Understanding and Preventing Email Spoofing Attacks

Email Spoofing blog banner

Now that most people are familiar with and thus able to avoid standard phishing attacks, malicious actors have shifted to something more insidious. Email spoofing, which is a form of spear phishing, is an attack in which attackers impersonate someone the target knows, is a much more subtle way to compromise a user’s credentials or device. Like phishing, however, once you know the signs of a spoofed email and train other users on how to spot them, addressing the issue is often straightforward.

What is email spoofing?

Email spoofing is when an attacker sends an email to a user that impersonates someone else, generally someone the user knows. Often, this person is a supervisor, manager, or executive at the same company. Because of email headers, the user’s email software displays an email address that looks legitimate to the average user, who is unlikely to look closely at the address if the name is familiar. 

Because users trust people within their organizations, they are highly likely to complete an action as instructed in the email. This might be simply clicking on a malicious link that installs malware, or it could be purchasing hundreds of dollars in gift cards and sending them to a provided address. While this is similar to phishing, the two attacks are distinct. Although phishing emails also aim to spread malware or compromise users, their primary purpose is theft. Spoofing emails, in contrast, are only impersonations that can lead to phishing attacks. Email spoofing attacks might also request user credentials, and if those credentials are shared, the organization’s security and data are at risk. 

Check out another type of spoofing in IT, geo-spoofing.

How does email spoofing work?

Attackers are able to forge email addresses due to a lack of security in Simple Mail Transfer Protocol (SMTP), which does not support encryption, authentication, or other similar security measures. If you’re using Gmail or Outlook, for example, you’re using SMTP, so it’s not difficult for an attacker to find and compromise an SMTP server. Once he has a server, the attacker will then begin adjusting the header of an email. 

In the header, there is a designated space for the sender’s identity (Mail From). Because SMTP lacks authentication protocols, an attacker can very easily change the listed email address in the Mail From line. There are a few details an attacker must consider, such as whether the domain being used is legitimate, whether there is any quarantine or other protection around that domain, and whether the SMTP server has been set up correctly. Failing to consider these will land the email in the victim’s spam folder.

However, supposing that an attacker has a properly configured server and chooses a usable domain, the process is simple. Change the sender’s address, write up an email that looks like it might have come from a trustworthy person, ensure that any commands or prompts in the code have been adjusted for the new sender address (or just use an online tool, if he really wants to make it easy on himself), and the email spoofing begins.

How to identify spoofed emails

Given that these email spoofing schemes are so simple, it’s no surprise that their frequency is increasing. To combat these attacks, one of the best things you can do is learn to identify them and train users in the environments that you manage. Here are some things you should look for when you open emails.

  • Email Signature Accuracy: If it’s company policy to have a specific email signature, an email from another employee or supervisor ought to have one. First, check to confirm there is a signature, then confirm details. For example, make sure that the email address in the signature matches the email address in the Mail From line, and check the phone number area code. If your offices are all in one state but the phone number originates in another, this could be a red flag. 
  • Misspelled Email Address: Before clicking on attachments or responding to the email, take a quick look at that Mail From line. If a familiar domain like bestbuy.com is instead typed as betsbuy.com, it’s a spoofing email. 
  • Generic Email Address: Although many email spoofing attacks will have legitimate domains in their email addresses, sometimes the sender won’t put in the time or effort. Instead, you might receive an email from a Gmail, Outlook, or other generic domain that clearly does not match your organization’s domain or conventions.
  • Email Content: While not every urgent email is spoofed, an email that attempts to alarm you or encourages you to act immediately should be considered suspect. 

Implications and risks of email spoofing

The problem with email spoofing is that it’s both very easy for attackers to use and very convincing to the average user. If you don’t address the problem, your organization will very quickly suffer a security incident that could be very costly. 

Your organization may wind up paying large amounts of money to attackers under the assumption that any requests they make are legitimate. If an employee provides credentials, the organization’s private data is at risk. Users, whether your customers or your employees, incur a higher risk of identity theft and financial losses following any breach by a bad actor. 

Prevention techniques for email spoofing

It’s important to train users to avoid spoofed emails, but that’s usually not enough to protect your organization. Human error accounts for the vast majority of reported security incidents, so the following preventative measures may be needed to limit your risk of a successful attack. 

  • SPF (Sender Policy Framework): SPF is not the most sophisticated solution, but it’s a good start for filtering illegitimate emails. It works by using a record attached to emails that identifies your domain’s authorized servers. The receiving server must then determine, based on that record, whether the email should be allowed to come through.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): More comprehensive than SPF, DMARC provides both the record that the receiving server can analyze and instructions for what to do if the email fails to pass muster with that receiving server. It also requests reports, a useful feature if you want to know more information about the emails passing through your servers. 
  • DKIM (DomainKeys Identified Mail): DKIM focuses on authentication. The good news about this is it’s more secure than some other options; the bad news is you can break your email if you configure DKIM incorrectly. This prevention method also requires records, but it also publishes signatures to verify legitimacy. 
  • Email Filtering and Advanced Threat Protection: Deploying email filtering solutions to detect and block spoofed emails is another good preventative measure. Filters detect things like suspicious links, particular words or phrases common to spam, and the sender’s IP address reputation. Once detected, the filter will move the email to a separate folder to indicate that it may not be legitimate. Additionally, implementing advanced threat protection, which is a cloud-based application that is more sensitive than a traditional filter, can further reduce the number of illegitimate emails that you and other employees receive. 

Avoiding the dangers of spoofing

As with most things in IT, an ounce of prevention is worth a pound of cure. Anything you can do to reduce your risk of email spoofing and the likely consequent phishing attacks will save you time and money in the long run. Don’t put your organization’s financial health or your customers’ private information at risk. Use prevention methods like filtering, advanced protection, SPF, DKIM, and DMARC to provide robust email security and protect against spoofed emails.

Ultimately, the best way to prevent email spoofing is through awareness. Although prevention methods are useful, some spoofing emails can still slip through to your users. As long as the teams within your organization are aware of the threat and know what to look for, they can take steps to actively avoid and prevent security risks, thus ensuring that your organization and its data remain safe.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

Watch Demo×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Start a Free Trial of the
#1 Endpoint Management Software on G2

No credit card required, full access to all features

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).