Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the intended source. Because core email protocols do not have a built-in method of authentication, it is commonplace for spam and phishing emails to use said spoofing to trick the recipient into trusting the origin of the message.
The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems, and sometimes pose a real security threat.
As an example, a spoofed email may purport to be from a well-known retail business, asking the recipient to provide personal information like a password or credit card number. The fake email might even ask the recipient to click on a link offering a limited time deal, which is actually just a link to download and install malware on the recipient’s device.
One type of phishing – used in business email compromise – involves spoofing emails from the CEO or CFO of a company who works with suppliers in foreign countries, requesting that wire transfers to the supplier be sent to a different payment location.
How Email Spoofing Works
Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) does not provide a mechanism for address authentication. Although email address authentication protocols and mechanisms have been developed to combat email spoofing, adoption of those mechanisms has been slow.
Reasons for Email Spoofing
Although most well-known for phishing purposes, there are actually several reasons for spoofing sender addresses. These reasons can include:
- Hiding the sender’s true identity – though if this is the only goal, it can be achieved more easily by registering anonymous mail addresses.
- Avoiding spam block lists. If a sender is spamming, they are bound to be block listed quickly. A simple solution to this problem is to switch email addresses.
- Pretending to be someone the recipient knows, in order to, for example, ask for sensitive information or access to personal assets.
- Pretending to be from a business the recipient has a relationship with, as means of getting ahold of bank login details or other personal data.
- Tarnishing the image of the assumed sender, a character attack that places the so-called sender in a bad light.
- Sending messages in someone’s name can also be used to commit identity theft, for example, by requesting information from the victims financial or healthcare accounts.
Email Spoofing Protections
Since the email protocol SMTP (Simple Mail Transfer Protocol) lacks authentication, it has historically been easy to spoof a sender address. As a result, most email providers have become experts at detecting and alerting users to spam, rather than rejecting it altogether. But several frameworks have been developed to allow authentication of incoming messages:
- SPF (Sender Policy Framework): This checks whether a certain IP is authorized to send mail from a given domain. SPF may lead to false positives, and still requires the receiving server to do the work of checking an SPF record, and validating the email sender.
- DKIM (Domain Key Identified Mail): This method uses a pair of cryptographic keys that are used to sign outgoing messages, and validate incoming messages. However, because DKIM is only used to sign specific pieces of a message, the message can be forwarded without breaking the validity of the signature. This is technique is referred to as a “replay attack”.
- DMARC (Domain-Based Message Authentication, Reporting, and Conformance): This method gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, and what actions to take when dealing with mail that fails authentication. DMARC is not yet widely used.
How Emails are Spoofed
The easiest way to spoof mails is for the attacker finds a mail server with an open SMTP (Simple Mail Transfer Protocol) port. SMTP lacks any authentication so servers that are poorly configured have no protection against prospective cyber criminals. It’s also the case that there is nothing stopping a determined attackers from setting up their own email servers. This is very common in In cases of CEO/CFO fraud. Attackers will register domains easily confused for the company they are impersonating, where the email is originating from – e.g. “@exarnple.com” instead of “@example.com”. Depending on the formatting of the email, it might be extremely difficult for a regular user to notice the difference.
Although email spoofing is effective in forging an email address, the IP address of the computer sending the mail can generally be identified from the “Received:” line in the email header. This is frequently due to an innocent third party becoming infected by malware, which hijacks the system and sends emails without the owner even realizing it.