A few days ago, I received an email from our long-time client (we built his website and redesigned it several times over the years). He wrote something like the following:
“I think someone broke into my email or website. I received this as a test. Please check it out (ASAP)!”, (and he forwarded the problematic email he received).

After we checked everything necessary (including checking his website with Virusdie), I found that no one had broken into his website (or email).

The customer had received a fake email. But he could not recognize it and his first thought was that someone had hacked him.

That’s when I realized that I need to explain the whole process of email spoofing so that you can recognize such (fake) mails, but also (and more importantly) to protect yourself from email spoofing.

So, let us start with the definition – what is email spoofing?

A scammer sets up an email address that looks like it comes from your company.

What’s the difference between phishing, spoofing and domain impersonation?

Phishing is a form of social engineering where victims get a fake message from an attacker with the intention to trick them into giving their sensitive information or even insert malicious software into their device (like ransomware for example).

Spoofing is a type of attack where somebody form an unknown source disguises himself as somebody known (trusted source) by falsifying data to gain advantage over their victim for their bad intensions.

Domain impersonation is an attack where attackers impersonate domain of some legitimate business usually by replacing one or more letters of the legitimate email with similar letters or adding a letter that is hard to notice to a legitimate email domain.

Email spoofing makes phishing even more dangerous. The Internet Crime Complaint Center (FBI) received an average of 2,000 cybercrime complaints per day with reported losses of over $4.1 billion in 2020. $216.51 million of those losses were the result of email spoofing.

Why do people spoof email?

This is an age-old problem that has been around since the 1970s. Today, it is used by spammers to bypass your inbox filters and trick you into clicking on links or downloading attachments. The problem grew at the turn of the century and remains a global cybersecurity issue today. In 2014, new security protocols were introduced to combat phishing and email spoofing.

Email spoofing is like playing with trust. Attackers want to trick users into thinking they know you or that you can trust them. Spoofers often take advantage of your trust by asking you to reveal information or take action. For example, attackers might send an email that looks like it came from PayPal. They try to trick you into believing that the email is genuine. Do not be fooled.

Email spoofing allows the criminal to access your company’s private information. Usually, the criminal has malicious intentions. This includes stealing data such as email addresses, IP addresses and passwords.

One of the worst things you can do is pretend to be someone else. Spoofing is the gateway to phishing. Pretending to be someone else is also a way to collect more information about you, such as your credit card number or medical records.

Sometimes fake email addresses are used to disguise the true sender. Switching between email accounts can help to bypass spam filters and disguise the identity of the sender.

How emails are spoofed?

– Spoofing via the Sender’s display name
– Spoofing via legitimate Domain’s name
– Spoofing via lookalike domains

Attackers can use simple scripts in any programming language to configure the sender address to their email addresses.

Email API endpoints provide an interface for sending email without relying on recipient servers to recognize the sender address as valid. And outgoing email servers do not know if the sender address is legitimate.

The SMTP protocol is used to deliver outgoing email. When a user clicks Send in an email client, the message is first sent to the outgoing SMTP server configured in the client software. The SMTP server identifies the recipient domain and forwards the message to the domain’s e-mail server.

The recipient’s email server then forwards the message to the user’s correct inbox. For each “hop” an e-mail message makes as it travels from server to server across the Internet, the IP address of each server is logged and included in the e-mail headers.

Many users do not look at the headers, so they miss an important piece of information that could help them act on your message or filter spam.

How to identify email spoofed phishing attacks?

– Check the email Header information
– Question the content of the Message

If you are using an online email account, look at the email headers and make sure it says PASS or FAIL in the Received-SPF section.

When opening email attachments, check the sender and subject line. You may need to do additional due diligence on emails that come from an email address you do not recognize.

When it comes to online security, you can never be too safe. Avoid any email that conveys a sense of urgency or danger, or any email that suggests you must act immediately to avoid negative consequences.

What to do if someone spoofs your email?

If someone spoofs your email, it’s best to report it. You can contact your customers and staff so they’re aware of the scam.

Tips and Tricks how to avoid email spoofing

You need to add three things to your email account: an SPF record, a DKIM record, and an DMARC record.

SPF stands for Sender Policy Framework and allows you to specify which servers are allowed to send email from your domain.

DKIM is short for Domain Keys Identified Mail and allows you to sign your emails with a private key to confirm their authenticity.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

Spam fighters use SPF and DKIM to ensure that emails are genuine, and they can help you protect your email account against spoofing. This is an important improvement of SPF (Sender Policy Framework), a protocol to authenticate the sender of an email.

It is very important for websites or other organizations to protect themselves from spam and phishing attacks that try to steal information.

10 more steps how you can fight this challenge:
1. Deploy an email security gateway
2. Use antimalware software
3. Use encryption to protect emails
4. Use email security protocols
5. Use reverse IP lookups to authenticate senders
6. Train employees in cyber awareness
7. Watch out for possible spoofed email addresses
8. Never give out personal information
9. Avoid strange attachments or unfamiliar links
10. Use email Signing Certificates to protect your outgoing emails

Conclusion

In October 2021, Amazon customers received a fake email that looked so real it almost tricked them into giving away their private information. The email looked so real that it was sent through the filters of powerful companies and government agencies. Even the most powerful companies get faked.

The best way to avoid becoming a victim of email spoofing is to keep your malware protection up to date and be aware of the tricks used in social engineering. If you have any doubts about the validity of an email, simply ask the sender for more information and avoid clicking on any suspicious links in such mails, but go directly to site in question via Google

———

Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.

Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.