Let’s start with a definition of email spoofing.
Email spoofing involves a person forging an email’s sender address. If you receive a spoofed email, the real sender isn’t the person who appears in the “From” field. Instead, it’s likely a hacker.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails… they can still slip through.
Keep reading to find out:
If you’re here to learn how to prevent email spoofing, check out this article instead: How to Prevent Email Spoofing.
You might be wondering why someone would want to spoof another person or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person.
Most commonly it is used for activities such as:
Now let’s look at the technical process behind email spoofing.
First, we need to distinguish between “email spoofing,” and “domain impersonation.” Sometimes these two techniques get conflated.
Here’s the difference:
When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from. When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes.
But, this information is not as reliable as you might think.
An email consists of several parts:
Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header, to make it seem like someone else has sent it.
Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works.
Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “cybercrime.org.”
But now look at the parts highlighted in yellow — the “Return-Path,” “From,” and “Reply-To” headers — which all point to “Mickey Mouse,” or “[email protected]”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged.
The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks that depend on the domain owner protecting its domain. In this case, the spoof email failed two important authentication processes (also highlighted in blue, above):
As you can see, DMARC, SPF, and DKIM all = none. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address [email protected]disney.com. But we know from the header that it actually came from cybercrime.org.
This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here.
Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set-up? Check out this website.
Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year.
A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report.
In 2019, the IC3 reported that:
Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email.
Now you understand what email spoofing is, and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.