A lot of malicious entities spoof their email to hide their identity and try to scam your company. Email spoofing isn’t sophisticated. It also doesn’t need high-end cybercriminals. That said, it’s still annoying and exhausting to avoid if you don’t have good solutions.
Currently, cybercriminals attempt email spoofing in 4 ways:
- Different country extension
- Discreet misspell
- Misleading domain name
- Hacked sender address
Cybersecurity staff worldwide try to hunt these attacks regularly. This is because email spoofing could be dangerous. It can hurt you, and also hurt the domain or assumed domain it’s coming from.
To ensure you’re perfectly safe from these attacks, you’ll need a mixture of software solutions that will filter 90% of spoofing attacks. You’ll also need some simple cybersecurity rules for those who will read emails. In this article, I’ll guide you to learn all about email spoofing. I’ll miss on the variable coding stuff and only focus on what you might experience as a business. Later on, I’ll touch on how you can protect yourself, how email spoofing works, types of employee training, and finally some third-party software to make your life easier in this regard. Let’s start with the definition of email spoofing first.
What Is Email Spoofing?
In short, email spoofing is when cybercriminals forge the address they send the email from. This can relate to the sender’s name or even the metadata behind the email. It can be a technically sophisticated attack where cybercriminals hack and use an email server for this purpose. It can also be a low-tech scam where cybercriminals use an address that only looks like what you’d expect.
In most cases, cybercriminals use email spoofing for phishing, where they’ll try to steal your company data and access to your internal network. Here, the cybercriminal will send either links or executable files through email from an address that the company server and employees would trust.
Next, I’ll go through how each of the 4 common email spoofing attacks works and how you can recognize them during normal operations.
How Does Email Spoofing Work?
The idea behind spoofing attacks is quite simple. The malicious entity online will use the fake address to fool you into giving away your critical data. This malicious entity can be either a human cybercriminal or a malicious AI mail server.
To do this, they’ll need to surpass 2 hurdles.
- The software filtering emails with any malicious code or preventing emails that aren’t allowlisted. Companies using this type of software will stop all, but the most sophisticated spoofing attacks from ever reaching their inbox.
- The person actually reading the email. The form, wording, and links need to look organic and similar to something they’d expect from the assumed source. For example, nobody will believe that someone from Google sent them an email to say they’re strapped for cash.
Let’s see next how cybercriminals can bypass the 2 issues I discussed above.
4 Tactics to Achieve Email Spoofing
To achieve email spoofing, cybercriminals have 4 tactics to use and bypass any hurdles. I’ll now go from the most basic ones to the most sophisticated ones, each requiring more advanced security than the last.
1. Misleading Domain Name
In many cases, it’s impossible to make a similar domain to the one whose identity the cybercriminal wants to assume. That’s why they’ll fall on very desperate tactics of using misleading domain names to prop up their scam.
For instance, let’s say your company is called ExampleCompany and you have a company website at examplecompany.com. Here, the only way to receive an email from this domain is for someone to have access to your server or administrator credentials. That means you’re already hacked!
Cybercriminals can’t use this domain though, so they’ll buy an elongated form like internalexamplecompany.com and send emails from [email protected]
Cybercriminals won’t send a lot of emails from this address, and it’s not purchased by your company. Thus, it’ll be completely legitimate for the server to push this email through.
Pro Tip
- Ensure your email server flags all emails coming from outside of the company or that aren’t directly whitelisted. This will prevent almost all of these scams from working.
2. Different Country Extension
This option is a bit more advanced, as cybercriminals need to hide their WHOIS protocol that would show their information. That said, it’s often possible to use fake information with some domain retailers. It’s also possible to buy the same one as your company but with a different extension.
The most common country extension for this purpose is the Adriatic nation of Montenegro which has a helpful extension of ‘’me’’. Then, the fake domain in our running example would be examplecompany.me which would seem like something internal. United States extensions (us) are also quite frequent.
In many cases, your server will also recognize this as an external message. If the cybercriminal can attach the new domain to your own as a reroute, then it’s possible to bypass this hurdle. That’s why the company should also buy all possible country extensions under their domain name.
