
Email spoofing: What it is and how to avoid it

Email spoofing is a cybersecurity risk that can catch even the most vigilant internet users off-guard. Malicious actors may use this social engineering tactic to alter email addresses and use them to launch phishing, email fraud, or business email compromise (BEC) attacks. But what exactly is email spoofing, and how can you avoid it? Let's find out.

Feb 11, 2025

11 min read


What is email spoofing?

Email spoofing is a tactic used in cyberattacks in which a hacker sends you an email with a fabricated sender address to make you believe it came from a trusted source. A scammer may pretend to be a bank, a government organization, a colleague, or a friend. Such social engineering techniques can be especially effective when hackers are looking to:

  • Extract victims' personal information.
  • Distribute malware.
  • Persuade targets to transfer money.
  • Disguise their identity.
  • Damage someone's reputation.
  • Find a gateway to launch DNS attacks or hijack browser cookies (for example, by getting the target to download malware).

While it's possible to notice email spoofing, it may be difficult, even for the most vigilant. And it's not just individuals — companies can suffer from email spoofing, too. For example, in 2024, a construction business in Australia encountered an email spoofing attack that almost left the company with a loss of $900,000. The scammers compromised a supplier's email account and sent a fraudulent invoice to the company, altering the bank account details to divert funds. Luckily, swift action from the local bank's customer protection team led to the recovery of the lost money.

And this case is not an isolated one. With reports of a growing number of phishing email attacks, it’s unlikely that the trend of email spoofing scams (or any email scam, for that matter) will die down anytime soon. That’s why understanding why and how email spoofing works is key to safeguarding yourself from potential harm.

How email spoofing works

Email spoofing works by exploiting the target's lack of attentiveness. First, hackers get hold of your email address. That's usually the easiest step because people publish their email address on social media, share it with others, or leave it in contact forms. Newsletters or online registration forms that intentionally collect data can leak it, too.

After snatching your email address, hackers can exploit it by:

  • Accessing your inbox with other leaked credentials (for example, a stolen password).
  • Breaching your online accounts (typically through a brute force attack).
  • Creating a lookalike email address to use against your colleagues and friends.
  • Infecting your computer with malware and using your email to spam others.

Not all email providers have strong email authentication protocols to filter out suspicious and poorly configured domains and emails. Therefore, hackers can exploit these loopholes to get their spoofed emails through.

Email spoofing techniques

Threat actors have several email spoofing techniques at their disposal, including those below.

Display name spoofing

Display name spoofing is an email spoofing tactic that (as the name suggests) focuses on forging the sender's display name. Scammers set the name in the email to match that of a trusted entity (for example, a company or a high-ranking corporate employee) and send emails to their targets. 

Since it’s impossible to create an exact copy of an email address, malicious actors may use dashes and other symbols to make the email handle as close to the legit one as possible (for example, using “John-johnson@email.com” instead of “John.johnson@email.com”). This technique is popular in phishing and BEC attacks because it deceives recipients into trusting the message and taking harmful actions, such as clicking on a malicious link, downloading malware, or transferring money.

Scammers may also take advantage of the fact that most email clients (such as Gmail or Outlook) prioritize the display name over the actual email address (for example, showing “John Johnson—CEO” instead of “123notascam@email.com”). That’s why it’s also important to double-check the sender’s email address and, if possible, compare it to the official email.

Domain spoofing

Domain spoofing is a cyberattack technique that manipulates the sender’s email address to impersonate a legitimate company. Unlike display name spoofing, which only forges the sender’s name, domain spoofing modifies or fakes the sender’s email domain to deceive targets into believing the email is from a trusted source.

Cybercriminals often try to impersonate different company domains (such as “support@paypal.com” or “hr@amazon.com”) to seem like an official representative of a legitimate company. Since they cannot duplicate real company domains, threat actors make minor changes, hoping that potential victims will not notice the discrepancies (such as “support@paypa1.com” or “h.r@amazon.com”).

Full email header spoofing

Full email header spoofing is an advanced email forging technique that goes beyond the display name or the domain. Instead of changing only the sender's name or domain, malicious actors manipulate the entire email header, including fields such as:

  • From (fake sender address, such as "support@paypal.com" instead of the attacker's real email).
  • Reply-To (redirects responses to a different address controlled by the attacker).
  • Return-Path (determines where bounced emails go, often altered to avoid detection).
  • Received (hides the actual origin of the email).
  • Message-ID (can be faked to match the impersonated domain).

This type of email spoofing is particularly dangerous because it can look unquestionably legitimate to unsuspecting users. In addition, full-header spoofed emails can bypass spam filters (if attackers manipulate the "Return-Path" and "Received" headers) and require additional effort (such as manually checking and analyzing the email header fields) to sniff out.

Detecting email spoofing

Detecting email spoofing is a feat that requires vigilance. To make it easier, here’s a list of tips that may help you spot the telling signs of email spoofing.

  • Check the sender’s address. Sometimes, looking at the sender’s address is all it takes to catch a scam. If you see weird symbols or unusual spelling in the sender’s email address, someone’s likely trying to scam you.
  • Compare the “From” address to the “Reply-to” address. This method requires some extra effort, but it can help you find the discrepancies in case of email spoofing. If you’re using Gmail, all you need to do is open the email, click the three dots in the top right side of the page, and click “Show original.” Then, compare the “From” and “Reply-to” fields. If they don’t match, it’s an immediate red flag.
  • Look for spoofed web links. Spoofed emails often contain phishing links and spoofed URLs that may lead to fraudulent login pages or websites that host malware. Instead of clicking the link immediately, hover on it for a few seconds until the browser shows the website’s address (typically on the bottom left of the browser screen). If the revealed URL looks suspicious, do not click on it. You can also use a link checker to properly check the link’s safety.
  • Check the spelling, grammar, and visual layout. Grammatical errors are among the most common red flags regarding phishing, email spoofing, and other email scams. Carefully read the email’s content and avoid interacting with those littered with spelling, grammar, and logic mistakes. In addition, be cautious of emails with oversized logos, low-quality images, or inconsistent formatting because these can indicate scam attempts.
  • Be wary of suspicious attachments. Spoofed emails often contain suspicious attachments that typically host malware. Before opening any files attached to an email, ensure the sender is legitimate. And even then, use additional tools, such as NordVPN’s Threat Protection Pro™ feature, which blocks malicious downloads before they can get onto your computer.
  • Keep an eye out for threats, a sense of urgency, and offers that seem too good to be true. Scammers get what they want by nudging you to act without thinking twice. For that reason, spoofed emails often include messages that prompt strong emotions, such as joy ("Congratulations, you've won the special lottery!") or fear ("Your account has been compromised; act quickly to recover it"). If an email contains threats, creates a sense of urgency, or sounds too good to be true, it's a scam nine and a half times out of ten.
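The header checks described above (display-name impersonation, lookalike domains, and From / Reply-To / Return-Path mismatches) can be automated. The following is an added example written for this article, not code from NordVPN; the trusted-contact list, the sample message, and the domains example.com, examp1e.com and mailer-xyz.test are all constructed for the demo.

```python
# Added example: flag the spoofing indicators from the article in raw email
# headers. Contacts and the sample message below are constructed, not real.
from email import message_from_string
from email.utils import parseaddr
import difflib

# Hypothetical address book of senders the recipient actually trusts.
TRUSTED = {"john.johnson@example.com": "John Johnson"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoofing_indicators(raw):
    msg = message_from_string(raw)
    findings = []
    name, frm = parseaddr(msg.get("From", ""))
    frm = frm.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # 1. Display-name spoofing: a trusted name on an address we do not know.
    if name and name in TRUSTED.values() and frm not in TRUSTED:
        findings.append(f"display name '{name}' used with unknown address {frm}")
    # 2. Lookalike domain: very similar to, but not equal to, a trusted domain.
    trusted_domains = {domain_of(a) for a in TRUSTED}
    if domain_of(frm) not in trusted_domains:
        for td in trusted_domains:
            if difflib.SequenceMatcher(None, domain_of(frm), td).ratio() >= 0.8:
                findings.append(f"lookalike domain {domain_of(frm)} resembles {td}")
    # 3. Reply-To sends answers somewhere other than the claimed sender.
    if reply_to and reply_to.lower() != frm:
        findings.append(f"Reply-To {reply_to} differs from From {frm}")
    # 4. Bounce address (Return-Path) lives on a different domain than From.
    if return_path and domain_of(return_path) != domain_of(frm):
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From")
    return findings

# Constructed sample whose headers show all four indicators at once.
SAMPLE = """\
Return-Path: <bounce@mailer-xyz.test>
Received: from mailer-xyz.test by mx.example.com
From: "John Johnson" <john.johnson@examp1e.com>
Reply-To: <john.johnson@reply-xyz.test>
To: finance@example.com
Subject: Urgent invoice update

Please update the bank details for invoice 4471.
"""

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print("WARNING:", finding)
```

The similarity threshold is a heuristic; a production filter would also check the authentication results (SPF, DKIM, DMARC) the receiving server records.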

How to stop email spoofing

While you can’t completely prevent email spoofing, you can fortify your cybersecurity to reduce the chance of encountering and falling victim to this type of cyberattack. Here’s how you can stop (or limit) the risk of email spoofing:

  • Use and regularly update anti-malware tools. Software such as an antivirus can help prevent you from catching a computer virus. Ensuring your email app is up to date is crucial in safeguarding yourself from cyber threats. 
  • Consider enabling NordVPN's Threat Protection Pro™ feature. This tool helps identify malware-ridden files, stops users from landing on malicious websites, and blocks trackers and intrusive ads on the spot.
  • Use complex passwords to protect your accounts. The stronger the password, the less vulnerable your account will be to brute-force attacks. It's also a good idea to change them regularly. If you're not a huge fan of thinking of complex passwords (and remembering them afterward), check out NordPass for a safe and comfortable experience.
  • Avoid using your personal and work email addresses. You may want to register for various online services and social media accounts. However, instead of using your personal or work email, create a separate email address for these purposes. Also, try to keep your primary email addresses as private as possible. It will help reduce spam and limit exposure to potential phishing attacks.
  • Do not give your email to people you don't trust. Doing otherwise is just asking for trouble.
  • Use email service providers that support email authentication protocols (SPF, DKIM, and DMARC) on top of SMTP. Do proper research to find out if a provider you use is secure. You can also check out our recommended privacy-oriented email providers, which will better protect your emails.
  • Carefully check the email address. If it looks odd or has spelling mistakes, report it.
  • Contact the sender directly by using other means of communication. Typically, corporate email addresses are available on the company’s official website.
  • Perform an immediate antivirus scan if you suspect you've just downloaded malware. It will save you time and prevent headaches if your suspicions are true.
  • Install an email security gateway. An email security gateway is an additional solution a business installs on its email system to filter, monitor, and protect inbound and outbound email traffic from email threats. Using one can reduce the chances of phishing, email spoofing, and BEC attacks.
  • Train employees about cyber awareness. Knowledge is power. In this case, it gives people the power to safeguard themselves (and the company) from potential cyber risks. So consider training and testing workers to improve their understanding of email cybersecurity.
  • Make use of threat intelligence. This cybersecurity field is concerned with monitoring and updating information about the most common cyber threats for businesses and individuals. Keeping up with the latest trends can help you safeguard your company’s online systems and reduce the risk of cyberattacks.
  • Use email encryption. It adds a layer of security to your emails by ensuring that only the recipient can read them, making email encryption a good way to avoid email spoofing and other cyber threats.
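To show what the SPF, DKIM, and DMARC protocols mentioned above actually do against a forged From address, here is an added example (not from the article or NordVPN) of the DMARC alignment decision a receiving server makes. It assumes SPF and DKIM have already been evaluated and takes their results as inputs; all domains and DNS records are constructed, and the organizational-domain helper is simplified.

```python
# Added example: DMARC verdict from the From domain, the SPF-authenticated
# domain and the DKIM signing domain. Inputs are constructed; no DNS is used.
from email.utils import parseaddr

def org_domain(domain):
    # Simplified organizational domain (last two labels). Real DMARC uses the
    # Public Suffix List, so "mail.example.co.uk" would need more care.
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def aligned(auth_domain, from_domain, mode):
    # "s" (strict) needs an exact match; "r" (relaxed) accepts subdomains.
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    # "v=DMARC1; p=reject; adkim=s" -> {"v": "DMARC1", "p": "reject", "adkim": "s"}
    tags = (t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in tags}

def dmarc_verdict(from_header, spf_domain, spf_pass, dkim_domain, dkim_pass, record):
    policy = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Otherwise apply the action the domain owner published: none/quarantine/reject.
    return policy.get("p", "none")

# Constructed scenario: a message claiming to be from example.com is relayed
# through the attacker's own server. SPF passes for that server's domain only,
# and there is no DKIM signature from example.com.
SPOOFED = dmarc_verdict('"IT Support" <support@example.com>',
                        spf_domain="mailer-xyz.test", spf_pass=True,
                        dkim_domain="", dkim_pass=False,
                        record="v=DMARC1; p=reject; adkim=s; aspf=s")
# Legitimate mail: SPF passes for a subdomain (relaxed alignment) and DKIM
# is signed by the From domain itself.
LEGIT = dmarc_verdict("support@example.com",
                      spf_domain="bounce.example.com", spf_pass=True,
                      dkim_domain="example.com", dkim_pass=True,
                      record="v=DMARC1; p=reject; adkim=s")

if __name__ == "__main__":
    print("spoofed:", SPOOFED, "| legitimate:", LEGIT)
```

A domain whose record says p=none still gets reports but asks receivers to deliver spoofed mail; p=quarantine or p=reject is what actually stops it.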



Also available in: Español, Italiano.



Lukas Tamašiūnas

Lukas Tamašiūnas is a content creator with an interest in the latest developments in the cybersecurity industry. He follows his curiosity to discover and share practical knowledge about online safety.