What is Email Spoofing? How to Spot a Compromised Email

One of the first places that users look when they receive an email is the “From” line of the message. This lets users know how to prioritise incoming email and also whether an unexpected email is from someone they know.

But phishing scammers have made it harder to know exactly who is sending a message, because it can come from a completely different address than the one shown in the email window.

So far in 2020, Australians have reported losing nearly $9 million due to phishing emails.

Phishing attacks are continually evolving to avoid detection by IT security applications and users, and one of the tactics they use to fool recipients is called email spoofing.

What Exactly is Email Spoofing?

Email spoofing is when an email address is inserted into the “From” area of an email message for the purpose of deception. The email is being sent from an entirely different email server, but the sender attempts to mask that by spoofing the email address of a trusted sender.

For example, a phishing scammer might locate a list of clients of a telecom company. Then, they’ll send a phishing email to those clients, using the telecom’s email address as the “Sender.”

Recipients look at the Sender, see it’s from their telecom company and are much more likely to fall victim to the phishing scam because they trust the sender.

68% of phishing attacks impersonate brands or individuals.

How to Identify a Spoofed Email

It has come to a point where every email is now suspect. Phishing scammers continue to disguise their emails, making it more difficult for users to identify fakes.

But there are some helpful ways to spot compromised emails and avoid falling for the trick of email spoofing.

Review the Message Header Data

Many email applications on desktop, web, and mobile will show a name in the “From” line of the message rather than the email address. Even those that show the email address can still display one that’s been spoofed.

You need to dig a little deeper by viewing the message’s raw source or header data to confirm that the displayed sender matches where the email actually came from.

If you’re using Outlook in Microsoft 365, open the message in a new window and go to File > Properties. Other programs will have this feature under menu items such as “view header” or “view source.”

Here are some of the areas you’ll see in the message source data:

  • Return-Path
  • Reply-To
  • Received from
  • Source IP address or “X-Origin”

You’ll want to review each email address you see in the header data to see if anything strange stands out, like domains that don’t match the sender.
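The header review described above can be automated. The following is an added example, not code from the original article or from GKM2: it uses only Python’s standard library to compare the visible From domain with the Return-Path, Reply-To and the oldest Received hop. Both sample messages, the domains and the IP addresses in them are constructed for the example.

```python
# Added example (not part of the original article): a header consistency check
# built on Python's standard library. It compares the visible From domain with
# Return-Path, Reply-To and the oldest Received hop, which is where the message
# first entered the mail system. All sample messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spoofed message: From claims telco-example.com, everything else disagrees.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
Received: from mail-relay.example-isp.net (mail-relay.example-isp.net [203.0.113.10])
\tby mx.example.com with ESMTP id abc123; Mon, 1 Jun 2020 10:00:00 +1000
Received: from unknown (HELO webmail) (198.51.100.7)
\tby mail-relay.example-isp.net; Mon, 1 Jun 2020 09:59:58 +1000
From: "Telco Billing" <billing@telco-example.com>
Reply-To: billing-support@telco-example-helpdesk.com
To: customer@example.com
Subject: Your account is suspended

Please log in to restore your account.
"""

# Constructed legitimate message for comparison: every header agrees with From.
CLEAN_MESSAGE = """\
Return-Path: <billing@telco-example.com>
Received: from smtp.telco-example.com (smtp.telco-example.com [203.0.113.25])
\tby mx.example.com with ESMTP id def456; Mon, 1 Jun 2020 11:00:00 +1000
From: "Telco Billing" <billing@telco-example.com>
To: customer@example.com
Subject: Your monthly invoice

Your invoice is attached.
"""

# "from <host> <extra info> by ..." is the shape of a Received header.
RECEIVED_RE = re.compile(r"\s*from\s+(\S+)\s*(.*?)\s*\bby\b", re.IGNORECASE | re.DOTALL)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """(host, extra-info) for each Received header, in header order (newest first)."""
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.match(value)
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def analyse_headers(raw_message):
    """Return the From domain, hop count and a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(name))
        if other and other != from_domain:
            findings.append(f"{name} domain {other} does not match From domain {from_domain}")
    hops = received_hops(msg)
    if hops:
        # Only the Received lines added by your own servers are trustworthy; the
        # bottom-most line still shows where the message claimed to originate.
        origin_host, origin_info = hops[-1]
        if from_domain not in origin_host and from_domain not in origin_info:
            findings.append(f"origin {origin_host} {origin_info} is unrelated to {from_domain}")
    return {"from_domain": from_domain, "hops": len(hops), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyse_headers(raw))
```

A mismatch in Return-Path or Reply-To is not proof of spoofing on its own (bulk mailers and ticketing systems legitimately use different domains), but several mismatches together, as in the spoofed sample, are exactly the “strange” pattern the article tells you to look for. Keep in mind that only the Received lines written by your own mail servers can be trusted; anything below them was supplied by the sender.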

Look for Slight Misspellings

Another form of spoofing is when a domain is slightly misspelled, and the hacker uses that domain to send a message. In this case you might see [email protected] when the actual address it’s spoofing is @worldhealth.com (with the “L”).

It’s easy to mistake a deliberate misspelling like this for the real thing, so users need to very carefully review email addresses for any mistakes.
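Checking addresses “very carefully” is something software does better than tired eyes. The block below is an added example, not from the original article or from GKM2: it reduces a domain to a visual skeleton (so a capital I, a digit 1 or a Cyrillic о all compare equal to the Latin letter they imitate) and then measures edit distance against a list of trusted domains. The trusted list, the confusable table and the sample addresses are constructed assumptions.

```python
# Added example (not part of the original article): spot sender domains that
# imitate a trusted domain through confusable characters or a one-character
# typo. The trusted list and the sample addresses are constructed.

TRUSTED_DOMAINS = {"worldhealth.com", "telco-example.com"}

# Substitutions applied, in order, to reduce a domain to a visual "skeleton".
# Multi-character sequences go first so 'rn' is folded before single letters.
CONFUSABLE_RULES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("I", "l"),                                  # sans-serif capital I looks like lowercase l
    ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),   # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),   # Cyrillic r, s, h
]


def skeleton(domain):
    """Collapse look-alike characters so visually identical strings compare equal."""
    s = domain.strip()
    for old, new in CONFUSABLE_RULES:
        s = s.replace(old, new)
    return s.lower()


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ('trusted', d), ('lookalike', imitated_domain) or ('unknown', None)."""
    d = domain.lower()
    if d in trusted:
        return ("trusted", d)
    sk = skeleton(domain)
    for t in trusted:
        t_sk = skeleton(t)
        if sk == t_sk or levenshtein(sk, t_sk) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)


def classify_address(address, **kwargs):
    """Classify the domain part of an email address."""
    return classify_domain(address.rpartition("@")[2], **kwargs)


if __name__ == "__main__":
    for sample in ("alerts@worldhealth.com", "alerts@worIdhealth.com",
                   "alerts@wor1dhealth.com", "alerts@wordhealth.com",
                   "alerts@w\u043erldhealth.com", "alerts@example.org"):
        print(sample, "->", classify_address(sample))
```

The distance threshold of one edit suits domains of a dozen characters or more; for very short trusted domains it should be lowered to zero, otherwise unrelated names start to collide.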

Use Email Authentication

Because of the growing problem with email spoofing being used in phishing, many email services (like Microsoft’s) have improved their spoof detection capabilities. This includes enabling email authentication through three methods: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).

These three protocols are set up for a company’s mail domain and work together: they detect whether an email is being sent from an IP address approved for the domain (SPF), whether it has been altered in a way that would indicate spoofing (DKIM), and whether those results line up with the domain shown in the “From” line (DMARC).

Enabling SPF, DKIM, and DMARC helps in two important ways:

  • Stops spoofed emails from being delivered to user inboxes
  • Alerts your company if a spammer is trying to spoof your email domain
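To make the two benefits above concrete, here is an added example (not from the original article or from GKM2) of how a receiving server evaluates SPF and reads a domain’s DMARC policy. Live DNS lookups are replaced by a constructed in-memory table so the code runs offline; the domains, records and addresses are hypothetical. It places a weak configuration (an SPF record ending in `+all`, which authorises any sender, and a DMARC policy of `p=none`) next to a strict one (`-all` with `p=reject`), so you can see why only the strict one actually stops a spoofed message.

```python
# Added example (not part of the original article): how a receiving server
# evaluates SPF and reads a domain's DMARC policy. Live DNS lookups are
# replaced by a constructed in-memory table so the code runs offline; the
# domains and addresses are hypothetical.
import ipaddress

# Constructed TXT records. weak-example.com publishes a permissive SPF ("+all",
# which authorises any sender) and a monitor-only DMARC policy; strict-example.com
# lists exactly its own range plus a mail provider and rejects everything else.
DNS_TXT = {
    "weak-example.com": "v=spf1 ip4:203.0.113.0/24 +all",
    "_dmarc.weak-example.com": "v=DMARC1; p=none; rua=mailto:dmarc@weak-example.com",
    "strict-example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer-example.net -all",
    "_spf.mailer-example.net": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
    "_dmarc.strict-example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@strict-example.com",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Supports ip4, ip6, include and all; a, mx and exists need live DNS and are
    skipped here. Returns pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                        # RFC 7208 limits DNS-querying mechanisms
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # Comparing an IPv6 address against an IPv4 network is simply False.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = spf_check(argument, sender_ip, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


def dmarc_tags(domain):
    """Parse the DMARC record for `domain` into a tag dictionary (None if absent)."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def disposition(from_domain, sender_ip):
    """Simplified DMARC outcome as (spf_result, policy, action).

    Real DMARC also accepts a valid, aligned DKIM signature; only SPF is modelled
    here, and checking the From domain directly gives SPF alignment for free.
    """
    spf = spf_check(from_domain, sender_ip)
    tags = dmarc_tags(from_domain)
    policy = tags.get("p", "none") if tags else "none"
    if spf == "pass":
        return (spf, policy, "deliver")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return (spf, policy, action)


if __name__ == "__main__":
    for domain in ("weak-example.com", "strict-example.com"):
        print(domain, "from 192.0.2.50 ->", disposition(domain, "192.0.2.50"))
```

The `rua=` tag is what delivers the second benefit in the list: receivers send aggregate reports to that address, which is how a company learns that someone is trying to send mail as its domain. A policy of `p=none` produces those reports but still lets the spoofed mail through; `p=quarantine` or `p=reject` is what keeps it out of inboxes.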

Use Phishing Detection Best Practices

Email spoofing is used to get recipients to fall for a phishing email. These will usually include links to malicious websites or can contain a dangerous file attachment.

Employees who follow good phishing-awareness practices can identify a spoofed email by checking other parts of the message that indicate it’s a fake. These include:

  • Hovering over links to reveal the real URL
  • Reviewing emails for poor grammar/spelling
  • Asking, “Is this email unexpected or unusual?”
  • Looking for phishing tactics like threats, urgency, emotional ploys
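The first item in that list, hovering over a link to reveal its real URL, can be applied to a whole message at once. The block below is an added example, not from the original article or from GKM2: it extracts every link from an HTML email body and flags links whose visible text names one site while the destination is another, as well as links that go to a bare IP address. The sample HTML and the domains in it are constructed.

```python
# Added example (not part of the original article): the programmatic version of
# "hover over the link to see where it really goes". It pulls every link out of
# an HTML email body and flags ones whose visible text names a different site
# than the real destination, or whose destination is a bare IP address. The
# sample HTML is constructed.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """\
<p>Your invoice is ready.</p>
<p><a href="https://account-verify.example-phish.net/login">https://www.telco-example.com/billing</a></p>
<p><a href="https://www.telco-example.com/help">Help centre</a></p>
<p><a href="http://198.51.100.7/x">Click here to confirm</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host name of a URL; accepts 'www.example.com/...' without a scheme."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def site_of(host):
    """Crude registrable domain (last two labels). Production code should use
    the public suffix list so that e.g. example.com.au is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return a list of (href, reason) findings for suspicious links."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        if is_ip_literal(real_host):
            findings.append((href, "destination is a bare IP address"))
            continue
        # Only compare when the visible text itself looks like a URL.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown_host = host_of(text)
            if site_of(shown_host) != site_of(real_host):
                findings.append((href, f"text shows {shown_host} but link goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_HTML):
        print(reason, "->", href)
```

A link whose text reads as one URL but resolves to another is the classic sign the article’s hover check is meant to catch; the “Help centre” link, whose text is plain words, is left alone because there is nothing to compare it against.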

Use a Good Anti-Spam/Anti-Phishing Application

Detection technologies continue to evolve to keep up with new types of phishing attacks. Ensure that user devices (including mobile devices) are protected by a good anti-spam and anti-phishing application that can quarantine spoofed messages automatically to help keep them out of user inboxes.

Could Your Email Security Use Some Help?

Email authentication is now becoming a priority for many businesses, not only to help combat incoming email spoofing, but to ensure their messages make it through to clients. GKM2 can help you set it up!

Contact us today for a free consultation. Call +61 2 9161 7171 or reach out online.