Pro Tip
- Buy out all domain name country extensions for your company. Most sellers will sell them in bulk for only cents per year, making this an easy solution to this problem.
3. Discreet Misspell
When attacking companies, a discreet misspelling attack is very rare. That’s because it always appears as an external address. In most cases, cybercriminals will use it against individuals. That’s why you want to prevent it, as this attack can tarnish your company’s name.
To make these attacks, cybercriminals will make a similar domain name to one that you recognize. In our case, that would be exampleconpany.com. Most people will miss that one ‘n’ replacing the ‘m’ as the mind will pass through this email very quickly.
These scams have been frequent for a while with cybercriminals using domains like goggle or facebouk to scam people. While they’re funny when you know what to look for, they’re also tricky to spot when you’re in a hurry.
Pro Tip
- Find all of the variations of your company domain name and buy them as well. In most cases, it’ll even assist your SEO and traffic. If you can’t buy the domain, blocklist it internally.
4. Hacked Sender Address
This is by far the most complicated way to do email spoofing. It requires an existing cybersecurity breach with what’s still considered a trusted server. Opportunities like this have become increasingly rare with current zero-hour cybersecurity solutions. However, you should still have protocols in place to know if this is happening.
Here, the SMTP protocol of the victim has been compromised. Then, you’ll receive emails as if they were from that sender. If they’re allowlisted, this will show them as safe and trusted. This makes this attack one of the most problematic.
Sadly, hacked sender addresses have no technical solutions. You can still avoid them though in most cases with some employee rules for your staff.
Pro Tip
- Only click on links and disclose information in a thread email you’ve started. If you get a request for critical data, escalate a problem and make someone send that address an email reaffirming the request.
Now, I’ll discuss the most frequent reason for email spoofing: email phishing. I’ll list the types of email phishing, how they can look, and how to protect your company from them.
What Is Email Phishing?
Phishing emails are nothing more than scams where people try to hide links and executable files in something you might overlook and trust. They look like regular emails and will usually spell some sort of urgency.
| Your computer is under threat right now. If you want to protect yourself with just one click, follow the LINK HERE. |
That said, unlike us, they won’t try to push you to subscribe to a newsletter that actually has some useful information. Cybercriminals will try to get your emails, passwords, and other private information to rob you. Otherwise, they may steal your identity, so someone else can rob you.
In conclusion, phishing emails are very dangerous. That’s especially in companies receiving dozens or hundreds of emails per person every day. Now, let’s learn about the types of email phishing.
4 Types of Email Phishing
In many cases, phishing attacks will border on silly. We all know the “Nigerian Prince” scam. They cast a wide net, so everyone would probably notice them on a first read.
Some techniques will target your company much more precisely though. The scammer might know the name and position of the person tasked with reading the email. After that, the scammer uses a phishing email to trick the employee into thinking they’re their boss.
Phishing comes in 4 different types. Each of these will have its own specific approach. Still, take note that approaches here have few technical requirements. They also fall into the storytelling art form by the scammer, not strictly coding prowess by the hacker.
1. Tech Support Phishing Scams
Many companies rely on their tech support to have their systems operating and everything working. Some techies are also very sociable. Chances are, they speak very directly if any issues resurface. Cybercriminals know this and will try to exploit it.
Here’s an example of what a TS phishing email might look like:
| SECURITY NOTICE
Hi, Dan here from tech support. I’ve noticed that your passwords are compromised. You’ve probably clicked on something wrong. Be careful next time. Click here to confirm your identity – LINK |
Now, depending on the size of the company, you can clearly see that this email is a scam. For one, you know that you don’t have tech support. Additionally, that person could be sitting 10 feet from you. That said, in a large company, you might be in a hurry to solve this before your superiors find out. As a result, you fall for it.
To prevent this, all employees in your company need to know how to notice scam emails. Alternatively, you may need a rule for employees to respond to emails like this with a request that the solution is done in person. Your employees should also CC their manager in the thread.
