In email spoofing, the sender of an email is faked to give the impression that the message comes from a trustworthy source. The sender’s address is manipulated so that the email appears to come from a well-known company, authority or person known to the recipient, for example.
The header fields of the email are what matter for email spoofing, above all the Header-From: it states the address the message claims to originate from. When you send an email, your client fills this field in automatically, and the Header-From carries not only the sender’s address but also the sender’s display name. In a spoofing attack, criminals replace both with a trustworthy-looking sender address and a plausible sender name.
Spoofing is related to social engineering. In social engineering, human characteristics such as helpfulness, trust, fear or deference to authority are exploited to skilfully manipulate people. While social engineering uses emotions to persuade the recipient to carry out certain actions, spoofing creates the technical conditions to achieve the attacker’s objectives.
These goals include, for example, spying on account or access data, obtaining money or spreading malware.
How does mail spoofing work?
In email spoofing, an email is sent with a faked sender name or faked sender address without the attacker having any access to the real email account. This is possible because every email has two sender fields: the MAIL FROM (the envelope sender used during the SMTP transaction) and the Header-From (the From line in the message itself). Email clients display only the Header-From. The attacker exploits the fact that the email protocol (SMTP) does not verify either field, and simply inserts falsified sender information.
Email spoofing is possible in various ways. With the help of scripts or programming languages that support SMTP, spoofing can be easily automated.
For example, it is possible to set any sender address in PHP using the mail() function – and this is exactly what attackers abuse.
Here is an example:
<?php
$to = 'opfer@example.com';
$subject = 'Wichtige Nachricht';
$message = 'Bitte klicken Sie auf folgenden Link...';
// mail() passes the header string through verbatim: nothing checks that the
// sending script is entitled to use this From address or display name.
$headers = "From: info@beispielbank.de\r\n";
$headers .= "Reply-To: info@beispielbank.de\r\n";
$headers .= "X-Mailer: PHP/" . phpversion();
mail($to, $subject, $message, $headers);
?>
To the recipient it looks as if the mail was sent from the address given in the From header, info@beispielbank.de.
How do I recognise email spoofing?
Analyse the email header
Be suspicious
This applies to unexpected emails, urgent or threatening emails or demands for money or data.
Check the sender’s address
View the full sender address. Look out for misspelled letters in the domain or domain additions.
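The distinction between the envelope sender (MAIL FROM) and the Header-From described above, and the sender-address checks listed here, can be carried out on the raw message. The following Python script is an added example, not code from the original article or from NoSpamProxy: it parses a constructed message with the standard library, reads the envelope sender from the Return-Path header (which the receiving mail server writes from the SMTP MAIL FROM), and reports a mismatch between envelope and Header-From, a Reply-To that diverts replies elsewhere, misspelled or extended lookalike domains, and a trusted brand name in the display name in front of an unrelated address. The trusted-domain allow-list, the sample messages and all domains in them (beispielbank.de, beispie1bank.de, mailer-xyz.example, freemail.example) are hypothetical values constructed for the example.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Hypothetical allow-list: domains the recipient actually does business with.
TRUSTED_DOMAINS = {"beispielbank.de"}

# Constructed sample 1: exact spoof of the trusted domain in the Header-From,
# but the envelope sender and the Reply-To point elsewhere.
RAW_SPOOFED_FROM = """\
Return-Path: <bounce@mailer-xyz.example>
From: "Beispielbank Kundenservice" <info@beispielbank.de>
Reply-To: service@beispie1bank.de
To: opfer@example.com
Subject: Wichtige Nachricht

Bitte klicken Sie auf folgenden Link...
"""

# Constructed sample 2: display name borrows the brand, address is a free-mail account.
RAW_DISPLAY_NAME_TRICK = """\
From: "Beispielbank Kundenservice" <kundenservice.beispielbank@freemail.example>
To: opfer@example.com
Subject: Ihr Konto

Bitte bestaetigen Sie Ihre Daten...
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    Covers the two patterns from the text: misspelled letters (near-identical
    string) and 'domain additions' (trusted name embedded in a longer domain).
    """
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if domain.endswith("." + t):
            continue  # genuine subdomain of the trusted domain
        brand = t.split(".")[0]
        if brand in domain:  # e.g. beispielbank-secure.de, beispielbank.de.attacker.example
            return t
        if SequenceMatcher(None, domain, t).ratio() >= 0.8:  # one or two swapped letters
            return t
    return None


def brand_in_display_name(display_name: str, trusted: set) -> bool:
    """True if the display name names one of the trusted brands."""
    name = display_name.lower()
    return any(t.split(".")[0] in name for t in trusted)


def analyse(raw: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Parse a raw message and return the sender fields plus a list of findings."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))  # MAIL FROM as recorded by the MTA
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, env_dom, reply_dom = (domain_of(a) for a in (from_addr, envelope_addr, reply_addr))

    findings = []  # (code, human-readable detail)
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(("envelope_mismatch",
                         f"MAIL FROM domain {env_dom} differs from Header-From domain {from_dom}"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch",
                         f"replies would go to {reply_addr}, not to {from_addr}"))
    for field, dom in (("from", from_dom), ("reply_to", reply_dom)):
        target = lookalike_of(dom, trusted)
        if target:
            findings.append(("lookalike", f"{field} domain {dom} imitates {target}"))
    if from_dom not in trusted and brand_in_display_name(display_name, trusted):
        findings.append(("display_name_impersonation",
                         f'display name "{display_name}" but address is {from_addr}'))

    return {"display_name": display_name, "from": from_addr, "envelope": envelope_addr,
            "reply_to": reply_addr, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample 1", RAW_SPOOFED_FROM), ("sample 2", RAW_DISPLAY_NAME_TRICK)):
        result = analyse(raw)
        print(label, "->", result["from"])
        for code, detail in result["findings"]:
            print("  ", code, ":", detail)
```

An envelope/header mismatch on its own is not proof of spoofing (mailing-list software and newsletter providers routinely send with their own bounce address), so the findings are best read together: a trusted From domain combined with a foreign Return-Path and a lookalike Reply-To is the pattern a reader should treat with suspicion before following any link or instruction in the message.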
Why is spoofing dangerous?
You think you would never fall for spoofing? Spoofing is dangerous precisely because it abuses trust: financial damage, a ruined reputation or infection with malware are just some of the possible consequences of a spoofing attack.
For example, an employee of automotive supplier Leoni AG received an email that purported to come from the Management Board. The sender’s address was forged and the email was in perfect German, with instructions to transfer a large sum of money to a foreign account.
Another case: attackers forged emails to the automotive supplier Toyota Boshoku that looked like internal payment instructions, allegedly from management. An employee in the finance department was persuaded to transfer money to an account that did not belong to Toyota, but to the criminals.
And even security experts like Troy Hunt are not safe from spoofing and have already fallen victim to criminals.
How can I protect myself against spoofing?
SMTP alone is not able to check the authenticity of an email. Emails with a forged ‘From’ line and a forged display name end up directly in your inbox. So how can you protect yourself?
In addition to options such as two-factor authentication (2FA) or the general advice not to open links or attachments from unknown senders, there are various technical measures you can take:
Not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company from scamming attacks and benefit from many other security features. Request your free trial version now!