The word spoof means falsified. A spoofed email is one in which the sender deliberately alters parts of the message so that it appears to have been written by someone else. Most often the sender's name and address, and the body of the message, are dressed up to look as if they came from a legitimate source. Sometimes the spoofer makes the email appear to come from an ordinary private individual instead.
A spoofed message can appear to be sent from a coworker, a bank, a family member or any number of seemingly trustworthy sources. A good spoof will look like any other email that you would normally receive.
Warning: If you suspect you have received a fraudulent message DO NOT click any link in the message or enter any information that is requested.
Why do people spoof email?
In many cases, the spoofed email is part of a phishing (scam) attack. In other cases, a spoofed email is used to dishonestly market an online service or sell you a bogus product. The intent is to trick the recipient into making a damaging statement or releasing sensitive information, such as passwords. If you're receiving bounced (returned) emails for messages that you never sent, this could be a case of spoofing.
Identify a spoofed message
It is vital that users understand that an email which appears to come from a co-worker may be forged. That is exactly what spoofing is: the display name and address you see are chosen by the sender, not checked by the mail system.
Scammers alter different parts of an email to disguise who actually sent it. To check the properties below you will need to open the full headers of a message you suspect has been spoofed. Properties that are commonly spoofed:
FROM email@example.com (On any spoofed message this will appear to come from a legitimate source; it is the easiest field to forge and proves nothing on its own.)
REPLY-TO This can also be spoofed, but a careless scammer often leaves their real address here, because that is where they want your reply to land. If the address here differs from the From address, the message may have been spoofed.
RETURN-PATH This is the address bounces go to, recorded by the mail server from the sender's SMTP envelope. It can also be spoofed, but a careless scammer often leaves their real sending address here. If it differs from the From address, the message may have been spoofed.
SOURCE IP address, found in the Received: header that your own mail server added (some providers also record it in a header such as X-Originating-IP). This is harder to alter, but not impossible.
The first three properties are simply text supplied by the sender; a mail client lets the sender set the name, address and Reply-To, and any program that speaks SMTP directly can set all three, because SMTP never verifies them. The fourth property, the source IP, is the one piece recorded by the receiving side rather than the sender. Only the Received: line added by your own server is trustworthy; earlier Received: lines arrive as part of the message and can be fabricated, so making a false source convincing takes more skill.
In this example, the recipient appears to have received a message from their office assistant requesting money. The subject line alone should raise suspicion. The recipient should contact the assistant through another channel (phone, chat, or in person) to confirm that they did not send this message. Next, find out who actually sent it by opening the message headers.
In this message header snippet, the From: field shows the message as sent from "Assistant" firstname.lastname@example.org. However, the REPLY-TO: field lists email@example.com, a different address at a different domain. That is a clear-cut example of a spoofed message. Blacklist any address you find in the REPLY-TO, RETURN-PATH, and SOURCE IP fields that is not an address or IP you normally receive mail from.
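The header comparison described in the property list above and in the "Assistant" example, as an added example that is not part of the original article. It parses a raw message with Python's standard email library, compares the domains of From, Reply-To and Return-Path, takes the source IP only from the Received: line added by the recipient's own server, and produces the list of addresses and IPs to blacklist. Both sample messages are constructed for this example, modelled on the article's placeholders; the server name mx.example.org, the IPs (documentation ranges) and the hostnames are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample modelled on the article's "Assistant" example.
# Addresses are the article's placeholders; hosts and IPs are assumed
# values from documentation ranges, not real infrastructure.
SPOOFED_RAW = b"""Return-Path: <email@example.com>
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.org (Postfix) with ESMTPS id 4AbC
    for <user@example.org>; Mon, 01 Jan 2024 09:00:00 +0000
Received: from [10.0.0.5] (unknown [198.51.100.7])
    by mail.example.net with SMTP; Mon, 01 Jan 2024 08:59:00 +0000
From: "Assistant" <firstname.lastname@example.org>
Reply-To: email@example.com
To: user@example.org
Subject: Urgent - need you to wire funds today
Date: Mon, 01 Jan 2024 08:59:00 +0000

Are you at your desk? I need a payment sent before noon.
"""

# Constructed legitimate message from the same assistant, for comparison.
LEGIT_RAW = b"""Return-Path: <firstname.lastname@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.25])
    by mx.example.org (Postfix) with ESMTPS id 4DeF
    for <user@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
From: "Assistant" <firstname.lastname@example.org>
To: user@example.org
Subject: Lunch order
Date: Mon, 01 Jan 2024 10:00:00 +0000

The usual?
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lower-cased domain part of an address header value, or None if absent."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def source_ip(msg, our_host):
    """IP the message arrived from, read ONLY from the Received: line that our
    own server (our_host, an assumed name) added. It is the topmost such line
    and the only hop the sender cannot forge; every earlier Received: line was
    supplied by the sender and may be fabricated."""
    for line in msg.get_all("Received", []):
        text = str(line)
        if f"by {our_host}" in text:
            match = IP_RE.search(text)
            return match.group(1) if match else None
    return None


def analyze(raw, our_host="mx.example.org"):
    """Compare From against Reply-To and Return-Path, pull the source IP, and
    return the findings plus the addresses/IPs that should be blacklisted."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings, blocklist = [], set()
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
            blocklist.add(parseaddr(str(msg[name]))[1])
    ip = source_ip(msg, our_host)
    if findings and ip:
        # Only block the sending IP once the address checks already flagged it.
        blocklist.add(ip)
    return {
        "from_domain": from_dom,
        "source_ip": ip,
        "findings": findings,
        "blocklist": sorted(blocklist),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        result = analyze(raw)
        print(f"{label}: source IP {result['source_ip']}")
        for finding in result["findings"]:
            print("  !", finding)
        print("  blacklist:", result["blocklist"] or "nothing")
```

Note that a matching Reply-To and Return-Path do not prove a message is genuine, since a more careful scammer sets both to match; the check catches the lazy case the article describes. The source IP is taken only from your own server's Received: line for the reason given above: the lower Received: line in the spoofed sample (198.51.100.7) arrived inside the message and could say anything.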
User education is the first line of defense against these types of attacks. If a user receives a spoofed message:
- Blacklist any address/IP listed in the REPLY-TO, RETURN-PATH, or SOURCE IP that you have determined to be fraudulent.
- Immediately change the password of your email account if you or your users provided that information at any point.
- Alert the rest of your business to the situation.
Spoofing is possibly the most frustrating abuse issue to deal with, simply because it cannot be stopped at the source: the SMTP protocol that carries email never verifies who actually wrote a message. Spoofing is similar to hand-writing many letters and signing someone else's name to each of them. You can imagine how difficult that would be to trace.