Email spoofing is an attack in which the sender forges the address an email appears to come from. It lets an attacker pose as a person or an organization for a variety of purposes. That sounds alarming, so how does it actually work?
Why Email Spoofing Happens
Email spoofing is a form of impersonation and is usually one step in a larger scam or attack. Sender impersonation is central to phishing and to advance-fee (so-called 419) scams: an email arrives in your mailbox claiming to be from your bank, an online payment processor or, in the case of spear phishing, a person you know personally.
The email often contains a link that you are asked to click on, which takes you to a fake version of a real site where your username and password are harvested.
In CEO fraud, or when attackers pose as suppliers or business partners, the emails ask for sensitive information or for bank transfers to accounts the attackers control.
How Email Spoofing Works
Email spoofing is surprisingly easy. It works by setting the message "header", the block of metadata at the top of every email, to whatever the sender wants. The sender name and address you see in your email app are read straight from that header.

SMTP (Simple Mail Transfer Protocol) does nothing on its own to verify that the sender is who the header claims. Attackers exploit this gap to convince victims that a message came from someone else. Sender-authentication checks such as SPF, DKIM and DMARC were bolted on later, and a receiving server only benefits from them if the claimed domain publishes the records and the receiver enforces them.

The From: and Reply-To: header fields and the envelope sender (which the receiving server records as Return-Path:) can all be set without special tools or advanced knowledge; any mail library or a raw SMTP session lets you fill them in by hand. The result is an email that, on its face, shows a forged originating address.

A related but distinct technique is the lookalike domain, where the address is made to resemble the target's real address rather than copy it. The attacker registers a separate domain and relies on characters that are easy to confuse, such as a lowercase l in place of a capital I or a 0 in place of an O, so that a hurried reader does not notice the difference.
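To make the envelope-versus-header distinction concrete, here is an added example (not code from the original article) that builds a message whose visible From: names one party while the SMTP envelope names another, and renders the client side of the SMTP session that would carry it. Nothing is sent; the addresses and hostnames (`victim-corp.example`, `mail-relay.example`, `attacker-box.example`) are constructed placeholders.

```python
"""Added example: how a sender controls the header From:/Reply-To:
independently of the SMTP envelope. No mail is sent; all addresses
and hostnames are constructed for illustration."""
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import parseaddr


def build_spoofed_message(display_from, reply_to, to_addr, subject, body):
    """Return a message whose visible From: is whatever the sender chooses.
    Nothing in SMTP compares this field with who is really connecting."""
    msg = EmailMessage()
    msg["From"] = display_from      # what the recipient's mail client shows
    msg["Reply-To"] = reply_to      # where a reply actually goes
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def smtp_dialogue(envelope_from, rcpt_to, msg, client_host="attacker-box.example"):
    """Render the client commands of an SMTP session. The envelope sender in
    MAIL FROM is separate from the header From: and is what the receiving
    server later writes into Return-Path:."""
    data = msg.as_string(policy=SMTP)   # CRLF line endings, as on the wire
    return [
        f"EHLO {client_host}",
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        data + "\r\n.",
        "QUIT",
    ]


def header_envelope_mismatch(envelope_from, msg):
    """True when the header From: domain differs from the envelope sender's
    domain. A mismatch is not proof of spoofing (mailing lists and
    third-party senders do this legitimately), but it is the first thing
    a spoof check looks at."""
    hdr_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    return hdr_domain != env_domain


if __name__ == "__main__":
    # Constructed CEO-fraud style message: header claims the CEO, envelope
    # and Reply-To point at infrastructure the attacker controls.
    spoof = build_spoofed_message(
        display_from="CEO <ceo@victim-corp.example>",
        reply_to="ceo.victim-corp@mail-relay.example",
        to_addr="finance@victim-corp.example",
        subject="Urgent wire transfer",
        body="Please process the attached invoice today.",
    )
    for line in smtp_dialogue("bounce@mail-relay.example",
                              "finance@victim-corp.example", spoof):
        print(line)
    print("header/envelope mismatch:",
          header_envelope_mismatch("bounce@mail-relay.example", spoof))
```

Run it and compare the `MAIL FROM:` line with the `From:` line inside the DATA block: the two never have to agree, which is exactly the gap SPF (which checks the envelope domain) and DMARC (which ties the result back to the header From: domain) were designed to close.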
Email Spoofing Detection
The most direct way to detect a spoofed email is to open the full header and look at the Received: lines. Each server that relays the message adds one at the top, so the bottom-most Received: line is the hop closest to the true origin; its hostname and IP address should belong to the organization the message claims to come from. Many providers also add an Authentication-Results: line summarizing the SPF, DKIM and DMARC checks, and a fail there is a strong signal on its own.
The way to view headers varies from one email application to another, so you will need to find the exact steps for your client. Here we use Gmail as an example because it is popular and the headers are easy to reach.
Open the email you suspect is spoofed, click the three dots and choose "Show original".
Next to "Received" you will see a server hostname and an IP address. In this case, an email purporting to be from Costco came from a server that does not appear to belong to Costco.
To confirm this, copy the IP address and paste it into a WHOIS lookup such as the DomainTools WhoIs search.
As the results show, this IP address is from Singapore and originates from a Microsoft domain.
It's very unlikely that Costco sends member mail from there, so this is probably a scam. One caveat: legitimate companies often send through third-party providers, so an unfamiliar IP address by itself is not proof. The SPF and DMARC verdicts in the header tell you whether the claimed domain actually authorizes that server.
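The same triage, automated: an added example (not from the original article) that parses a raw message, walks the Received: chain to the originating relay, compares the From:, Reply-To: and Return-Path: domains, and reads the SPF/DKIM/DMARC verdicts from Authentication-Results:. Both sample messages are constructed; the domains, hostnames and IP addresses (`costco.example`, `promo-blast.example`, `receiver.example`, 203.0.113.45 and so on) are placeholders and not real Costco or provider infrastructure.

```python
"""Added example: header triage for a suspected spoof. Sample messages
and all names/addresses in them are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spoof: claims to be Costco, but the envelope, the first relay
# and the authentication results all say otherwise.
SPOOF_RAW = """\
Return-Path: <bounce-123@promo-blast.example>
Received: from mx.receiver.example (mx.receiver.example [192.0.2.10])
\tby inbox.receiver.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:01 +0000
Received: from relay7.promo-blast.example (relay7.promo-blast.example [203.0.113.45])
\tby mx.receiver.example with ESMTPS id def456; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.receiver.example;
\tspf=fail smtp.mailfrom=promo-blast.example;
\tdkim=none;
\tdmarc=fail header.from=costco.example
From: "Costco Member Rewards" <rewards@costco.example>
Reply-To: claims@promo-blast.example
To: member@receiver.example
Subject: Your $500 reward is waiting

Click here to claim your reward.
"""

# Constructed legitimate message for comparison: everything lines up.
CLEAN_RAW = """\
Return-Path: <rewards@costco.example>
Received: from mail3.costco.example (mail3.costco.example [198.51.100.7])
\tby mx.receiver.example with ESMTPS id ghi789; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.receiver.example;
\tspf=pass smtp.mailfrom=costco.example;
\tdkim=pass header.d=costco.example;
\tdmarc=pass header.from=costco.example
From: "Costco Member Rewards" <rewards@costco.example>
To: member@receiver.example
Subject: Your membership renewal

Your membership renews next month.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr):
    """Domain part of an address, lower-cased; '' when no address."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def received_chain(msg):
    """(host, ip) per Received: header, oldest hop first. Each relay
    prepends its own line, so the last one in the raw text is the hop
    closest to the true origin."""
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        host = re.match(r"from\s+(\S+)", rcvd)
        ip = IP_RE.search(rcvd)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else "?"))
    return hops


def origin_hop(raw):
    """Convenience wrapper: the originating relay of a raw message."""
    chain = received_chain(message_from_string(raw))
    return chain[0] if chain else ("?", "?")


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results:, if present."""
    text = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def triage(raw):
    """Return a list of human-readable findings; empty means nothing odd."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    findings = []
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")
    chain = received_chain(msg)
    if chain:
        origin_host, origin_ip = chain[0]
        if not origin_host.lower().endswith("." + from_domain):
            findings.append(f"first relay {origin_host} [{origin_ip}] is not under {from_domain}")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF_RAW), ("clean", CLEAN_RAW)):
        print(label, triage(raw) or ["no findings"])
```

The "first relay" check is the deliberately weak one: as noted above, a real company may send through a provider whose hostnames do not end in its domain, so treat that finding as a prompt to look at the SPF and DMARC verdicts rather than as a verdict by itself.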
How to Fight Email Spoofing
Checking a message's headers is a dependable way to confirm a spoof, but you need some technical background to interpret what you see, so it is not the most effective way to keep the people in your business or household from being victimized.
It is much more effective to apply a few basic rules whenever an unsolicited email asks you to click a link, transfer money or hand over confidential information:
- Double-check any money transfer requests through another channel, such as a phone call.
- Do not transfer money to an account that has not been verified through your normal approval process.
- Do not click on links in emails that you did not request.
- Type the web addresses yourself into your browser.
Most importantly, always verify high-risk requests with the sender over a separate channel such as a phone call or a secure chat, and never use a phone number supplied in the email itself. A 30-second conversation settles whether the request is genuine.