Skip to main content

What is email spoofing?

As phishing attempts grow more advanced, so do the efforts to imitate real organizations, which make it easier to trick unsuspecting recipients into divulging valuable information or assets. A common tactic here is spoofing an email, or making it look like it came from somewhere it didn’t.

Let’s take a look at what email spoofing means, how it affects you, and what to watch for.

Woman using a laptop next to a latte.

What is email spoofing?

Spoofing occurs when an email is sent with a faked sender address, designed to make it look like the email came from a source that it did not.

Email spoofing is frequently used in phishing attacks, attempts to get unsuspecting people or businesses to divulge personal information or even send money. Phishing attempts can be far more sophisticated than the classic “Nigerian prince” email. Some types of phishing work very hard to make emails really seem like they come from trusted institutions like a bank, a government agency, or a nonprofit, right down to faking logos and staff information. Part of the forgery also includes a spoofed email address to make it look like the email really did come from the institution in question.

In other cases, spoofing is sometimes used to automatically create fake email address for each message as a way to get around spam filters. More benign versions of spoofing can also help users keep their privacy, which is why services offer the ability to create disposable email addresses.

What is an example of email spoofing?

For an average online user, a spoofing attack may look like an email from a large national bank, like Wells Fargo or U.S. Bank. It will have its logo in the email, often at the top to make it look authentic, and will be from an email address associated with that bank, like wellsfargoemail.com. The email will begin with an urgent header like “Account Fraud Warning” or “Overdraw Limit Exceeded” and then will ask the recipient to take immediate action. That action could include sending over valuable account information, even account numbers, selecting a link that leads to a malicious website, or downloading a file that contains malware.

There are many other examples of how spoofing can work this way. Some may imitate credit bureaus and warn about credit score problems. Others can be even simpler — this example from Microsoft Outlook warns of an expired password.

Outlook Phishing email example.

On the business side, spoofed emails may go to great lengths to appear that they are from legitimate parties requesting a wire transfer or a change in payment information that could lead to the theft of millions of dollars.

Is email spoofing legally a cybercrime?

Creating disposable email addresses to, say, sign up for a free trial is technically a form of spoofing. However, the law gets involved when spoofing actively tries to impersonate another sender, especially when the goal is to steal valuable information or money. In these cases, the FBI asks people to report spoofing and phishing attempts.

Contoso Phishing email example.

Can someone spoof my email address?

People who spoof emails can set the apparent email address to be anything they want. That means that scammers who have your email address can use it in a spoofed email. Some scammers or spammers get lists of real emails from data theft caches online and use them for this purpose. However, since most scammers want to appear legitimate when creating phishing emails, it’s less likely that they will use the email address of an average online user.

If your email is spoofed, you may know by all the bounced back “can’t deliver” emails that are a result of spamming bots. It’s not easy to stop these, except to filter them out and wait for the spamming attempt to stop.

And, of course, keeping your email as private as possible can help decrease your risk, which ironically means making use of disposable email addresses.

How can I spot a spoofed email?

It can be difficult, but the best way is to always follow up and ask for more information without clicking on anything in the email or sending back a message. Find contact information for the organization in question directly from their website, and call them directly or send a question to support to see if the request is real.

Check both the sender’s name and the full email address in the received section of the email, too. Often, spoofing attempts don’t extend to additional sections of the email, and the received notation in an email is an easy way to check.

Always be wary of any email asking for money in any form. Institutions don’t use email as a method of sending invoices or asking for wire transfers, etc. If an email looks authentic, always take the time to call the organization and find a contact there to check if it’s legitimate.

Can I stop spoofed emails?

Not easily. However, many email clients do have built-in ways to spot and remove spoofed emails. Use an updated email app to help cut down on spoofing spam as much as possible. Don’t create filters for spoofed addresses, as you may want to receive emails from the authentic sender at some point.

Editors' Recommendations