Display Name Spoofing Explained
Display name spoofing is a sender impersonation technique where an attacker configures the From header display name to match a trusted contact while sending the email from a completely unrelated address. RFC 5322 defines the From header as containing both a display name (a free-text label) and an addr-spec (the actual email address). Email clients render the display name prominently and often hide the addr-spec entirely, which creates a reliable attack surface.
This technique is the simplest and most common form of email impersonation used in business email compromise (BEC) campaigns. Unlike domain spoofing, which forges the actual sending address, display name spoofing leaves the email address untouched. The attacker sends from a real account they control, meaning SPF, DKIM, and DMARC all pass for the actual sending domain. No authentication bypass or technical exploitation is required.
How Display Name Spoofing Works
The attack exploits the gap between what email protocols authenticate and what email clients display:
- Display name selection. The attacker identifies a high-value sender to impersonate: a CEO, CFO, outside counsel, vendor, or IT administrator. They set the From display name to match exactly (e.g., "John Smith, CEO").
- Sending address. The attacker uses a free webmail account (Gmail, Outlook.com, Yahoo) or registers a throwaway domain. The address itself may look plausible (john.smith.ceo@gmail[.]com) or completely unrelated. Most recipients never see it.
- Client rendering. Mobile email clients and many desktop clients show only the display name by default. On a phone, a message from "John Smith, CEO" appears identical whether it originates from john@company[.]com or a random Gmail account.
- Payload delivery. The spoofed message typically requests an urgent wire transfer, W-2 forms, gift card purchases, or a redirect to a credential harvesting page. The request leverages the impersonated authority to pressure the recipient into acting quickly.
MITRE ATT&CK catalogs this behavior under T1656 (Impersonation), which covers adversaries impersonating trusted senders to deceive targets into performing actions on the attacker's behalf.
Why Display Name Spoofing Bypasses Traditional Defenses
Standard email security controls fail against display name spoofing because they validate the wrong layer.
Authentication passes. SPF verifies the envelope sender domain. DKIM validates message integrity against the signing domain. DMARC checks that one of those domains aligns with the domain in the From header's addr-spec. All three evaluate the actual sending domain, which is legitimate. The display name is a free-text field that no authentication protocol validates. NIST SP 800-177 Rev. 1 details these authentication mechanisms and their scope, noting that domain-based controls verify the sending domain, not the human-readable identity.
Content filters miss the context. A message reading "Please process the attached invoice" is not inherently suspicious. The social engineering operates through sender identity, not through malicious content, links, or attachments. Signature-based and content-based scanning tools have no signal to act on.
Scale and simplicity. Display name spoofing requires no infrastructure, no compromised accounts, and no technical sophistication. An attacker needs only a target's name, their employer, and a free email account. This low barrier makes it the default impersonation method in CEO fraud and vendor email spoofing campaigns.
Display Name Spoofing Detection from IRONSCALES
IRONSCALES detects display name spoofing through behavioral AI that compares sender identity patterns against established communication baselines for each user.
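As an added illustration of the underlying check (not IRONSCALES' code, and far simpler than a learned per-user baseline), the script below parses the RFC 5322 From header into its display name and addr-spec, then flags messages whose display name matches a trusted contact while the addr-spec domain is one that contact has never used. The directory, domains and sample messages are constructed for the example.

```python
import email
from email import policy
import unicodedata

# Constructed directory (hypothetical values): display names the organisation
# trusts, mapped to the addr-spec domains each is known to send from.
TRUSTED_SENDERS = {
    "john smith": {"company.example"},
    "jane doe": {"company.example", "vendor.example"},
}

def normalize_name(display_name: str) -> str:
    """Fold case and Unicode, drop a title after a comma, collapse whitespace."""
    name = unicodedata.normalize("NFKC", display_name).split(",")[0]
    return " ".join(name.lower().split())

def check_from_header(raw_message: bytes) -> dict:
    """Parse the RFC 5322 From header and compare its two parts.

    Verdicts: 'ok' when the display name belongs to a trusted contact and the
    addr-spec domain is one they use, 'display-name-spoof' when the name
    matches but the domain does not, otherwise 'unknown-sender'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return {"display_name": "", "addr_spec": "", "verdict": "missing-from"}
    addr = header.addresses[0]  # RFC 5322 allows several mailboxes; check the first
    domain = addr.domain.lower()
    known = TRUSTED_SENDERS.get(normalize_name(addr.display_name))
    if known is None:
        verdict = "unknown-sender"
    elif domain in known:
        verdict = "ok"
    else:
        verdict = "display-name-spoof"
    return {"display_name": addr.display_name, "addr_spec": addr.addr_spec,
            "verdict": verdict}

# Constructed sample messages (not real traffic).
SPOOFED = (b'From: "John Smith, CEO" <john.smith.ceo@gmail.example>\r\n'
           b"To: finance@company.example\r\nSubject: Urgent wire transfer\r\n\r\n"
           b"Please process the attached invoice today.\r\n")
LEGIT = (b"From: John Smith <john@company.example>\r\n"
         b"To: finance@company.example\r\nSubject: Q3 numbers\r\n\r\nSee attached.\r\n")

if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT):
        print(check_from_header(raw))
```

A production detector replaces the static directory with per-recipient history of which addr-spec each display name has previously arrived from, which is the baseline comparison described above.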