Email spoofing is a technology used in spam and phishing attacks to fool users into believing a message came from someone or something they know or can trust. Spoofing attacks involve the sender forging email headers so that client software displays the forged sender address, which most users accept at face value.
Users see the forged sender in a message unless they inspect the header more closely. They are more likely to trust a name they recognize. As a result, they will click on malicious links, open malware attachments, send sensitive information, and even wire corporate funds.
Because of the way email systems are designed, email spoofing is possible. The client application assigns a sender address to outgoing messages; outgoing email servers have no way of knowing whether the sender address is legitimate or spoofed.
Antimalware software and recipient servers can assist in detecting and filtering spoofed messages. Regrettably, not all email services have security protocols in place. Nonetheless, users can examine the email headers included with each message to determine whether the sender address is forged.
A Brief History of Email Spoofing
Email spoofing has been a problem since the 1970s due to the way email protocols work. It began with spammers who used it to circumvent email filters. The problem became more prevalent in the 1990s, then expanded to become a global cybersecurity issue in the 2000s.
In 2014, security protocols were implemented to combat email spoofing and phishing. As a result of these protocols, many spoofed email messages are now routed to user spamboxes or are rejected and never delivered to the recipients’ inboxes.
How Email Spoofing Works
The primary objective of spoofing is to fool users into thinking the email is from someone they know or can trust—usually a colleague, vendor, or brand. Taking advantage of that trust, the attacker requests that the recipient divulge information or perform some other action.
An attacker, for example, could send an email that appears to be from PayPal. The message informs the user that their account will be suspended if they do not click a link, log in to the site, and change their password. If the user is successfully duped and enters credentials, the attacker now has the credentials to authenticate into the targeted user’s PayPal account and potentially steal money from the user.
More sophisticated attacks target financial employees and use social engineering and online reconnaissance to trick a targeted user into sending millions of dollars to the attacker’s bank account.
A spoofed email message appears legitimate to the user, and many attackers will use elements from the official website to make the message more credible. And here is an example of a PayPal phishing attack using a spoof email sender:

When a user sends a new email message using a standard email client (such as Microsoft Outlook), the sender address is automatically entered. An attacker, on the other hand, can send messages programmatically using basic scripts in any language that configure the sender address to any email address of choice. Email API endpoints enable a sender to specify the sender address regardless of whether or not the address exists. Furthermore, outgoing email servers are unable to determine whether the sender address is legitimate.
The Simple Mail Transfer Protocol is used to retrieve and route incoming email (SMTP). When a user presses the “Send” button in an email client, the message is first routed to the outgoing SMTP server configured in the client software.
The SMTP server recognizes the recipient domain and forwards the message to the domain’s email server.
The message is then routed to the correct user’s inbox by the recipient’s email server. The IP address of each server is logged and included in the email headers for each “hop” an email message takes as it travels across the internet from server to server. Although these headers reveal the true route and sender, many users fail to check them before interacting with an email sender.
The following are the main components of an email:
- The address of the sender
- The address of the recipient
- The message’s body
The Reply-To field is another component that is frequently used in phishing. This field can also be configured by the sender and used in a phishing attack. The Reply-To address instructs client email software where to send a response, which can differ from the sender’s address.
Again, neither email servers nor the SMTP protocol validate whether this email is legitimate or forged. It is the user’s responsibility to recognize that the response is being sent to the incorrect recipient.
- AbdulTech Online | Email Spoofing
Take note of the email address in the From sender field, which appears to be from Bill Gates (b.gates@microsoft.com). There are two sections to go over in these email headers. The “Received” section shows that the email was handled by the email server email.random-company.nl, which is the first indication that the email is forged.
However, the best field to examine is the Received-SPF section, which has a “Fail” status. The Sender Policy Framework (SPF) is a security protocol that was established as a standard in 2014. It works in conjunction with DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop malware and phishing attacks.
SPF can identify spoofed email and is used by most email providers to resist phishing. However, it is the domain holder’s responsibility to use SPF. To use SPF, a domain owner must create a DNS TXT entry that lists all IP addresses that are authorized to send email on behalf of the domain.
When this DNS entry is configured, recipient email servers check the IP address when they receive a message to ensure that it matches the authorized IP addresses for the email domain. If a match is found, the Received-SPF field displays a PASS status. If no match is found, the field shows an FAIL status. When receiving an email with links, attachments, or written instructions, recipients should check this status.
Email Spoofing and Phishing Statistics
Email clients configured to use SPF and DMARC will automatically reject or route emails that fail validation to the user’s spambox. Attackers target individuals and businesses, and a single successfully deceived user can result in the theft of money, data, and credentials.
It’s no surprise that phishing is one of the most common cyber attacks today. Consider the following data:
Every day, 3.1 billion domain spoofing emails are sent. More than 90% of cyber-attacks begin with an email message. Since 2016, email spoofing and phishing have cost the global economy an estimated $26 billion.
In 2019, the FBI reported that 467,000 cyber-attacks were successful, with email accounting for 24% of them. The average scam defrauded users of $75,000 on average.
CEO fraud, also known as business email compromise, is a common attack that employs email spoofing (BEC). In BEC, the attacker impersonates a business executive or owner by spoofing the sender’s email address. This type of attack usually targets a financial, accounting, or accounts payable employee.Even intelligent, well-intentioned employees can be duped into sending money when the request comes from someone they trust, particularly an authority figure. Here are a few well-known examples of phishing scams:
- An attacker posing as city manager Steve Kanellakos duped the Canadian City Treasure into transferring $98,000 from taxpayer funds.
- Mattel was duped into sending $3 million to a Chinese account, but it was able to recoup the funds after the defrauded financial executive confirmed that the email message was not sent by the CEO, Christopher Sinclair.
- The Crelan bank in Belgium was duped into sending €70 million to the attackers.
How to Protect from Email Spoofing
- Don’t ever click a link to a website that requires you to authenticate. Always enter the official domain into your browser and log in directly on the site.
- The steps for viewing email headers differ depending on the email client, so look up how to view email headers for your inbox software first. Then, open the email headers and look for the Received-SPF section, which should have a PASS or FAIL response.
- Copy and paste an email message’s content into a search engine. The text used in a typical phishing attack has almost certainly already been reported and published on the Internet.
- Be wary of emails purportedly from an official source that have poor spelling or grammar.
- Avoid opening attachments from unknown or suspicious senders.
- Emails promising riches—or anything else that sounds too good to be true—are almost certainly a scam.
- Be wary of emails that convey a sense of immediacy or danger. Phishing and BEC attacks frequently attempt to exploit recipients’ natural skepticism by implying that something bad will occur if they do not act quickly. If the message warns of pending account closures, scheduled payment failures, or suspicious activity on one of your financial accounts, proceed with caution. Navigate to the website using your browser.