2. Clone Phishing Scams
Copying an internal email without sufficient information is hard. That’s why most cybercriminals use your company’s external connections to scam you. Clone phishing is trying to copy the look and form of an official email from companies like PayPal, Google, Amazon, or similar giants you would recognize.
The idea behind this is that you won’t look closely at the domain name. You’ll also disregard that it’s coming outside of your company as expected. Once you click, you’ll execute the file. After that, you’ve sent data automatically or entered new information on a fake web page.
Still, you can easily prevent this with active allowlists. That said, even if you haven’t yet made those lists, you can simply escalate each of these instances and only reply to the thread emails your company has started.
3. Spear Phishing Scams
Spear phishing is where things get complicated. Like any good scam, this one collects data about your business beforehand. After that, it tries to leverage that information against you. These attacks are technically similar to others, but they’re more precise and dangerous because of the info collected by the hackers.
In short, the scammers will find out who works in the company, who would probably read the email sent, or which type of specific software and services the business may use. They’ll then make a custom-made phishing email targeting the person behind the screen directly.
Aside from allowlisting and software solutions that might stop this email from even reaching your inbox, the only way to prevent this scam is to have open communication inside the company. 9 out of 10 scams like this happen since the people reading and responding to emails are afraid to escalate the issue.
4. Whale Phishing Scams
This is one of the most troublesome types. It may also happen if a senior in some company has been hacked privately. Unless you have open communication in the company, this scam will usually take hold before you notice it.
With whale phishing, cybercriminals will assume the identity of some of the senior partners in the company like the CEO or CFO. They’ll then request company information from lower-rank employees.
The email sent will stress the urgency of the information. If combined with spear-phishing, it can also refer to the person that should give the information directly.
In this case, employees should be clearly instructed to request information from the official CEO email from inside the company. They should also include their manager and other higher partners in the conversation. Otherwise, these employees will be pressed to share the information with cybercriminals.
These types of emails have chances to pass through despite the best software. If you also don’t have a good, open, and relaxed company culture, the regular behavior of the CEO can be the downfall of the whole venture.
Next, I’ll go through the technical ways to protect your mail server.
How to Protect Your Business from Email Spoofing
When learning about email spoofing prevention and phishing talks, you’ll hear a lot about training and employee competency too. That’s because this is the last line of defense after software can no longer do anything. That said, good software prevents 90% of email spoofing attacks.
At the moment, every mail server should have 4 protocols to stop the spoofed emails from reaching your inbox. Free email operators like Gmail and Microsoft Outlook will have most of these options enabled by default. It’s still better though to calibrate your mail server further and make allowlist/blocklist tables. Let’s now discover the 4 protocols:
1. Sender Policy Framework (SPF)
An SPF record is something your company needs to have aside from your mail server. It’s a small piece of code to confirm that an email sent with your domain name is sent directly from your mail server. That way, you can prevent your company from becoming a source of a spoofing campaign.
As an email recipient, including the SPF checker in your inbox, will make any email sent from any place aside from the real sender ”light up”. In most cases, they’ll have a red and yellow banner over and on top of the email. This is to warn the reader to be careful.
2. Domain Keys Identified Mail (DKIM)
This protocol does automatically what I also proposed you do manually with suspicious emails. Namely, it’ll create P2P encryption to test if the email sender is the real sender. If the server is spoofed, it won’t recognize the code and the sending of the email will fail.
This is a great tool if the cybercriminal has somehow managed to piggyback on the server without getting administrative access. In those cases, the simple encryption will completely sever the cybercriminal’s ability to send spoofed emails.
3. Reporting & Conformance (DMARC)
DMARC works on top of the SPF and DKIM network. It makes something akin to a list that authenticates all domains on the network. Once it has a domain in the list, it’ll test if that domain is used elsewhere, making a sort of passive protection for both senders and recipients.
This network also keeps a list of all fraudulent or spam domains, preventing further misuse or scams at a later date. Although it’s extremely hard to remove a domain or email from the network, you can flag and remove it from your inbox if they actively use this service.
