Email spoofing

Apply for SearchInform DLP TRY NOW

The number of cases of forgery of e-mail addresses is growing. Not always the email was actually forwarded by the user specified in the sender column. Modern technology makes it easy to spoof email.

Email Authentication

The creators of the Internet did not aim to double-check the identity of users. When the basic Internet mail protocols were formed, the cost of production capacity and ease of operation were counterbalanced by the risks of fraud. Back then, no one could have guessed that 85% of email addresses would carry malicious viruses, spam, or phishing.

The lack of e-mail protection opened up the possibility of forging e-mail headers, including the From - "From" and Reply-to - "Reply" fields. Using unsuspecting text, standard graphics, and formatting makes it easy to trick the recipient. A user who receives a phishing message will sincerely believe that the letter was sent by a bank, tax office, company director, or even the president himself.

The proliferation of e-mail only aggravates the information security crisis. Weak e-mail security opens the way for massive phishing attacks, whose victims click on malicious links, download and open viral files, and send personal information or transfer money to the accounts of fraudsters.

Examples of phishing attacks

Companies around the world suffer from email fraud. For example, as a result of a phishing operation, cybercriminals obtained information about the salaries of 600 employees of Coupa from Silicon Valley. In 2016, the Western European Leoni AG Corporation incurred losses of USD 45 million. An employee of the company transferred the money to the fraudster's account by mistake, not recognizing the fake e-mail.

According to FBI statistics, companies in the United States alone suffer $ 3 billion annually in damages related to email spoofing.

The resource maintains a list of W-2 phishing attacks, which is an analogue of the Russian 2-NDFL declaration. Analysis of the collected data shows a rapid increase in fraud cases over the past two years. The website database contains 204 incidents of forgery of email addresses for fraudulent purposes.

Fake email in five minutes

The initial stage of a phishing attack is forging an address in the "From" field. Why would a scammer fake sending an email from a real user's address when you can register a fake domain or create an account with a “friendly” name in any trusted email service? The point is that spoofing - forging a sender's email address - is much easier to do.

On the Internet, sites for sending fake letters are easily detected. Some resources provide such services for free, while others require payment. Paid services are positioned as sites for friendly jokes and declare that they operate strictly within the framework of the law.

To use such sites, you need to enter the recipient's e-mail in the "To" field and the desired e-mail in the "From" field, write the text - and click the "Send" button. According to the terms of the user agreement, the customers of the service are responsible for the possible damage.

The second method of spoofing involves sending messages using the UNIX command line. The efficiency of the method depends on the settings of the PC operating system.

Another way is to apply PHP code with additional add-ons like the example from the online tutorial on sending emails.

With any spoofing method, scammers use social engineering tools and additionally process emails to create a realistic message.

How to protect yourself from phishing attacks

An effective way to protect against counterfeiting is e-mail authentication using SPF records, DKIM signatures and DMARC. These are old technologies, but most active email addresses are not protected even by this. For example, only 4% of .gov domains use identification, which means that the remaining 96% are easy targets for scammers.

Email authentication ensures that the email is forwarded by a legitimate sender. Also, the owner of the e-mail has the right to control the sending of correspondence from the registered domain. Forced authentication allows you to block phishers, spammers, and "gray" senders who are not listed as legitimate and who are trying to forward messages from a registered e-mail.

Basic Authentication verifies that you have permission to send mail from a registered domain. Before sending an e-mail to the Inbox folder in the recipient's mailbox, the server checks:

  • SPF record, whether the sender has the right to use the domain name;
  • if there is a cryptographic DKIM signature, the system decrypts the headers of incoming correspondence and determines whether the letter was actually sent by the specified domain;
  • the DMARC setting allows the owner of the e-mail box to create rules for processing correspondence from domains that have not passed authentication, and to compare whether the headers of such letters match: the "From" and "Reply" fields.

Email authentication allows the domain owner to have full control over outgoing emails sent on their behalf. Statistics record the IP address of each sender who used the domain, the results of mail analysis according to the DMARC rules, the results of SPF and DKIM processing. The data is in XML format.

The best defense is the simultaneous use of different technologies.

DKIM - one of the best ways to protect your domain - does not guarantee complete email security. Verifying the DKIM signature alone is not enough to prevent spoofing, since the domain used in the signature may be different from the domain entered in the From field.

DMARC builds on and complements early services at the same time. The service allows you to: configure the authentication policy for incoming correspondence and generate reports.

By combining the two functions, the security of the email address is increased. You can check the presence of the DMARC setting on the services: and .