Email Spoofing Explained.
What is email spoofing?
The word spoof means falsified. A spoofed email is one in which the sender purposely alters parts of the message so that it appears to have been written by someone else. A spoofed message can appear to be sent from a coworker, a bank, a family member or any number of seemingly trustworthy sources. A good spoof will look like any other email that you would normally receive.
Warning: If you suspect you have received a fraudulent message, DO NOT click any link in the message or enter any information that it requests.
Why do people spoof email?
In many cases, the spoofed email is part of a phishing (scam) attack. In other cases, a spoofed email is used dishonestly to market an online service, sell you a bogus product, or trick you into making a damaging statement or releasing sensitive information, such as passwords.
Identify a spoofed message
It is vital that users understand that emails that appear to be sent from co-workers may be forged. Scammers alter different sections of an email to disguise who the actual sender of the message is. Examples of properties that are spoofed:
(This will appear to come from a legitimate source on any spoofed message)
REPLY-TO This can also be spoofed, but a scammer may leave the actual REPLY-TO address so that he receives the replies. If you see a different sending address here, the email may have been spoofed.
In this example, it appears that the recipient has received a message from an assistant, requesting money. The subject line is a red flag. The user should contact the assistant through another form of communication to confirm the spoof. Next, you will want to discover who actually sent the message by opening the message headers (“Message Options” in Outlook).
In this message header snippet, the From: field shows the message being sent from “Assistant” email@example.com. However, the REPLY-TO: field lists firstname.lastname@example.org, a different address. That is a clear-cut example of a spoofed message. Blacklist any address you find in the REPLY-TO, RETURN-PATH, and SOURCE IP fields that is not an address/IP you normally receive mail from.
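The header comparison described above can be scripted. The following is an added example, not part of the original article: it parses a raw message with Python's standard email module and reports REPLY-TO and RETURN-PATH addresses whose domain differs from the From: address, plus the source IP. The sample message is constructed; its From: and REPLY-TO values reuse the addresses quoted above, while the RETURN-PATH, Received line and IP are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers. From/Reply-To reuse the page's addresses;
# the Return-Path, Received line and IP are made up for illustration.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.example.com; Mon, 01 Jan 2024 10:00:00 +0000
From: "Assistant" <email@example.com>
Reply-To: firstname.lastname@example.org
Subject: Urgent request

Please send the money today.
"""

def domain(addr):
    """Lower-cased part after the last '@'."""
    return addr.rpartition("@")[2].lower()

def check_headers(raw):
    """Compare From: with Reply-To:/Return-Path: and pull the source IP."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    mismatches = []
    for header in ("Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr and domain(addr) != domain(from_addr):
                mismatches.append((header, addr))
    # The top-most Received: header is normally the one added by the
    # receiving server; the bracketed value is the IP that connected to it.
    ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", msg.get("Received", ""))
    return {"from": from_addr, "mismatches": mismatches,
            "source_ip": ip.group(1) if ip else None}

if __name__ == "__main__":
    report = check_headers(SAMPLE)
    print("From:", report["from"])
    for header, addr in report["mismatches"]:
        print(f"{header} differs from From: {addr}")
    print("Source IP:", report["source_ip"])
```

A reported mismatch means the message may have been spoofed and should be reviewed as described above; confirm with the apparent sender through another channel before blacklisting.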
User education is the first line of defense against these types of attacks. If a user receives a spoofed message:
- Blacklist any address/IP listed in the REPLY-TO, RETURN-PATH, or SOURCE IP that you have determined to be fraudulent. See Blacklist addresses, domains, and IPs in webmail for instructions.
- Immediately change the password of your email account if you or your users provided that information at any point. (Be aware, however, that your credentials do not need to be compromised for someone to spoof your email.)
- Alert the rest of your business to the situation.