How to Prevent Email Spoofing Attacks?
Have you received an email that appears to have been sent by someone you know but you had a feeling there was something just off with it? That email could have been sent by someone else entirely and you might have been a victim of an email spoofing attack.
If that happened and you’ve already been caught once in this scheme, this article will help you not make the same mistake twice. If it didn’t, you’ll also find it beneficial to know how to spot email spoofing in your inbox.
What is Email Spoofing?
To understand what email spoofing is, you need to understand what spoofing is in general.
Spoofing is an attack in which cyber-intruders imitate a legitimate user or a device in order to launch an attack against the network.
There are 5 types of spoofing attacks, including email spoofing.
- Email Spoofing
Of course, in this article, we are primarily concerned about email spoofing so we’ll place the majority of attention here.
Email spoofing is an attack in which a criminal sends an email that impersonates another, legitimate sender. “Spoofing”, in this case, refers to the sender showing fake contact details in the sender field.
Usually, the attacker will imitate an administrator of the website you trust and will ask for your login details in the email. This will of course give them access to your account, with which they can then do as they please.
How does this usually look?
One of the most common tactics attackers use is to send an email pretending to be the support or admin of a website or service you are using. In the email, they will warn you that someone has tried (or is trying) to hack into your account so you will need to reset your password.
Of course, if you fall for that, they will now have full access to your account and any accounts connected to it.
- IP Spoofing
In an IP address spoofing attack, the hacker pretends to be another user by impersonating their IP address. The attacker sends packets carrying a fake source address to devices in the network. As more and more of these packets arrive, the device is eventually clogged with too many of them, as in a DoS (Denial-of-Service) attack.
- DNS Spoofing
A DNS (Domain Name System) spoofing attack also relies on IPs, but in a different way than a straight IP spoofing attack.
In this case, the attacker mixes up public IP addresses and changes domain names, which then get rerouted to new IP addresses.
That way, when you enter the domain or website URL in your browser, you will instead be sent to a spoofed domain and not the website you wanted to go to.
- MAC Spoofing
In this case, MAC has nothing to do with Mac computers; it refers to a MAC address, which acts as an identifier for all network endpoints.
Every device connected to the Internet has a unique MAC address, which can’t be altered. What the hacker can do, however, is create a fake MAC address and implant it into communications going from the rogue device.
- ARP Spoofing
An ARP (Address Resolution Protocol) spoofing attack is one in which the hacker attempts to associate his MAC address with the IP address of a staff member by sending out ARP messages throughout the network.
If the attack was a success and the IP address was cracked, the attacker can now hijack data going between the router and the computer. This means that any data sent to the member of the staff whose IP address has been spoofed will end up on the attacker’s IP address instead.
Fortunately, this type of spoofing attack only works if your LAN uses the ARP protocol.
What is the Difference Between Email Spoofing, Spamming and Phishing?
In order to prevent email spoofing, it’s important to first know the difference between email spam, email-based phishing and email spoofing.
Email spam and email spoofing are similar in that they are both unsolicited. However, whereas spoofers will edit the email header to make it look like the message came from a specific organization, spammers won’t do that. Instead, they’ll use an address that looks almost identical to the one a legitimate organization would use.
When it comes to the difference between phishing and spoofing, they both aim for the same thing: tricking the victim into thinking they got an email from a legitimate source. However, spoofing is just one of the many tactics that hackers will use in phishing to trick users into revealing their personal information.
How to Prevent an Email Spoofing Attack?
Okay, now that you understand what email spoofing is, know how to recognize it and can tell the difference between spoofing, spamming and phishing, it’s time to learn how to stop email spoofing.
This can be done by:
Checking the Email Header
The easiest way to spot a spoofed email is to check the email header first.
For instance, here is an email I recently received from Google about certain policy changes in my Google account.
Now, this email was legitimate and if you’re a Gmail user, you probably received one like it these days. However, spoofers might create a similar one, knowing that Google is already sending these emails to its users.
To know if the email really did come from who it says it came from (in this case Google), you need to look at the email header.
To do this, on the top-right of the email message look for the three dots (the text will display “more” when you hover over them).
Click there to reveal a drop-down menu and go to “Show Original”.
This will open a new window, titled “Original Message”. Here, you should look for the “Return-Path” to see if it is the same as the sender’s address. If not, the email is most likely spoofed.
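The same check can be scripted over the raw text that “Show Original” displays. The following is an added example, not code from the original article: it compares the Return-Path domain with the From domain and reads the SPF, DKIM and DMARC verdicts that the receiving server recorded in the Authentication-Results header. The two sample messages and every domain in them are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; all domains are placeholders.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Account Support" <support@example.com>
Subject: Reset your password

Someone tried to access your account.
"""
LEGIT = """\
Return-Path: <support@example.com>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Account Support" <support@example.com>
Subject: Policy update

We are updating our terms.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def check_headers(raw):
    """Compare Return-Path with From and read the receiver's auth verdicts."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # get() returns the topmost Authentication-Results header, the one
    # stamped last; headers further down may have been forged by the sender.
    auth_header = msg.get("Authentication-Results", "").lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_header))
    same = bool(from_dom) and from_dom == rp_dom
    return {"from": from_dom, "return_path": rp_dom, "same_domain": same,
            "auth": auth, "suspicious": not same or auth.get("dmarc") != "pass"}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_headers(raw))
```

Legitimate bulk senders often use a separate bounce domain in Return-Path, so a mismatch there is a reason to read the DMARC verdict, which is why the function reports both.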
Another thing you should look at is the originating IP address. You can use an IP lookup service to check if the source is legitimate.
In this case, for instance, the IP is 126.96.36.199. When I enter it into an IP lookup, these are the Whois details that I get. This tells me that it’s legitimate and is indeed from Google:
Use SPF, DKIM and DMARC to Prevent Email Spoofing Attacks
Email users should be very familiar with these three acronyms as they are often what prevents email spoofers from using their domain.
Of these three, pay special attention to SPF, or Sender Policy Framework. That’s because attackers will most often use it to spoof an email.
Here’s what they stand for and what their purpose is in an email:
- SPF is necessary to validate an approved IP address that can send an email to a particular domain.
- DKIM (DomainKeys Identified Mail) updates DNS entries for an email domain and adds a digital signature to the email message header. Thanks to this, the recipient knows that the message has not been altered on the way from the sender to them.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy protocol for email authentication and reporting that uses SPF and DKIM to provide info on the email domain.
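How these records decide the fate of a message sent from an unapproved IP address is shown below. This is an added example, not part of the original article, and it compares a weak SPF/DMARC pair with a strict one. The records, the 192.0.2.0/24 range and example.com are constructed placeholders, and the evaluator handles only the `ip4`, `ip6` and `all` mechanisms so that it runs without DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records; 192.0.2.0/24 and example.com are placeholders.
WEAK_SPF, WEAK_DMARC = "v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

def spf_check(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip.

    Mechanisms that need DNS (include, a, mx, ...) are skipped so this runs
    offline; a real evaluator must resolve them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or 'none' if absent or invalid."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none") if tags.get("v") == "dmarc1" else "none"

def disposition(spf_record, dmarc_record, sender_ip):
    """What the receiver is asked to do with a message from sender_ip.

    Assumes the SPF domain matches the From domain and no DKIM signature
    passes, so DMARC succeeds only if SPF returns 'pass'.
    """
    if spf_check(spf_record, sender_ip) == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}.get(dmarc_policy(dmarc_record), "deliver")
```

With the weak pair, mail from an address outside the approved range is still delivered because `p=none` only asks for monitoring; with the strict pair the same message is rejected.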
Use an Email Signing Certificate
The purpose of an email signing certificate, or S/MIME certificate, is to instill trust and confidence in the recipient that you are who you say you are.
An email signing certificate serves two purposes:
- It provides end-to-end encryption via public keys for your outgoing emails and,
- It affirms your identity as the sender by giving you a unique digital signature.
As a result, when they see that your email has a certificate like this, your recipients will be more likely to open it, reply and engage with you and not think that you’re a spammer.
Educate Your Employees to Recognize and Avoid Email Spoofing Threats
Of course, your battle against cyberthreats, including email spoofing, will only be successful if you and your employees know how to deal with it.
This is why it’s important to pay close attention to teaching your employees to recognize these threats and to raise their cyber awareness.
Make sure that everyone in your company from top to bottom knows not to respond to emails that:
- Use poor grammar, language and punctuation.
- Try to invoke a sense of urgency and fear to compel the user into taking an action without considering it.
- Contain inaccurate information in the “from” field, like the sender’s name not matching the email address.
- Don’t have a sender name.
- Use your own name in the sender field.
- Or, are coming from an unrecognized and unverified sender.
Email was not really designed to be secure, but to provide a simple messaging protocol for people using different types of devices. Unfortunately, this means that you have to be constantly on your toes against threats like scammers, phishers and spoofers as they are always finding new ways to trick you into revealing your personal and other sensitive information.
Hopefully, this article has given you another tool that will help you in preventing email spoofing attacks.