Email spoofing is one of the most widely used tactics by cybercriminals, where they forge the sender’s email address to make it appear as if it’s from a trusted source. These emails can range from seemingly urgent messages from your bank to emails from a colleague asking for sensitive information.
At DontSpoof, we’ve thoroughly researched email spoofing and collaborated with cybersecurity experts to bring you the most accurate and up-to-date information. According to the Verizon 2023 Data Breach Investigations Report, 36% of all data breaches involved phishing, many of which included email spoofing techniques. This highlights how effective and dangerous spoofed emails can be.
What is Email Spoofing?
Email spoofing occurs when cybercriminals manipulate the sender’s address to make the email appear as though it’s from a legitimate source. This method is commonly used in phishing attacks, where victims are deceived into clicking malicious links, downloading harmful attachments, or sharing sensitive information.
Attackers fake the sender’s address in various ways, often with minor adjustments that are hard to spot. Here are several common methods:
1. Subtle Domain Alterations
Attackers will often create a domain name that closely resembles a legitimate one by adding or changing a few characters.
- Example:
  - Real: support@paypal.com
  - Spoofed: support@pay-pal.com
This subtle change (adding a hyphen) can easily go unnoticed by victims, especially if they are quickly skimming through the email.
2. Lookalike Characters
Another trick attackers use is substituting letters in the domain with similar-looking characters. These lookalikes make it difficult for the recipient to notice that the address is fake.
- Example:
  - Real: billing@amazon.com
  - Spoofed: billing@amαzon.com (notice how the “a” is replaced with a Greek alpha character)
3. Free Email Providers
Attackers may use free email providers (like Gmail or Yahoo) to spoof legitimate emails by creating a display name that looks trustworthy, while the email address itself is a personal or generic one.
- Example:
  - Display Name: “Amazon Support”
  - Email Address: support.amazon@gmail.com
Although the display name seems official, the actual email address is not associated with the real Amazon domain.
4. Same Display Name, Different Email
In this method, attackers set the display name to mimic a legitimate sender, while the actual email address is different.
- Example:
  - Display Name: “John Doe – Company HR”
  - Email Address: john.doe.hr@compny.com
In this case, a quick glance might lead the recipient to believe it’s an internal email, but a closer inspection would reveal the domain is misspelled.
5. Spoofing Personal Contacts
Attackers can also target individuals by spoofing the email addresses of their friends, family members, or colleagues. These types of attacks are particularly dangerous, as victims are more likely to trust an email from someone they know.
- Example:
  - Real: sarah.smith@gmail.com
  - Spoofed: sarah-smith@gmail.com
This method is common in personalized phishing attacks, where the attacker has done some research on the target’s social network.
6. Subdomain Tricks
Some attackers create a legitimate-looking subdomain that tricks recipients into thinking it’s associated with the real brand.
- Example:
  - Real: support@company.com
  - Spoofed: support@company.securityalerts.com
By adding a familiar term (like “security alerts”), the fake domain seems official, though it’s entirely controlled by the attacker.
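The six tricks above are all visible in the From: header alone, so a defender can screen for them before the message body is even read. The script below is an added example, not code from DontSpoof: it classifies one From: header value against a constructed list of trusted brand domains, a constructed list of free-mail providers and a constructed one-entry address book, and reports which trick, if any, the address matches. The two-label "registrable domain" shortcut is an assumption; production code would consult the Public Suffix List.

```python
# Added example (not DontSpoof's code): classifies a single From: header against
# the six sender-forgery tricks described above. The trusted-domain list, the
# free-mail provider list and the address book are constructed assumptions.
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = ("amazon.com", "company.com", "paypal.com")   # constructed
FREE_MAIL_PROVIDERS = ("gmail.com", "yahoo.com", "outlook.com")  # constructed
KNOWN_CONTACTS = ("sarah.smith@gmail.com",)                      # constructed address book


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 between two different domains is the lookalike sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels, e.g. company.securityalerts.com -> securityalerts.com.
    Simplification (assumption): production code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def brands_in(text: str) -> list:
    """Trusted brand names (label before the TLD) mentioned anywhere in text."""
    text = text.lower()
    return [d for d in TRUSTED_DOMAINS if d.split(".")[0] in text]


def analyse_from_header(from_header: str) -> list:
    """Return (finding, detail) pairs; an empty list means nothing looked forged."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return [("unparseable", from_header)]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    findings = []

    # 2. Lookalike characters: any non-ASCII code point in the domain part
    odd = [c for c in domain if ord(c) > 127]
    if odd:
        names = ", ".join(f"{c!r} ({unicodedata.name(c, 'unknown')})" for c in odd)
        findings.append(("lookalike-character", names))

    # 5. Spoofed personal contact: same provider, local part one or two edits away
    for known in KNOWN_CONTACTS:
        k_local, k_domain = known.rsplit("@", 1)
        if domain == k_domain and 0 < levenshtein(local.lower(), k_local) <= 2:
            findings.append(("contact-lookalike", f"{addr} resembles {known}"))

    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return findings  # genuine domain or a real subdomain of it

    # 1. Subtle alterations: drop the non-ASCII characters first so the
    #    homoglyph domain from check 2 also shows up as a near miss here
    folded = "".join(c for c in reg if ord(c) < 128)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(folded, trusted) <= 2:
            findings.append(("lookalike-domain", f"{domain} resembles {trusted}"))

    # 6. Subdomain tricks: a brand name used as a label under an unrelated domain
    if domain != reg and brands_in(domain[: -len(reg) - 1]):
        findings.append(("brand-as-subdomain", f"{domain} is really {reg}"))

    # 3. Free provider with a brand in the display name or local part
    claimed = brands_in(f"{display} {local}")
    if reg in FREE_MAIL_PROVIDERS and claimed:
        findings.append(("free-provider-brand", f"{claimed} via {reg}"))
    # 4. Display name claims a brand the sending domain does not belong to
    elif brands_in(display):
        findings.append(("display-name-mismatch", f"{display!r} sent from {domain}"))
    return findings


if __name__ == "__main__":
    for header in (
        "support@paypal.com",                                  # genuine
        "support@pay-pal.com",                                 # 1
        "billing@amαzon.com",                                  # 2 (Greek alpha)
        "Amazon Support <support.amazon@gmail.com>",           # 3
        "John Doe - Company HR <john.doe.hr@compny.com>",      # 4
        "sarah-smith@gmail.com",                               # 5
        "support@company.securityalerts.com",                  # 6
    ):
        print(f"{header!r:55} -> {analyse_from_header(header) or 'clean'}")
```

A genuine subdomain such as alerts@mail.paypal.com is left alone because its registrable domain is on the trusted list, while company.securityalerts.com is flagged because the brand sits to the left of a domain the brand does not own. The homoglyph case produces two findings on purpose: the non-ASCII character itself, and the near-miss distance once that character is stripped.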
How Does Email Spoofing Work?
Email spoofing relies on the inherent weaknesses of the Simple Mail Transfer Protocol (SMTP). SMTP doesn’t have built-in mechanisms to verify the authenticity of the sender, making it possible for attackers to manipulate the “From” field to impersonate any email address.
Here’s how attackers typically execute an email spoofing attack:
- Faking the Sender’s Address: As outlined above, attackers use techniques such as domain lookalikes, character substitution, and free email services to make the sender’s address appear legitimate.
- Crafting a Convincing Message: The email is designed to look professional, mimicking the branding, tone, and style of the legitimate sender. This often includes official logos, signatures, and disclaimers.
- Triggering a Response: The email usually contains urgent language, asking the recipient to click on a link, download an attachment, or reply with sensitive information.
- Exploiting the Victim: Once the recipient follows the instructions, the attacker gains access to personal or financial information, infects the device with malware, or redirects the victim to a phishing site.
According to Cisco’s 2023 Cybersecurity Threat Report, 90% of data breaches involve phishing emails, many of which employ email spoofing to deceive recipients.
Why Attackers Use Email Spoofing
The key reason email spoofing is so widespread is its ability to exploit trust and familiarity. Here’s why attackers continue to use this method:
- Impersonating Trusted Entities: Attackers rely on the perceived trust recipients have in familiar organizations, such as banks, government agencies, or personal contacts. By mimicking these entities, attackers increase the likelihood that the victim will comply with their demands.
- High Success Rate: Email spoofing remains highly effective. A PhishMe study found that 91% of cyberattacks begin with a phishing email, and spoofing is one of the primary methods to get victims to act without suspicion.
- Wide Reach: Attackers can send thousands of spoofed emails simultaneously, targeting both businesses and individuals with a single campaign. This scalability makes it a favored tactic for cybercriminals.
At DontSpoof, we’ve seen firsthand how effective email spoofing can be, particularly when the email is convincingly disguised. Our mission is to raise awareness and provide insights into how these attacks happen.
Real-World Examples of Email Spoofing
Email spoofing has played a role in several high-profile cyberattacks, resulting in millions of dollars lost and sensitive information stolen.
Example 1: CEO Fraud via Spoofed Email
In 2020, a large multinational company was targeted in a CEO fraud attack, where the attacker spoofed the CEO’s email address and requested a wire transfer. Believing the email to be genuine, the company’s financial department transferred $2.8 million to the fraudster’s account. It was only after the transaction that the scam was discovered.
Example 2: Spoofing PayPal Emails
PayPal users have been frequent targets of spoofing attacks. In one widespread campaign, users received emails that looked identical to official PayPal communications. The emails claimed that there had been suspicious activity on the recipient’s account and urged them to click on a link to resolve the issue. Once clicked, the link redirected users to a fake login page designed to steal their PayPal credentials.
Example 3: Spoofed Government Emails
In 2022, scammers spoofed government agencies in multiple countries, sending emails that appeared to be from official departments. These emails requested personal information for “COVID-19 relief funds” and led victims to phishing sites that stole both financial and personal data. Many victims, trusting the government’s name and urgency, provided the requested information without suspicion.
Common Signs of a Spoofed Email
Despite their sophisticated appearance, spoofed emails often contain subtle clues that give them away. Here are some signs to look out for:
- Mismatched email addresses: Always hover over the sender’s email address to ensure it matches the legitimate domain. Even small deviations, like extra characters or subtle misspellings, can indicate a spoofed email (e.g., support@your-bank.com instead of support@yourbank.com).
- Generic greetings: Spoofed emails often lack personalization and may start with phrases like “Dear Valued Customer” rather than using your name.
- Unexpected attachments: Be wary of emails containing attachments, especially those with suspicious file extensions (e.g., .exe, .zip, or .scr).
- Poor grammar and spelling: Legitimate businesses generally avoid grammatical errors in their official communications. Mistakes in the email’s content can signal a spoof.
- Urgent requests: Spoofed emails often create a sense of urgency, asking recipients to take immediate action to resolve an issue. Verify the sender’s identity before acting on any requests for sensitive information.
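Most of the signs in this list can be checked mechanically on the raw message, and the “How Does Email Spoofing Work?” section adds one more that is invisible in a mail client: because SMTP never verifies the From: field, the envelope sender recorded in Return-Path can belong to a completely different domain than the one displayed. The script below is an added example, not DontSpoof’s code. It parses one message with Python’s standard email library and reports the envelope/From mismatch, a Reply-To pointing elsewhere, a generic greeting, urgency wording, and attachments with risky extensions. The sample message, the greeting and urgency phrase lists, and the extension list are all constructed assumptions.

```python
# Added example (not DontSpoof's code): runs the warning-sign checks listed above
# over a raw message, plus the envelope-vs-header comparison that follows from
# SMTP not verifying the From: field. The message, the keyword lists and the
# extension list are constructed assumptions, not data from the article.
import os
from email import message_from_string, policy
from email.utils import parseaddr

RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs"}            # constructed
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "urgent")

# Constructed sample: forged bank alert with a generic greeting, urgent wording,
# a .scr attachment and an envelope sender on an unrelated domain.
SAMPLE = """\
Return-Path: <bounce@bulk.example.net>
From: "Your Bank Security" <alerts@your-bank.com>
Reply-To: <helpdesk@bulk.example.net>
To: <customer@example.org>
Subject: Action required on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Valued Customer,

Suspicious activity was detected. Verify your account within 24 hours
or your account will be suspended. The attached statement has details.

--b1
Content-Type: application/octet-stream; name="statement.scr"
Content-Disposition: attachment; filename="statement.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return (finding, detail) pairs for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])

    # SMTP never checks From:. Return-Path holds the envelope sender the
    # receiving server actually accepted the mail from, so a different domain
    # means the visible sender and the real sending party disagree.
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(("return-path-mismatch", f"From {from_domain}, envelope {rp_domain}"))

    # Replies go to Reply-To when present; an unrelated domain there is where
    # any sensitive information the recipient sends back would end up.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))

    # Generic greeting and urgency cues in the body text
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", text.lstrip().split(",")[0]))
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgent-language", ", ".join(hits)))

    # Attachments with executable-style extensions
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


if __name__ == "__main__":
    for kind, detail in check_message(SAMPLE):
        print(f"{kind:22} {detail}")
```

The Return-Path comparison is the same envelope-versus-header distinction that mail servers rely on when they do apply sender checks, so in a real pipeline this heuristic sits alongside, not instead of, the server’s own verification results. Phrase lists of this kind are deliberately crude; they catch the boilerplate in mass campaigns, not a carefully written targeted message, which is why the address and envelope checks matter more than the wording checks.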
At DontSpoof, we educate users on identifying these signs to avoid falling victim to phishing and spoofing attacks.
Conclusion
Email spoofing continues to be a serious and evolving threat in the world of cybersecurity. By understanding how attackers fake email addresses and recognizing the subtle clues that give them away, you can reduce the risk of being deceived by these fraudulent emails.
At DontSpoof, we remain committed to providing the latest research and insights on email spoofing and other types of cyberattacks. To learn more about other forms of spoofing, check out our article on Types of Spoofing.