“Spoofing” is defined as a good-natured imitation—think the Scary Movie series, a spoof of the Hollywood horror genre. In cybersecurity, email spoofing refers to malicious impersonation of email addresses. Email spoofing is a threat that has grown increasingly serious in recent years and is a tactic used in business email compromise (BEC) attacks. According to the FBI’s latest Internet Crime Report, BEC cost US victims more than $1.7 billion in 2019.

What is email spoofing?

Email spoofing is a form of hacking designed to trick email recipients into believing the sender is a familiar brand, such as Microsoft or PayPal, or a known acquaintance. It’s a standard element of both phishing and spear phishing. Consider the following example: You get an email from support@appIe.com asking you to confirm your password for your iTunes account. It’s a reasonable request, so you click on the link and fork over your Apple ID and password to a hacker.

What happened? To understand the attack, you have to know the difference between apple.com and appIe.com. Say what? They look the same, but they’re not. One is apple.com, the website for the real company and the second is appIe.com with a capital “i” replacing the lowercase “l” in “apple.” It’s a URL set up by a hacker, and no human user could ever tell the difference.

[Related] The Anatomy of a Spear Phishing Email

The continuum of email spoofing

Email spoofing exists on a continuum of sophistication. While some forms of spoof attacks are quite simple, others require a high degree of technology skill and resources. There are three main types of spoofing along this spectrum:

Display name spoofing

This is a simple but effective approach to email spoofing. With email, the sender’s name is usually displayed but the email address is not. This is almost always the case on mobile devices. Here’s how it works: You get an email on your mobile device from the display name “Peter Williams,” but the actual email address is xyz22@gmail.com. The attacker is working under the assumption that most busy people, especially those on mobile, won’t check the sender email address carefully, and they often don’t.

When combined with social engineering, as might occur with spear phishing, display name spoofing can trick people into taking actions they otherwise would not. For instance, the attacker will research the target and use known facts to establish trust before making a request. This is often the strategy in business email compromise, otherwise known as CEO fraud, in which a hacker impersonates a high-level executive and demands that an employee send a wire transfer.

As an example, let’s say the CEO of your company is named Don Smith. You receive a message from “Don Smith” <dummy667@gmail.com> on a weekend. It starts with something innocuous like, “Jim, are you there?” Because the email is supposedly from the CEO, you quickly respond to say that you’re available. The attacker continues,  “I’m on a trip. We’re closing a confidential merger agreement. As it’s the weekend, no one is in the office. I need you to wire $100,000 right away to the following bank account to finalize this merger. I trust you to tell no one as this is a very sensitive situation. This is a very pressing matter so please proceed and confirm immediately.”

It doesn’t matter that the CEO would never email you from a Gmail address and would never issue such a request on a weekend. Under the right circumstances, recipients can easily be fooled.

Domain spoofing

With the right tools, an attacker can send a phishing email that appears to come from a legitimate domain. For example, an attacker could send an email that appears to come from support@bofa.com, a legitimate Bank of America email address. Except, it doesn’t actually come from that address. It’s a phishing email designed to get you to click on a URL that sends you to a spoofed webpage that looks like www.bofa.com. Domain spoofing has become harder to do, though, due to the proliferation of standards like the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). Once incorporated into DNS settings, SPF or DKIM prevent unauthorized user of domain names for spoofing attacks. Not everyone uses these, however.

Cousin domains

The apple.com example above is a cousin domain. This form of hacking tricks the target by creating a send domain that’s close to or even indistinguishable from the real domain. The technique might involve using the .co domain extension instead of .com or by adding or subtracting a letter from the URL. For example, let’s say your company is called Maine Express and has the domain maineexpress.com. A spoofer could register the domain mainexpress.com or maineexpresss.com and fool at least a portion of email recipients. We often see spoofing that simply adds a reasonable-looking word to the URL, making it maineexpressglobal.com and so forth.

[Infographic] Cloud Email: The Bigger the Target, the Easier the Aim

Protecting yourself from email spoofing attacks

Employee training is your first line of defense. Though some spoofing attacks are extremely hard to detect, many are easy to spot, and with the right awareness training, your employees can make a difference. Establishing clear policies about processes like sending wire transfers also helps mitigate the risk of phishing and spear phishing attacks. To counter the close cousin attack, some businesses deliberately buy all similar domains. This has the added benefit of reducing the risk of trademark infringement.

Finally, advanced email security solutions can quickly analyze inbound emails for signs of spoofing. Vade Secure for Office 365 can inspect an email and determine if the visible alias and email address are consistent with the company’s entity model. It also adds an SPF-like layer into the email filtering process that spots unauthorized use of legitimate domain names, as well as close cousin domains detection. To detect spear phishing, the solution looks for revealing inconsistencies in email structures and calls to action within the email content (e.g. wire transfer request, gift card requests, urgency, etc.). If spear phishing is suspected, a customizable warning banner is placed inside the email alerting the email to a suspected spoofing attempt.