Today, about 91% of cybersecurity breaches begin with an email. Hackers continue to develop clever ways of delivering malicious emails to unsuspecting victims, which in turn has serious implications for any business’ network security. In this article, we will discuss how email spoofing is used to create malicious email attacks such as phishing emails.
Email spoofing is the act of forging email headers so that it appears to be from a legitimate source. An email header is a code snippet in an HTML email that contains information about the sender, recipient, email’s route to get to the inbox, and various authentication details. The email header always precedes the email body.
The goal of spoofed emails is to trick recipients into trusting their origin and possibly respond to the emails. It is a common tactic used to fabricate spam and phishing emails.
Email spoofing can be easily achieved with a working Simple Mail Transfer Protocol (SMTP) server and mailing software like Outlook or Gmail. Once an email message is composed, the scammer can forge fields found within the message header such as the FROM, REPLY-TO, and RETURN-PATH addresses. After the email is sent, it will appear in the recipient’s mailbox as though it came from the address that was entered.
This is possible because SMTP itself provides no mechanism for authenticating the sender address. Although email sender authentication protocols and mechanisms have been developed to combat email spoofing, their adoption has been slow.
Email spoofing is a common tactic used by cybercriminals to send out spam and phishing emails. Spoofed emails can appear to be from trusted shopping websites, government institutions, suppliers, vendors, etc. With phishing, the goal could be to get their targeted victims to:
- Provide personal or financial information;
- Turn over intellectual property and other proprietary information or data;
- Perform a wire transfer or another electronic transfer of funds;
- Provide login information or other user credentials;
- Download a file from an email that contains malicious software;
- Click on a malicious link.
A perfect example of email spoofing attacks is the phishing emails that were sent to Kenya Revenue Authority users from a spoofed email address (email@example.com) in the month of June 2020. Just like a typical phishing email, the hackers used fear to trick recipients into performing an action: the subject line read ‘Penalty order’, while the email contents instructed users to download a malicious attachment in order to view the tax penalties imposed on them.
Email spoofing is also used to execute impersonation attacks such as business email compromise attacks, spear phishing and whaling attacks. These spoofed emails are intentionally designed to target more than just employees or random recipients.
Hackers use spoofed email addresses that appear to be from a company CEO or CFO with the aim of duping the recipient into transferring funds or sharing sensitive information such as passwords and credit card details.
Though email spoofing is popularly used to execute phishing attacks, hackers can also use it to evade email blacklists and spam traps, commit identity theft, and tarnish the reputation of the impersonated sender.
A spoofed email will appear to be from a legitimate or trusted source, but if you look closely, you may spot anomalies that identify the message as a spoofing attempt.
In a spoofed email, the actual email address may be different from the display name. Display name spoofing portrays a display name of the person being impersonated while leaving the actual sending email address intact. Scammers can also spoof the entire email address as well or just the domain name, i.e., what follows the @ symbol.
Example 1: “John Doe” firstname.lastname@example.org
Example 2: “John Doe” email@example.com
Additionally, the email address in the header will not match the sender’s email address, and the “Reply to” field in the header will not match the name of the sender. You can find this in your email header information.
How to check email header information
You can only view email header information on your laptop. The email headers contain a significant amount of tracking information showing where the message has traveled across the Internet. Different email platforms display these headers in different ways.
On Gmail, click the three dots on the top right corner of the email and select the ‘Show original’ option. On other email platforms, click More or Options and select ‘View source’. This will display the header information.
There’s a lot of technical detail here, but you can ignore most of it. The things that matter most are the domain name and IP address in the “Received” fields, and the validation result in the Received-SPF field.
Tips on how to identify a spoofed message in email headers.
- Identify that the ‘From‘ email address matches the display name. The from address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is actually coming from someone else.
- Make sure the ‘Reply-To‘ header matches the source. This is typically hidden from the recipient when receiving the message and is often overlooked when responding to the message. If the reply-to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged.
- Find where the ‘Return-Path‘ goes. This identifies where the message originated from. While it is possible to forge the Return-path in a message header, it is not done with great frequency.
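The three header checks above, written out as a script you can run against a saved message. This is an added example, not code from the original article; the raw message is constructed for illustration and the domain names in it are placeholders.

```python
# Added example: apply the From / Reply-To / Return-Path / Received-SPF checks
# from the article to a constructed suspicious message.
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: the display name claims one domain,
# the From address uses another, and Reply-To / Return-Path differ again.
RAW_MESSAGE = b"""Received-SPF: fail (example.net: 203.0.113.10 is not a permitted sender)
Return-Path: <bounce@mail-relay.test>
From: "Accounts Team example.net" <accounts@example.net-secure.test>
Reply-To: <payments@example-mail.test>
To: <victim@example.org>
Subject: Penalty order

Please open the attachment to view your penalty.
"""

def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def spf_result(msg):
    """Extract the result keyword (pass/fail/softfail/...) from Received-SPF."""
    header = msg.get("Received-SPF", "")
    return header.split(None, 1)[0].lower() if header else "none"

def header_anomalies(raw):
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # 1. Display name mentions a domain-like word the real From address does not use.
    for word in display_name.replace("<", " ").replace(">", " ").split():
        if "." in word and word.lower() != from_dom:
            findings.append(f"display name references {word} but From is {from_dom}")
    # 2. Reply-To domain differs from the From domain.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # 3. Return-Path domain differs from the From domain.
    return_dom = domain_of(msg.get("Return-Path"))
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} != From domain {from_dom}")
    # 4. The receiving server's SPF verdict was not a pass.
    if spf_result(msg) != "pass":
        findings.append(f"Received-SPF result is {spf_result(msg)}")
    return findings

if __name__ == "__main__":
    for finding in header_anomalies(RAW_MESSAGE):
        print("ANOMALY:", finding)
```

To check a real message, export it with “Show original” or “View source”, save it to a file, and pass its bytes to `header_anomalies`.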
So, how do you prevent your email address or domain from being spoofed in the future? And how do you help your employees recognize spoofed emails for what they are? We’ll answer both of those questions by discussing the following:
1. SPF, DKIM, and DMARC email authentication protocols
Email authentication validates that senders are who they claim to be. Organizations can protect their domains from being spoofed by declaring who is allowed to send messages on behalf of the business domain using SPF, DKIM and DMARC.
SPF allows the owner of a domain to specify which mail servers can send mail from that domain. Brands sending emails publish SPF records in their DNS which list which IP addresses are authorized to send emails on behalf of their domains.
Using DKIM, email servers attach special DKIM signatures to the emails that act as a watermark for email so that email receivers can verify that the email actually came from the domain it says it does and that it hasn’t been tampered with.
DMARC verifies that the domain in the “From” header matches the domain that SPF or DKIM actually authenticated. It also ensures email is properly authenticating against the DKIM and SPF standards, and it lets the domain owner instruct receivers to block fraudulent emails that appear to come from domains under your organization’s control.
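How a receiving server combines an SPF record, a DMARC policy and domain alignment into a verdict, as an added example that is not part of the original article. It uses constructed TXT records in place of real DNS lookups, handles only `ip4` mechanisms and the `all` qualifier, and omits DKIM (a real receiver accepts if either SPF or DKIM aligns).

```python
# Added example: offline SPF evaluation plus DMARC alignment and policy,
# following the behaviour described above with constructed DNS records.
import ipaddress

# Constructed records standing in for DNS TXT lookups (placeholder domains).
TXT_RECORDS = {
    "example.net": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.25 -all",
    "_dmarc.example.net": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.net",
    "mail-relay.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

def spf_check(domain, client_ip):
    """Evaluate ip4 mechanisms and the 'all' term of a domain's SPF record.
    Returns pass / fail / softfail / neutral / none (a subset of RFC 7208)."""
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return verdict
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return verdict
    return "neutral"

def dmarc_policy(domain):
    """Parse the tag=value pairs of a _dmarc TXT record into a dict."""
    record = TXT_RECORDS.get(f"_dmarc.{domain}", "")
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return tags if tags.get("v") == "DMARC1" else {}

def aligned(header_from_domain, authenticated_domain, mode):
    """Strict alignment needs an exact match; relaxed also accepts a subdomain."""
    if mode == "s":
        return header_from_domain == authenticated_domain
    return (authenticated_domain == header_from_domain
            or authenticated_domain.endswith("." + header_from_domain))

def dmarc_verdict(header_from_domain, mail_from_domain, client_ip):
    """Action a receiver takes: accept, quarantine or reject."""
    policy = dmarc_policy(header_from_domain)
    spf = spf_check(mail_from_domain, client_ip)
    spf_ok = spf == "pass" and aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r"))
    if spf_ok or not policy:   # no DMARC record means nothing to enforce
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
```

Note that a spoofed message can pass SPF for the attacker’s own envelope domain and still be rejected, because DMARC requires that domain to align with the visible From domain.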
2. Email signing certificates
An email signing certificate, sometimes referred to as an S/MIME certificate or a personal authentication certificate is something that you can use to help email recipients verify whether an email is coming from you. These certificates do two things:
- Assert identity through the use of unique digital signatures
- Use public-key encryption to provide secure, end-to-end encryption for your emails. And considering that most email servers nowadays also use SSL/TLS encryption, it means that you can enjoy both data at rest and data in transit protection.
3. Cybersecurity awareness training
Email security awareness training for users and employees supports underlying security policies. It engages them in assessing risks as part of their workflow. By preventing employees from inadvertently clicking on links or revealing sensitive information, email security solutions in place improve frontline security protection against the most common email-borne threats today. Key areas to consider while implementing an effective organization-wide email security training program include;
- Email scams
- Password security
- Removable hardware such as hard drives and USBs
- Safe internet use
- Social networking threats
- Physical security and environmental controls
- Data management and privacy
- Bring Your Own Device (BYOD) policies
4. Email header data
To identify email spoofing, take a closer look at the email header information of a suspicious email. This is because an email header contains a significant amount of data pertaining to the origin of an email. In addition to email subject line information and the basic “from” and “to” sender/recipient info, other email metadata you can find in the header properties include:
- the type of content
- browser information
- delivery date information
- suspicious flag or spam flags
- language used in the email, and
- Microsoft Exchange threat scan results.
There are countless ways in which hackers try to trick their victims, and they are getting smarter every day. Here are some red flags that are common across most phishing emails;
- Links in the email may look exactly like the original, for example the domain name, but will contain misspellings or extra subdomains. Hovering over the link will often expose the true domain name.
- Generic salutations; a service provider, for example, should address an email to you using your name. A phishing email will use generic terms like sir or madam.
- Link manipulation; a technique in which the scammer sends a link to a website. The user on clicking on the deceptive link will be redirected to the scammers’ website instead of the website indicated on the ‘link’. One of the anti-phishing techniques used to detect link manipulation is to move the mouse over the link to view the actual address.
- The email will try to push or force you into action by creating a sense of urgency, for example, ‘Your account will be deactivated in 24 hours if you do not…’
- Some emails will try to reassure you of their legitimacy by encouraging you to verify your email or log into a website using a link that they provide.
- The body of the email will contain unsolicited weblink attachments. Below is an example one of our clients received.
- If you happen to click on a link, you will notice that you are redirected. This is where the hacker redirects you to a site that will harvest your login credentials as you key them in.
Pepea Email Security provides a best-of-breed email spam filter and antivirus protection. Deploying the latest threat intelligence and sophisticated multi-layer detection engines, this email security solution protects email and employees from spam, malware, phishing attacks, and other advanced threats.
With our email filtering solution, you can easily reduce the risk, complexity, and costs that are typically associated with email management solutions.
With Pepea Email Security, you can:
- Block spam – Pepea spam filtering uses multiple engines that are designed to stop 98% of spam with zero false positives.
- Stop malware and viruses – Our inbound and outbound filtering solution provides 100% anti-malware protection including zero-hour protection to detect new forms of malware and 100% availability.
- Minimize email downtime with an email spam filter and security solution that also protects against targeted attacks such as email spoofing and phishing attacks
- Enhance productivity by enabling users to manage their own lists of blocked users in our easy to use search and retrievable quarantine database
- Support mail validation technology including DKIM and DMARC.
- Increase your organization’s email uptime with 24/7 technical support services and redundancies
- Protect your business reputation with outbound filtering that prevents hackers from using your system to send out spam emails
- Reach the right recipient mailbox and prevent blacklisting with outbound filtering
Our software as a service (SaaS) email filtering system will save you time by reducing spam processing time to an absolute minimum.
- Hosted email spam filtering gateways that reduce email management complexities and offer increased service reliability
- Supported mail servers; Sangari spam filtering supports all types of mail servers
- Searchable quarantine database and reporting
- 24/7 reliable technical support should you need assistance
- Email queuing that stores emails when your mail server is unreachable
- Managed services; we deploy, monitor, secure, maintain and update our spam filters while you focus on other activities
- Integration and automation; Sangari customizes its solution to fully integrate our spam filters with the main control panels and other collaboration tools for email such as Cpanel
- Mail validation technology including DKIM and DMARC
- Zero hour antivirus protection that detects and captures new forms of malware
The threat of email spoofing and phishing will persist as long as we continue to use email for personal and business communication. Business decision-makers must, therefore, secure their mailboxes from these attacks by employing an effective and reliable email security solution.