Email Spoofing – How Attackers Impersonate Legitimate Senders

Email Spoofing – Definition and Introduction

In a nutshell, email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they know or trust. The attacker forges the email headers so that the recipient’s email client displays a fraudulent sender address instead of the real one.

The ultimate goal of spoofing is to make the recipient believe the email is from someone they know or trust, and so lead them to perform a specific action, such as clicking a phishing link or downloading a malicious file.

Email spoofing is possible because of the way email systems are designed. You can think of an email in the same way as a traditional postal letter: just as a letter carries a return address, an email carries a “Mail From” address, and SMTP does not verify it. Spoofing is fairly easy because SMTP (Simple Mail Transfer Protocol) itself offers no protection against it.

The most commonly observed email spoofing scenarios are BEC (Business Email Compromise) campaigns, sextortion scams and CEO phishing attacks. Spoofed emails can also be one stage of a multi-stage cyberattack. All the attacker needs for these attacks to succeed is for a victim to click a malicious link or open a malicious attachment.

Domain Spoofing

Legitimate domain spoofing is a common form of phishing in which an attacker appears to send from a company’s own domain in order to impersonate the company or its users. It can be done simply by sending emails whose sender domain is forged to look legitimate.

Since SMTP lacks authentication, it is easy to spoof a sender address. However, several email authentication methods have been created that enhance overall email security.

SPF (Sender Policy Framework)

SPF checks whether the IP address that delivered a message is authorized to send on behalf of the sending domain. The domain owner publishes a DNS record that restricts the set of IP addresses allowed to send email for that domain. Unfortunately, SPF only produces a result (softfail, hardfail or neutral for non-matching senders); it is left to the receiving mail server to decide what, if anything, to do about it.

DKIM (DomainKeys Identified Mail)

This method uses a cryptographic key pair to sign outgoing emails and validate incoming ones. A digital signature is generated with a private key held on the sender’s mail server; the matching public key, used to verify the signature, is published in the DNS zone of the sender’s domain. If the email is sent from a different domain, the signature will not validate. The weakness of DKIM is that an attacker can simply send a fake email with no DKIM signature at all, and DKIM alone then gives the receiver no way to authenticate (or reject) the message.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC gives a sending domain the option to tell recipients whether its email is protected by SPF or DKIM and what action to take with emails that fail authentication. In other words, DMARC supplies the instructions that SPF and DKIM on their own lack: what the recipient should do when those checks fail.
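To make the SPF result and the DMARC policy concrete, here is an added example (not code from the original article) of how a receiving server interprets the two DNS TXT records. The records and the domain example.test are constructed; the checker handles only ip4 mechanisms and the all term, and models SPF without DKIM.

```python
import ipaddress

# Constructed sample records for a hypothetical domain "example.test".
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~all"
DMARC_RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.test"

# SPF qualifier prefix -> result it yields for a matching mechanism.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record for the connecting IP (ip4 mechanisms and 'all' only).

    A full checker also handles a, mx, include and redirect; those are left out here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                    # implicit qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # -all = hardfail, ~all = softfail, ?all = neutral
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # no 'all' term: RFC 7208 default result


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs, with tags lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def receiver_disposition(spf_result, dmarc_tags):
    """Decide what the receiver does, given the SPF result and the domain's DMARC policy.

    Only SPF is modelled (a DKIM pass would also satisfy DMARC). SPF alone just yields a
    result; it is the DMARC p= tag that tells the receiver to accept, quarantine or reject.
    """
    if spf_result == "pass":
        return "accept"
    return dmarc_tags.get("p", "none")     # no DMARC record: nothing is asked of the receiver
```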


Display Name Spoofing

Display Name Spoofing is a targeted phishing attack in which an email’s display name is altered so that the message appears to come from a trusted or known sender.

Attackers often also copy the email signature block that the legitimate sender uses at the bottom of their messages.

Many email clients, especially smartphone email apps, show only the sender’s display name by default and not the email address. This allows attackers to simply set a trusted name as the display name while leaving their own, real address in the “From” header. That address often passes SPF and DKIM checks for its own domain, so mail servers treat the fraudulent message as a legitimate one.

Ghost Spoofing

Ghost spoofing is a form of display name spoofing in which the attacker puts not only the trusted sender’s name but also their email address into the display name field. The victim sees what looks like the full name and address of a person or entity they know or trust, while the actual sending address is a completely different one, which often passes SPF and DKIM authentication checks.
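Both display name spoofing and ghost spoofing leave a detectable trace in the From header, because the name shown to the user and the address that actually passed SPF/DKIM disagree. The check below is an added example, not code from the original article; the sender directory, domains and sample headers are constructed.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed directory: display name (lower-cased) -> address the organisation expects.
KNOWN_SENDERS = {"jane doe": "ceo@example.test"}

# Matches an email address that an attacker has smuggled into the display name.
EMBEDDED_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from_header(raw_from):
    """Return a list of findings for one From header; an empty list means nothing suspicious.

    Display-name spoofing: a known person's name paired with an address we do not expect.
    Ghost spoofing: the display name itself carries an address that differs from the
    address the mail server actually authenticated (SPF/DKIM apply only to the latter).
    """
    decoded = str(make_header(decode_header(raw_from)))   # undo RFC 2047 encoded words
    display, address = parseaddr(decoded)
    address = address.lower()
    findings = []

    # Ghost spoofing: any address inside the display name must equal the real address.
    for embedded in EMBEDDED_ADDR.findall(display):
        if embedded.lower() != address:
            findings.append(f"ghost spoof: display shows {embedded}, real sender is {address}")

    # Display-name spoofing: strip any <...> part, then look the bare name up.
    bare_name = re.sub(r"<.*?>", "", display).strip().lower()
    expected = KNOWN_SENDERS.get(bare_name)
    if expected and address != expected:
        findings.append(f"display-name spoof: {bare_name!r} expected from {expected}, got {address}")

    return findings
```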

Lookalike Domain Spoofing

Making it even harder for ordinary users to identify potential phishes, attackers use more sophisticated techniques such as lookalike domains to carry out phishing campaigns. Buying a domain is fairly cheap and offers attackers a high return, so fraudsters register domains that look similar to the targeted organization’s.

For example, (real domain) and (fake lookalike domain)

In this example, the ‘I’ in the real domain is replaced by ‘l’ (lowercase ‘L’) in the lookalike domain. If users follow a link to such a domain, it can lead to a credential-harvesting site, a download of a second-stage malware payload, or even a page that tricks them into making fraudulent payments.

Unicode Spoofing

Unicode spoofing is another type of lookalike domain spoofing, in which an ASCII character in the domain name is replaced with a visually similar Unicode character. Unicode characters are permitted in domain names at registration, and attackers use this to trick victims into thinking that an email comes from a legitimate domain.

Real Domain = Spoofed domain in Unicode = ɑþþ
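One defensive response to both lookalike domains (I/l, 0/o, rn/m swaps) and Unicode homoglyphs is to reduce every sender domain to a “skeleton” and compare it against the domains you trust. The code below is an added example, not from the original article; the trusted-domain list is constructed and the confusable table is a small constructed subset of Unicode’s confusables data, not the complete table.

```python
import unicodedata

# Constructed list of the domains this organisation considers its own or trusted.
TRUSTED_DOMAINS = {"example.test", "paypal.test"}

# Constructed subset of visually confusable characters, each mapped to one ASCII stand-in.
# Unicode's full confusables.txt is far larger; this is enough to show the technique.
CONFUSABLES = str.maketrans({
    "l": "i", "1": "i", "|": "i",              # l, 1 and | pass for I/i in many fonts
    "0": "o",
    "\u0251": "a", "\u0430": "a",              # Latin small alpha, Cyrillic a
    "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic e, o, r, s
    "\u00fe": "p",                             # thorn, as in the article's example
})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]        # two-letter sequences that read as one letter


def to_unicode(domain):
    """Turn a punycode (xn--) domain back into the Unicode form the user actually sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain                          # already Unicode, or not valid punycode


def skeleton(domain):
    """Reduce a domain to a lower-case ASCII 'skeleton' so lookalikes compare equal."""
    text = unicodedata.normalize("NFKD", to_unicode(domain)).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))   # drop accents
    text = text.translate(CONFUSABLES)
    for seq, rep in MULTI_CHAR:
        text = text.replace(seq, rep)
    return text


def classify_domain(domain):
    """Return 'trusted', 'lookalike:<target>', 'non-ascii' or 'unrelated' for a sender domain."""
    shown = to_unicode(domain).lower()
    if shown in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):
            return f"lookalike:{trusted}"      # same skeleton, different domain
    if not shown.isascii():
        return "non-ascii"                     # no known target, but uses Unicode: review
    return "unrelated"
```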

How to Protect from Email Spoofing?

Email security controls in your organization can stop 99% of malicious and spam emails from reaching you, but some messages still make it through the spam filters and are delivered to end users. To protect your own and your organization’s data, users can take several steps to avoid becoming the victim of a phishing attack.

  1. Never open a link or attachment in an email that came from a suspicious or unknown sender.
  2. Check the email for phishing red flags: the sender’s email address, the sender’s domain, a lookalike domain, and a message that creates a sense of urgency, loss or benefit.
  3. Avoid replying to suspicious emails. Instead, report them to your security team, or simply delete them.
  4. Do not click links embedded in the message body. Instead, hover your mouse over a link to see the actual URL, or type the URL manually into your browser rather than clicking it.