4. Secure/Multipurpose Internet Mail Extensions (S/MIME)
This protocol is based on the MIME standard that has been around for almost three decades. It’s a simple standard that encrypts messages and gives them a specific hierarchy. That way you can track them.
While its original purpose is to ensure the correct person receives an email, its utility has been proven with preventing spoofed emails from being sent as well. This especially works to prevent whale phishing since it’s possible to use it to organize hierarchies inside the company.
I can go into more technical detail, but anything more than this will cease to be relevant to your business. Next, I’ll focus on what your employees can do to avoid email spoofing as much as possible.
How Employees Can Avoid Email Spoofing
It’s much better to stop email spoofing on the technical side. However, if you can’t do that, you must also ensure you limit its negative effects. You can do this through internal employee protocols and training.
The most crucial part here is good company culture and communication. Most internal mistakes come because the people in the field don’t know how to openly report to their managers.
If you solve this, everything else is just a ”quality of life” improvement and your company will be more or less immune to scams. If you’re still on your way to reaching that point though, here are some quick solutions to help you avoid scams.
1. Use Throwaway Accounts
When applying to services that you need but don’t necessarily trust, it’s best to use the accounts once and then archive them. You should store the password with your IT tech’s password manager. Finally, only give access to a few key employees.
Through this approach, even if the external service you use is compromised, no one in the company can access the emails sent from them.
If nobody reads the emails, then cybercriminals have no one to scam.
2. Avoid Unknown Emails
Stranger/danger is a good maxim regardless of your age. The best way to avoid suspicious emails is to not talk to strangers. Especially in companies where email communication outside of the network isn’t frequent, this can be the best way to protect yourself from risk.
The issue arises if a lot of outbound email traffic is part of regular business. In those cases, you must have a low tolerance for escalations where employees should share any suspicious email with the manager and IT tech just in case.
Even here, employees should keep an eye on any email requesting anyone to share personal information, either from the customers or the company. They should then immediately escalate to someone who knows the protocol in-depth and can manage it.
3. Notify the Sender
Start a separate email chain with the sender asking if they did in fact request that information. If cybercriminals spoofed your email address, the sender will know nothing about that conversation. You’ll then alert them to the fact that they might be compromised.
If this is a business contact, a supplier, or a customer, you can also contact them via telephone to check if they’re the ones requesting something via email.
Take note that if you use the email route, you shouldn’t copy and paste the email. Type it out from memory instead. In that case, you’ll need to look carefully if you’re sending an email to Google or Goggle.
4. Don’t Click on Links
Most modern email operators block any links in the email they find malicious. That said, this isn’t a bad rule to have in general. Anything important would usually come as an attachment and you rarely have a reason to click on links.
You might have some internal requirements for sharing materials, but it’s much better to share those through co-working apps than to use email options. These apps could be Slack, Trello, or Asana.
After all, remember that phishing links are mostly powerless if you don’t click on the links.
5. Google Your Emails
Googling your emails is the simplest way to check if an email is a scam. It’s still very effective though. Copy the entire contents of the email and paste them into Google. If it’s a scam, it’ll show up in the search results. If it’s legitimate, it’ll also appear as a question with an answer on the forum of that company.
This method isn’t 100% foolproof. Some scams might not be noticed yet. That said, it’s a good way to quickly prove to yourself if something is definitely a scam.
Now that I’ve gone through the protocols and employee training parts, it would be good to mention some third party software to help your network security.
The Top 3 Email Security Software
The software I’ll mention here aren’t the only options out there but they’re some of which I know are good and relatively accessible. As is always the case with cybersecurity, there needs to be a balance with software. You should find one to protect you without diminishing your capacity to work.
When it comes to how they work, most email security software will be similar. That said, each will have different features. Here you’ll need to see if the features presented are something you would need.
1. MailEssentials
MailEssentials is a third-party email security software that’s very powerful and one of the best options in the market today. On its own, it provides a very thorough malware and virus list from which it’ll block attacks as well as a spam filter.
