can detect and block spoofed emails before they reach your inbox by identifying suspicious senders or websites.
  • Email Filters. Simple email filters can limit the number of suspicious emails that get through.
  • Secure Email Gateway. These systems filter suspicious messages and block emails from known spoofed addresses at the network level, before they impact users.
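How SPF, DKIM and DMARC combine, as an added example that is not from the article or from any Trellix product: a small evaluator of DMARC identifier alignment and policy disposition. The record, domains and authentication results are made up, the organizational-domain rule is simplified (a real evaluator consults the Public Suffix List), and the SPF and DKIM verdicts are assumed to come from real verification done elsewhere.

```python
# Organizational domain: real implementations consult the Public Suffix List;
# taking the last two labels is a simplification that suits .com-style names.
def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, mail_from_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_pass, action) for one message.
    spf_result/dkim_result are the raw 'pass'/'fail'/'none' outcomes;
    mail_from_domain is the SMTP MAIL FROM (envelope) domain and
    dkim_domain the d= tag of a verified signature ('' if none)."""
    tags = parse_dmarc(record)
    # SPF and DKIM each vouch only for their own identifier; DMARC additionally
    # requires that identifier to align with the visible From: domain.
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    # p=none means deliver anyway and only report; quarantine/reject act on it.
    return False, tags.get("p", "none")

if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=r; adkim=r"
    # Spoofer: From: claims the bank, but SPF passed only for the attacker's own
    # MAIL FROM domain and there is no DKIM signature from the bank.
    print(dmarc_disposition(record, "example-bank.com", "pass", "attacker.example", "none", ""))
    # Forwarded legitimate mail: SRS rewrote MAIL FROM to the forwarder, so SPF
    # no longer aligns, but the bank's DKIM signature survives forwarding.
    print(dmarc_disposition(record, "example-bank.com", "pass", "forwarder.example", "pass", "example-bank.com"))
```

The first call shows why an SPF "pass" on its own is not enough: the pass belongs to the attacker's envelope domain, and only alignment with the From domain lets DMARC reject it.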

Trellix Email Security delivers comprehensive protection for inbound and outbound emails, safeguarding your organization. With advanced threat detection, actionable alerts, and email claw-back capabilities, you can reduce attacks using AI, machine learning, and analytics.

Email spoofing FAQ

Email spoofing is a deceptive tactic where the sender's identity is faked to appear legitimate, often to hide the true origin and prompt a desired response from the recipient.

Email spoofing can be motivated by a range of intentions, from minor nuisances to serious criminal activities. These include:

  • Phishing and data theft
  • Malware distribution
  • Financial fraud and fund theft
  • Hiding identity and gaining anonymity
  • Bypassing email filters
  • Tarnishing reputation and spreading disinformation
  • Personal damage and threats
  • Espionage

You can detect email spoofing by carefully examining various elements of an email:

  • Check the headers for discrepancies in the "From," "Reply-To," and "Return-Path" fields, inspect the IP addresses in the "Received" lines, and note the "Received-SPF" status (Fail/Softfail)
  • Look for sender information disconnects like mismatched display names/email addresses or inconsistent signatures
  • Assess content for urgency, requests for personal info, unsolicited links/attachments, poor grammar, and generic greetings
  • Verify suspicious emails via alternative, known channels, never using contact info from the suspicious email itself

Several measures can help detect and block spoofed emails:

  • SPF, DKIM, and DMARC: These email authentication protocols help detect forged sender addresses. Email filters utilize these, allowing organizations to set policies for labeling, rejecting, quarantining, or permitting emails based on DMARC checks.
  • Antimalware Software: These solutions are designed to detect and block spoofed emails by identifying suspicious senders or websites.
  • Email Filters: Basic filters can effectively reduce the number of suspicious emails that reach user inboxes.
  • Secure Email Gateway: These systems operate at the network level to filter suspicious messages and block emails from known spoofed addresses before they affect users.
