The Human Layer Security Summit is back. Save your spot today.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

How to Prevent and Avoid Falling for Email Spoofing Attacks

  • By Maddie Rosenthal
  • 22 January 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

Email spoofing is a common way for cybercriminals to launch phishing attacks — and just one successful phishing attack can devastate your business. That’s why every secure organization has a strategy for detecting and filtering out spoofed emails.

Do you?

This article will walk you through some of the best methods for preventing email spoofing.

Want to learn more about email spoofing, how hackers do it, and how common these attacks are? Check out this article: What is Email Spoofing and How Does it Work?

And, if you’re wondering how to prevent your email address or domain from being spoofed…the first step is to enable DMARC. But, even that isn’t enough. We explain why in this article: Why DMARC Isn’t Enough to Stop Impersonation Attacks

Security awareness training

Email spoofing is a common tactic in social engineering attacks such as spear phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people’s trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment.

That means part of the solution lies in educating the people being targeted. 

It’s important to note that cyberattacks target employees at every level of a company — which means cybersecurity is everyone’s responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond. 

In this article  – What Is Email Spoofing and How Does it Work? – we looked at how an email’s header can reveal that the sender address has been spoofed.

Looking “under the hood” of an email’s header is a useful exercise to help employees understand how email spoofing works. You can see if the email failed authentication processes like SPF, DKIM, and DMARC, and check whether the “Received” and “From” headers point to different domains.

But it’s not realistic to expect people to carefully inspect the header of every email they receive. So what are some other giveaways that might suggest that an email spoofing scam is underway?

  • The email doesn’t look how you expect. The sender might be “paypal.com.” But does the email really look like PayPal’s other emails? Most sophisticated cybercriminals use the spoofed company’s branding — but some can make mistakes.
  • The email contains spelling and grammar errors. Again, these mistakes aren’t common among professional cybercriminals, but they still can occur.
  • The email uses an urgent tone. If the boss emails you, urgently requesting that you pay an invoice into an unrecognized account — take a moment. This could be CEO fraud.

You must get your whole team on board to defend against cybersecurity threats, and security awareness training can help you do this. However, Tessian research suggests that the effectiveness of security training is limited

Email provider warnings

Your mail server is another line of defense against spoofing attacks.

Email servers check whether incoming emails have failed authentication processes, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Many email providers will warn the user if an email has failed authentication. Here’s an example of such a warning from Protonmail:

This is an example of a warning issued by an email provider about email spoofing.

As part of your company’s security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team.

However, it’s not safe to rely on your email provider. A 2018 Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:

  • All except one of the email providers allowed fraudulent emails to reach users’ inboxes.
  • Only eight of the providers provided a warning about suspicious emails on their web apps. 
  • Only four of the providers provided such a warning on their mobile apps.

Authentication protocols

As noted by the Virginia Tech study, email providers often allow fraudulent emails through their filters — even when they fail authentication.

But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands.

For example, SPF lets a domain owner list which email servers are authorized to send emails from its domain. And DMARC enables domain owners to specify whether recipient mail servers should reject, quarantine, or allow emails that have failed SPF authentication. 

So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name.

But as the recipient, you can’t control whether the domain owner has properly set up its authentication records. You certainly don’t want your cybersecurity strategy to be dependent on the actions of other organizations. 

Email security software

Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address — and it might contain the same branding, tone, and content you’d expect from the supposed sender.

This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren’t good at spotting the subtle and technical indicators of a well-planned email spoofing attack. Legacy solutions like Secure Email Gateways and native tools like spam filters aren’t either. 

The best approach to tackling spoofing — or any social engineering attack — is intelligent technology. Email security solutions powered by machine learning (ML) automates the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective.

Here’s how Tessian Defender solves the problem of email spoofing:

  1. Tessian’s machine learning algorithms analyze each employee’s email data. The software learns each employee’s email style and maps their trusted email relationships. It learns what “normal” looks like so it can spot suspicious email activity.
  2. Tessian performs a deep inspection on inbound emails. By checking the sender’s IP address, email client, and other metadata, Tessian can detect indications of email spoofing and other threats. 
  3. If it suspects an email is malicious, Tessian alerts employees using easy-to-understand language.

Further reading:

Tessian Defender Data Sheet

Customer Stories

Report: To Prevent Spear Phishing Look for Impersonation

If you’d rather talk to someone about your specific challenges, you can talk to an expert at Tessian.

Maddie Rosenthal
[if lte IE 8]
[if lte IE 8]