It’ll also scan your sent and received emails to make them safe. This means in the case of a scam email, it would need for someone to type out the username and password in plain text, which won’t happen.
The GFI MailEssentials can also connect with other GFI products like the LanGuard and the HelpDesk. This can vastly improve the internal security of your company’s communication.
This option starts at ~$250 for 10 emails for a year or just over $2 per month per person. It’s very reasonable and even cheaper if you have over 250 users.
2. Mimecast Secure Email Gateway
Mimecast aims to prevent inbound threats from outside of your company like phishing through email spoofing. It uses all 4 of the protocols I’ve talked about above. It even pushes them to work harder and wider, catching more spam and malicious emails.
This software has fewer integrated features than other options. It’s still very simple to use though and might be interesting for those companies without dedicated cybersecurity specialists on staff.
The starting price for this service is $3.5 per user per month. The price is technically more than the others. It’s still very accessible though compared to the general prices.
3. Symantec Messaging Gateway (SMG)
SMG used to be the best option in the market. Now, they seem to lag behind the other two when it comes to their malware list. It’s still an excellent choice though. Combined with good company culture and training, it’ll immunize you from cybersecurity attacks.
The price is $3 per user per month, which is completely okay if you’ve already made the expense for additional training.
Final Words
Email spoofing is, in its essence, a very simple concept. Cybercriminals can hack a server and pretend to be someone else. Alternatively, they can use a very similar but different name to fool your employees. These scams seem silly, but they wouldn’t be so frequent if they weren’t effective. Everyone could be a victim.
This is why you should have 3 layers of defenses, known as protocols, to prevent your company from sharing its private information with malicious entities. Next, you must have good email security software, especially if your company uses email regularly. This software will filter out another 9.9% and make scam emails barely a monthly occurrence, even for the most communicative companies.
Finally, you should set up employee training for the people that read the emails. You should also ensure good communication within the company.
Got more questions about email spoofing? Check out the FAQ and Resources sections below.
FAQ
Can big companies become victims of scams?
Yes. While not every scam will work on every person, some scams will resonate with anyone. Scams appeal to our human emotions and play on the fact that people working are usually tired and bored. This makes them miss the obvious cues that something is a scam. As a result, it’s very important to include cybersecurity training in your company.
Will opening the wrong email compromise my system?
No. Simply opening an email that might have a malicious attachment or phishing link inside won’t compromise your system. That said, clicking on those links and attachments will. That’s why a best practice is not to click on links sent through emails. If the sender has an inquiry, message them separately. That way, you ensure the authenticity of the link.
How do I know if someone is phishing me?
They’ll ask for private information. In the same way, you know information about your customers, and other services have yours. You don’t need to send your passwords or usernames through email. No individual person will ever ask anyone for their password, banking information, or similar data. In that case, always report to someone in your company who knows the protocols.
Will my firewall stop email malware?
No. Your firewall will only stop malware that directly attacks you from the internet. On the other hand, email malware makes you accept the malware. You’ll bring it in by yourself. In turn, you allow it to attack the system from the inside. Even with multiple firewalls, they might stop an executable file, but not non-technical phishing scams.
Do scammers know if you open their email?
In most cases yes. Partially-hacked email servers might use P2P encryption codes to prevent this metadata from going to the cybercriminal. That said, in most cases, the scammer will know if you’ve opened their email and when. The goal isn’t to avoid this but to ensure you don’t respond and verify the email as malicious.
Resources
TechGenix: Newsletters
Subscribe to our newsletters for more quality content.
TechGenix: Article on Firewall Services
Learn more about some of the top firewall services.
TechGenix: Article on Firewall Vendor Strategy
Choosing between a single vendor and a multi-vendor strategy can be tough. Check out this article to learn more.
GFI: Article on Unblocking Legitimate Emails
Learn how to unblock some emails you wanted to receive in.
TechGenix: Article on Secure Email Gateways
Learn how you can secure your internal email system and manage itbetter.
TechGenix: Article on Email Defense
Learn more about email defense and how to manage it perpetually.
