How to Protect
Your Company From
Email Spoofing

How to Protect <br class="irn-hide-xl">
Your Company From <br class="irn-hide-xl">
Email Spoofing

By now, most employees know misspellings, fishy links, and questionable attachments are the telltale signs of an email scam. While this is notable evidence of successful employee education, scams and cyberattacks have only gained sophistication. Even the most savvy employees can fall for a clever email spoofing campaign.

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased, and in 2020, the average breach costs organizations $3.92 million. Since spoofing is often the first step in a costly breach, your business has a major incentive to prevent these attacks before they occur. In this piece, we’ll explore email spoofing more closely and offer useful suggestions to protect you and your company.

What is Email Spoofing

Email spoofing is a technique scammers use to make fraudulent emails appear as if they came from a known entity. By impersonating someone familiar, scammers phish for sensitive information such as company credit card numbers, payroll data, and even login credentials to corporate networks. Many cybercrimes start with spoofing, which allows attackers to gain access and trust, then grow into more sophisticated and costly attacks.

The Evolution of Email Spoofing

In spite of the few email filtering options available, spoofing morphed into a major global security issue by the 2000s. In response, the European Union released a Directive on Privacy and Electronic Communications in 2002, making it illegal to send unsolicited communications without the prior consent of the recipient.

The US followed suit in 2004, but these regulations overwhelmingly failed at completely eliminating spoofing and other types of email-based spam. Even with today’s advanced cybersecurity tools, 3.1 billion domain spoofing emails are sent per day, and over 90% of cyberattacks start with an email message.

How Does Email Spoofing Work?

Attackers evade
spam filters by:

Configuring sender addresses to look like they are from an internal domain or a familiar external domain: These addresses may look like supplier addresses, coworker addresses, or even governmental institution addresses.
Using exact sender names (JeffBezos@technologybusiness123.com),
similar sender names (JeffBizos@technologybusiness123.com),
lookalike or cousin domains (JeffBezos@amaz0n.com) to fool unsuspecting recipients or
exact domain spoofs (JeffBezos@amazon.com).
Manipulating the Reply-To field to direct emails with potentially confidential information straight to a fake account.

On a more technical level, <br class="irn-hide-xl"> spoofing is possible for <br class="irn-hide-xl"> the following reasons:

On a more technical level,
spoofing is possible for
the following reasons:

Outgoing email servers cannot detect whether a sender’s email address is legitimate.
Email API endpoints permit attackers to send emails using addresses that don’t exist.
Secure Policy Framework (SPF) can identify most spoofed emails, but attackers rely on the fact that the domain holder must specify all IP addresses authorized to send messages and might miss a few.
Attackers also know that even if IP addresses don’t meet an organization’s standards, attackers know that recipients rarely validate that an email has a “PASS” SPF status before hitting reply.

An Example of Email Spoofing

So what does a spoofed email look like? Let’s review the following example:

For one, the sender is impersonating "Medical Suppliers", using Display Name Spoofing and Domain Name Impersonation.

Alex, who is the head of Denver Dialysis Center procurement, might receive this email thinking that he forgot to pay an important invoice.

The email looks like it was sent by his contact at Medical Suppliers, Inc., Michelle, and it references the correct invoice number. But upon further examination, there are a few clues that point to Display Name Spoofing and Domain Impersonation.

Explanation How Email Spoofing Looks Like

The body of the email has odd language, too. $1,000 fee seems like an arbitrary late payment, and there aren't any details around how late fees are structured going forward.

Moreover, the email contains a link that will likely direct Alex to a fake portal where he'll be prompted to input his credentials and provide payment information.

And even if he doesn't click on the phony link, any replies he sends (which could contain sensitive procurement-related information) will go to the suspicious email address in the Reply-To field: "xyz@hotmail.com".

<br/>
<br/>
<br/>
<br/>
For one, the sender is impersonating "Medical Suppliers", using <b>Display Name Spoofing</b> and Domain Name Impersonation.

For one, the sender is impersonating "Medical Suppliers", using Display Name Spoofing and Domain Name Impersonation.

<br/>
<br/>
<br/>
<br/>
<br/>
<p>Alex, who is the head of Denver Dialysis Center procurement, might receive this email thinking that he forgot to pay an important invoice. </p>
<p>The email looks like it was sent by his contact at Medical Suppliers, Inc., Michelle, and it references the correct invoice number. But upon further examination, there are a few clues that point to Display Name Spoofing and Domain Impersonation.</p>

Alex, who is the head of Denver Dialysis Center procurement, might receive this email thinking that he forgot to pay an important invoice.

<br/>
<br/>
<br/>
The body of the email has odd language, too. $1,000 fee seems like an arbitrary late payment, and there aren't any details around how late fees are structured going forward.

The body of the email has odd language, too. $1,000 fee seems like an arbitrary late payment, and there aren't any details around how late fees are structured going forward.

