See a sneak peek of Tessian in action featuring admin and end user experiences. Watch the Product Tour →
Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
Email spoofing is a common way for cybercriminals to launch phishing attacks — and just one successful phishing attack can devastate your business. That’s why every secure organization has a strategy for detecting and filtering out spoofed emails. Do you?
This article will walk you through some of the best methods for preventing email spoofing. Want to learn more about email spoofing, how hackers do it, and how common these attacks are? Check out this article: What is Email Spoofing and How Does it Work?
And, if you’re wondering how to prevent your email address or domain from being spoofed…the first step is to enable DMARC. But, even that isn’t enough. We explain why in this article: Why DMARC Isn’t Enough to Stop Impersonation Attacks.
Email spoofing is a common tactic in social engineering attacks such as spear phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people’s trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment. That means part of the solution lies in educating the people being targeted.
It’s important to note that cyberattacks target employees at every level of a company — which means cybersecurity is everyone’s responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond.
In this article – What Is Email Spoofing and How Does it Work? – we looked at how an email’s header can reveal that the sender address has been spoofed.
Looking “under the hood” of an email’s header is a useful exercise to help employees understand how email spoofing works. You can see if the email failed authentication processes like SPF, DKIM, and DMARC, and check whether the “Received” and “From” headers point to different domains.
Take a look at the example below. See how the “Return-Path”, “From”, “Errors-To”, and “Reply-To” fields (from “disney.com”) differ from the “Received” field (from “cybercrime.org”).
Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set up? Check out this website.
Although email headers can provide valuable indicators that an email has been spoofed, it’s obviously not realistic to expect people to carefully inspect the header of every email they receive.
So what are some other giveaways that might suggest that an email spoofing scam is underway?
You must get your whole team on board to defend against cybersecurity threats, and security awareness training can help you do this. However, Tessian research suggests that the effectiveness of security training is limited.
Your mail server is another line of defense against spoofing attacks. Email servers check whether incoming emails have failed authentication processes, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
In the “spoofed email header” we provided above, you can see that the spoofed email failed DMARC, SPF, and DKIM checks. Many email providers will warn the user if an email has failed authentication. Here’s an example of such a warning from Protonmail:
As part of your company’s security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team. However, it’s not safe to rely on your email provider. A Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:
Even the most powerful companies in the world get spoofed, and email filters frequently let these spoofed emails sail through their filters. In October 2021, for example, security experts warned of a highly convincing Amazon spoof email designed to steal customers’ personal and financial information. The email arrived from the domain “firstname.lastname@example.org”
And in March 2021, a widespread email spoofing campaign targeting C-suite executives was uncovered. The attackers created spoofed spear phishing emails that evaded “Office 365’s native defenses and other email security defenses.”
As noted by the Virginia Tech study, email providers often allow fraudulent emails through their filters — even when they fail authentication. But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands.
For example, SPF lets a domain owner list which email servers are authorized to send emails from its domain. And DMARC enables domain owners to specify whether recipient mail servers should reject, quarantine, or allow emails that have failed SPF authentication.
So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name.
But as the recipient, you can’t control whether the domain owner has properly set up its authentication records. You certainly don’t want your cybersecurity strategy to be dependent on the actions of other organizations. Want more information? Check out our eBook on this topic, Why DMARC and Authentication Records are Failing to Stop Spear Phishing.
Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address — and it might contain the same branding, tone, and content you’d expect from the supposed sender.
This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren’t good at spotting the subtle and technical indicators of a well-planned email spoofing attack. Legacy solutions like Secure Email Gateways and native tools like spam filters aren’t either. The best approach to tackling spoofing — or any social engineering attack — is intelligent technology.
An email security solution powered by machine learning (ML) will automate the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective.
Here’s how Tessian Defender solves the problem of email spoofing: