Email spoofing is an attack in which hackers make an email appear to originate from a different address than it actually does. Spoofing allows the attacker to impersonate people or organizations for various reasons. That’s scary, so how does it work?
Why email spoofing happens
Email spoofing is a form of impersonation and is usually part of a different type of scam or attack. Spoofing plays a big role in email-based phishing or so-called 419 scams. An email arrives in your mailbox pretending to be from your bank, an online payment processor, or, in the case of targeted phishing, someone you know personally.
The email often contains a link that you are asked to click, which takes you to a fake version of a real site where your username and password are collected.
In the case of CEO fraud, or when attackers pose as vendors or business partners, the emails request sensitive information or request bank transfers to accounts the hackers control.
How spoofing works
Email spoofing is surprisingly easy to do. It works by modifying the email “header”, a collection of metadata about the email. The information you see in your mail app is pulled from the email header.
SMTP (Simple Mail Transfer Protocol) makes no provision for authenticating email addresses. Hackers take advantage of this weakness to trick unsuspecting victims into thinking the mail is from someone else.
There is also a different form of email spoofing, where the email address is designed to look like the real address of the spoofing target. In that case, the attacker creates a separate email address on the same domain and uses methods such as swapping in letters or numbers that resemble each other in the fake address.
The FROM, REPLY-TO, and RETURN-PATH sections of an email header can be modified without special tools or advanced knowledge. This will result in an email that, on the surface, shows you a spoofed source address.
Email spoofing detection
The easiest way to spot a spoofed email is to open the email header and check whether the IP address or URL in the “Received” section belongs to the source you expect.
The method of viewing an email header varies from one mail application to another, so you’ll need to find the exact method for your email client. Here we will use Gmail as an example as it is popular and easy to use.
Open the email you suspect is spoofed, click the three dots, and choose “Show Original”.
Next to “Received” you will see a server URL and also an IP address. In this case, an email purporting to be from Costco is coming from a server that does not appear to be Costco.
To confirm this, copy the IP address and paste it into DomainTools WhoIs Lookup.
As the results show, this IP address originates from Singapore and comes from a Microsoft domain.
It’s highly unlikely that it’s actually from Costco, so this is probably a scam email!
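The same check can be scripted. The following Python sketch is an added example, not part of the original article: it reads the FROM, REPLY-TO, RETURN-PATH and “Received” fields of a raw message and reports where they disagree. The sample message, the function names and the assumption that the topmost “Received” line carrying a “from” clause is the one written by your own mail server are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every name, host and IP below is invented (IPs are documentation ranges).
SAMPLE = """\
Received: by 2001:db8::1 with SMTP id x1csp1; Mon, 1 Jan 2024 10:00:02 -0800
Received: from mail.sender-host.example (mail.sender-host.example. [203.0.113.45])
        by mx.receiver.example with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:01 -0800
Received: from internal.bank.example ([198.51.100.7]) by mail.sender-host.example; Mon, 1 Jan 2024 10:00:00 -0800
Return-Path: <bounce@sender-host.example>
From: "Example Bank" <support@bank.example>
Reply-To: refunds@other-mailbox.example
Subject: Action required

Please confirm your account.
"""

# "from <host> ... [<ip>]" at the start of a Received value; hops without it are skipped.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]", re.S)

def domain(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyze(raw):
    msg = message_from_string(raw)
    # Received headers are prepended, so index 0 is the hop closest to your mailbox.
    hops = [m.groups() for m in map(HOP.match, msg.get_all("Received", [])) if m]
    from_dom = domain(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        d = domain(msg[name])
        if d and d != from_dom:
            findings.append(f"{name} domain {d} != From domain {from_dom}")
    # Only the hop recorded by the receiving server is trustworthy; anything
    # below it was supplied by the sending side and can be forged.
    handoff = hops[0] if hops else None
    if handoff and from_dom:
        host = handoff[0].rstrip(".").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"handoff host {host} [{handoff[1]}] is outside {from_dom}")
    return {"from_domain": from_dom, "handoff": handoff, "hops": hops, "findings": findings}

if __name__ == "__main__":
    for line in analyze(SAMPLE)["findings"]:
        print(line)
```

A handoff host outside the sender's domain is a lead rather than proof, because many organizations send mail through third-party providers; the IP it reports is the one to look up in WhoIs.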
How to combat identity theft
While checking the email header of a message for suspicious content is a reliable way to confirm that an email has been spoofed, you have to be a bit technical to understand what you’re seeing, so it’s not the most effective way of helping people in your business or home avoid becoming a victim.
It’s much more effective to apply a few basic rules when dealing with any unsolicited email that asks you to click on a link, transfer money, or request privileged information:
- Double-check any money transfer requests using another channel, such as a phone call.
- Do not transfer money to accounts that are not approved.
- Do not click on links within emails that you have not requested.
- Type any web address into your browser yourself.
Most importantly, always verify high-risk messages with the sender using a separate channel, such as a phone call or secure chat. (Do not use any phone numbers provided in the email, however.) A 30-second conversation can 100% confirm whether you are a victim of phishing or not!