<br/>
<br/>
<br/>
<br/>
<br/>
<p>Moreover, the email contains a link that will likely direct Alex to a fake portal where he'll be prompted to input his credentials and provide payment information. </p>
<p>And even if he doesn't click on the phony link, any replies he sends (which could contain sensitive procurement-related information) will go to the suspicious email address in the Reply-To field: "xyz@hotmail.com". </p>

Moreover, the email contains a link that will likely direct Alex to a fake portal where he'll be prompted to input his credentials and provide payment information.

Common Tips for Preventing Email Spoofing

There are several common methods typically discussed as barriers to email spoofing.
Let’s look at their benefits and limitations more closely:

Name

SPF

Description

Sender Policy Framework (SPF) checks the IP addresses of incoming emails against a company’s Domain Name System (DNS).
If sender addresses don’t meet DNS conditions, emails are rejected, keeping malicious emails from ever entering employees’ inboxes.
Works at the SMTP level.

Limitation

SPF is limited to 10 lookups. Many companies have multiple cloud-based services that can send messages, causing companies to bump up against this restriction almost immediately.
Records only apply to specific Return-Path domains and not those found in the ‘from’ address. This leaves a window for scammers to create messages that will authenticate, allowing scammers to spoof the visible “From” field.

Example:

From: Bank of America <billpay@billpay.bankofamerica.com>
Return-Path: <recepcionfacturas@grupo-emsa.com.mx>
Subject: Your eBill Due Date Is Approaching

Name

DKIM

Description

DomainKeys Identified Mail (DKIM) acts as a second layer of protection after SPF.
DKIM confirms sender domains and verifies that emails are sent from valid sources.
DKIM assigns a public key to each sender’s DNS record and creates a private key for outgoing email. If the keys match in an email exchange, it means that the messages weren’t interfered with in transit.

Limitation

DKIM is famously challenging to implement.

Perhaps for this reason, and the fact that a missing DKIM signature does not always mean a message is fraudulent, do if it is missing, the email will always get delivered.
However, as with SPF, DKIM does not prevent a scammer from spoofing the visible ‘from’ field.

Example:

From: Billpay <billpay@billpay.bankofamerica.com>
Return-Path: <tua02@tribunalesagrarios.gob.mx>
Subject: Your eBill for Alex H. Lehocky

Name

DMARC

Description

Domain-based Message Authentication, Reporting, and Conformance (DMARC) notifies domain owners when a spoofed email is detected and allows them to decide what should happen to that email.
Admins can send spoofed emails to a spam folder or reject them outright.

Limitation

Only works if SPF and DKIM are applied properly by the sender and receiver.
Cannot protect against display name spoofing or domain impersonations.

Name

Awareness
training

Description

Teaches employees common security practices like, being wary of emails that seem extra urgent, paying close attention to sender addresses, never sharing passwords or clicking into a website they’ve never been to, and changing their passwords often.
Phishing tests are a good way to assess your employees’ security knowledge and keep them on their toes.

Limitation

Training only goes so far一employees aren’t actively looking for phishing emails like security teams might be, and they don’t always abide by your company’s security regulations.
Employees don't recognize the nuance of every threat, so education can only be one step in a robust cybersecurity process.
Phishing tests can help, but scammers are constantly developing new techniques and leveraging social engineering, making it tough to test for every possibility and all it takes is one lapse of concentration.

How to Successfully Prevent Email Spoofing

Email is now completely enmeshed with work, making spoofing prevention a baseline requirement in any organization.

Commonly used strategies like SPF, DKIM, and DMARC have severe limitations, even when employed simultaneously. In fact, as more companies adopt those tactics, attackers launch more domain impersonation attacks that SPDF, DKIM, and DMARC cannot protect against.

Read our 3 part blog series Understanding-DMARC: What’s Driving All the Hype?

Modern spoofing prevention requires a blended approach of human and machine collaboration.
Wading through thousands of emails a day and picking up on new abnormalities is an impossible task for humans alone, but not for computers.

AI systems flag possible attacks
so that humans can review them for accuracy.

Spoofing Email With Someone Pretending To Be Tim Cook

Admins then provide feedback to the algorithm to make it
stronger, creating an even more robust layer of protection.

AI-powered anomaly detection tools analyze both user behavior patterns and email metadata, helping the algorithms and platform better identify and respond to new spoofing techniques.

To react to spoofed emails quickly and effectively, organizations must layer advanced mailbox anomaly detection on top of SPF, DKIM, DMARC, and training.

Learn more about advanced mailbox-level anomaly detection.

Stop Spoofing With An Advanced Email Security Platform

IRONSCALES is a pioneer in the cybersecurity space, detecting email spoofing and other advanced threats better than any other platform on the market. The IRONSCALES platform includes mailbox-level anomaly detection, anti-phishing tools, and protection against business email compromise (BEC). And with intelligent automation, IRONSCALES can stop phishing emails before they even hit your employees’ inboxes.