Crafting a spoofed email is a common method hackers use to attempt to gain access to sensitive information.

Luckily, there are many awareness and protection strategies you can employ today to help recognize and avoid a spoofed email.

What is email spoofing?

Hackers have developed countless methods of tricking us into clicking illegitimate links, emails or websites. One of these methods is email spoofing – a technique used to trick recipients into thinking a message came from a person or entity they know or trust. In a spoofed email, the sender forges email headers so that the forged sender’s name or address is displayed, which most recipients will have no reason to doubt. Unless they inspect the header more closely, users see a name they recognize and therefore suspect no fraudulent activity. So they’ll click malicious links, open malware attachments or send sensitive data.

Find out how to detect and avoid your next spoofed email.


First Things First: How to Identify a Spoofed Email

Creating a spoofed email that appears in your regular inbox is a popular technique that attempts to trick the user into thinking they received message from a person they trust and know in real life. Imagine a cyber criminal impersonating you so well that your loved ones, boss, or clients can’t differentiate between the two. This is the unfortunate reality and power that a spoofed email can possess. It’s a scary realization but is becoming more and more common.

Unless inspected more closely, the user can’t see any risk in opening and interacting with the email content. Hackers know that people are more likely to trust an email if they recognize the sender’s name. In this situation, the user is far more likely to click malicious links, open attachments, and forward personal data and even corporate funds.

Does this happen in real life? Yes! Not every email service has valid security protocols in place to prevent a spoofed email from coming into the inbox. There are several tips you should employ when reviewing an email to determine whether the sender address is forged. Let’s explore them here.


Spoofed Email Characteristics and What to Look For

The main goal of a spoofed email is to trick users into believing a message comes from a person they either know or can trust – in most cases, a colleague, vendor, or brand. People of higher positions, like CEOs, bosses and even managers – can be targeted and impersonated. This is because hackers know that several employees report to these people of power, and often want to respond to their urgent requests in a timely manner and without question. If they don’t look closely enough, an attack may occur. Exploiting trust, attackers ask the recipient to divulge sensitive information or take other action, which might have some unpleasant consequences.

For example, an attacker might create an email that looks like it comes from PayPal, a well-known and trusted company that operates an online payments system. From that malicious email, the user is prompted to click the attached link and change his password, otherwise the account will be suspended. As soon as the naïve user types in requested credentials, the attacker gets the necessary information to authenticate into the targeted account. Now the hacker access to the user’s banking information on the account and can do as they please.

How to Identify a Spoofed Email

Spoofed Email Statistics

3.1 billion: number of spoofed emails sent per day.
90%: percentage of cyberattacks that begin with a spoofed email
$26 billion since 2016: worldwide financial impact spoofed emails have caused to businesses
467,000: number of successful cyber attacks reported by the FBI in 2019, of which 24% were based on using a spoofed email

Business Email Compromise – What is It?

Another very common cyberattack that uses a spoofed email is CEO fraud, otherwise known as business email compromise. Here, the skilled cybercriminal spoofs the sender’s email address to impersonate an executive or owner. This cyberattack usually targets an employee in finances or accounting. This is how highly sensitive information and money is transferred from businesses directly to cyber criminals.

Even very aware, cautious employees can be tricked into naively forwarding personal data or money when the request comes from someone they trust – especially an authority figure. For example, the Canadian City Treasure was tricked into transferring $98,000 from taxpayer funds by an attacker claiming to be a trusted city manager.


How to Spot a Spoofed Email – Tips and Tricks

Identifying a spoofed email does not have to be difficult or require loads of time or expertise. The most important thing to pay attention to is the sender’s address:

Does the email address match the display name?

Forgers can sign up for a free account (Gmail, Yahoo Mail, etc.), create an email address similar to someone else’s, and then set the display name to anything they want.

 Has the apparent sender ever used this address?

Remember whether this is the address you normally see when receiving emails from that particular person.

 Is the sender’s name spelled correctly?

The name might look familiar first, but when looking closer, you may see that there are letters out of place.

 Compare the ‘From’ address to the Reply-To address.

In Gmail, for example, click the triangle below the name to see address details.

Hackers are smart. They know how to navigate around email basics and make them look as reliable as possible. This means that examining the sender’s address may not be enough in some scenarios. Remember to run through the content as well by paying attention to these details”

Is the content suspicious?
Was the message expected? Did I ever sign up for emails from this organization?
Does the message make sense? Are there many spelling or grammar mistakes?
Is the message urgent? Are you are being pushed into providing personal information?

If the content doesn’t make sense and has a sense of urgency that pushes you to act immediately, then take a step back. Unsolicited requests for personal information should be taken seriously and avoided. If you are unsure about the authenticity, check your email notifications by logging in to your various accounts or speaking directly with the person the spoofer may be impersonating. If you’re still unsure, reach out to the individual or organization directly (NOT through any links or contact information provided by that sender) to confirm whether the email came from them. Don’t know their contact information? Just Google it!

It’s better to be safe than sorry.


Above all else – Use Common Sense!

Remember that the Internet is full of traps. Before responding to any questionable message, examine the received email for sense of urgency, suspicious links or attachments and any discrepancies that might draw your attention.

Trust your best instincts. If you feel like the email is strange, be cautious. Never take the message at face value if it requires any immediate action or personal information.