Email Scammers are getting smarter
Email spoofing is a common type of email scam in which the criminal actor sends out a misleading email message with a fake sender address that is made to represent the email address of a person or organization that the receiver is likely to know and trust.
Email spoofing can be used in a lot of harmful ways. It is one of the most common methods used for facilitating phishing scams. This type of scam tactic could be damaging to both the person who receives the email and to the person (or organization) that is impersonated by the scammer who sends out the message. On the one hand, the message receiver could be tricked to share sensitive personal or professional data, download malware onto their computer, provide the scammer with remote access to his or her system, and more. On the other hand, the impersonated person/organization could get wrongfully accused of misleading the message’s receiver and committing the cybercrime that was performed by the scammer.
Consequences for the impersonated individual or entity
Since scammers who use spoofed emails most commonly try to impersonate well-known companies and big businesses in order to use their public image to create trust in the targeted recipients, thus making it more likely for the scam to work, the impersonated individual or organization could suffer serious damage to the way they are perceived by the public. If, for instance, you are the owner and/or head of a big and popular customer-facing business and someone uses the name of that business to send out scam emails that lead to financial loss and other issues for the recipients, the trust in your brand would go down and its public image will suffer. At the very least, people would be less inclined to open legitimate emails sent out from your company which could make running your business more difficult and lead to potential loss of clients.
Another possible consequence is that the spam filters of different email services may start to flag legitimate letters sent from your company as spam, making it less likely for those letters to ever be opened by their recipients.
Statistics show that this type of online scam is often detrimental to business relations and customer base in cases where the scammers try to impersonate companies (e.g. retailers, financial institutions, service providers, etc.). Large scale spoof email campaigns can have severe consequences for businesses, especially if the business owner remains oblivious to the ongoing impersonation for a long time and/or doesn’t do anything to put an end to it. The good news is that there’s a highly effective way to neutralize the possibility of someone sending out fake emails on your behalf, and that is the implementation of the DMARC protocol. If you are interested in making sure that everybody knows when someone is trying to impersonate you or your company through spoofed email letters, then you should definitely implement this protocol; it will make it much less likely that scammers successfully use your name/brand to trick people and thus affect your public image.
Consequences for the recipient
As far as the receiver of the email is concerned, they, too, could face some particularly unpleasant consequences if they fail to recognize the nature of the scam email and end up trusting its content.
As we already pointed out, phishing is one very common form of Internet scam that is often associated with spoofed emails. Phishing is when the scam victim gets tricked into disclosing sensitive information (such as credit or debit card numbers) online, thinking they are doing so on a secure webpage. An example of a spoofed phishing email would be if you receive a letter that is made to seem like it’s from your bank and that requires you to authenticate yourself by providing the sender with details about your bank account and/or your credit/debit card numbers. In cases like these, the scammer tries to make it seem like the email is legitimate and is from your bank. They usually claim that there’s some sort of problem with your account and that you are required to disclose the aforementioned details in order to verify your identity. Obviously, if you fall for the trap and disclose the requested information, you could quickly end up having all your money from your bank account withdrawn by the scammer. If you are lucky and your bank has adopted adequate cybersecurity precautions, you may not lose a lot (or any) money, but it’s better to not count on that. Spoofed phishing email letters impersonating financial institutions are only one example of how a spoofed email could be used for phishing purposes – there are many other possible ways scammers could employ such a scheme.
Phishing isn’t the only way spoofed emails can be used – another possibility that is quite common is when the scammer attempts to get their victim to download a malicious program on their computer. In such cases, the misleading message would usually contain a direct download link that downloads the malware when clicked upon. In other instances, the link may redirect to a page from where the user could download the malicious program. Either way, the spoofed message would make it seem like the sender is a person or entity that the user trusts and would use a convincing premise to persuade the recipient to download the malware file. A possible example is if the victim receives a spoofed letter in which the sender impersonates a friend or acquaintance of the recipient and tells the latter to download the linked file. Obviously, the recipient would be more inclined to download the file if the sender is someone they know which is why this is one of the most commonly used tactics.
- If you are wondering how a scammer could know who your friends and acquaintances are, you’d be surprised to learn just how diligently some scammers research their potential victims and use social engineering tactics to acquire such data. In many cases, all the information they need about who you are most likely to trust is readily available on the Internet, so there’s no need for any advanced hacking skills to get their hands on such information.
How are spoofed emails sent?
There are two basic ways to do this – the simpler and less advanced one is to send the message from an email address that is made to look very similar to the official email of the individual or organization that the scammer is trying to impersonate. However, the official and the spoofed email addresses wouldn’t be identical and so it’s much easier to check the sender’s legitimacy and, in turn, the chances of falling for the scam are lower.
However, in other instances, the scammer can try something a bit more advanced and use a specialized script to make it seem like the email address they are sending the spoofed message from is the exact same address of the impersonated person or organization. In those cases, users are more likely to get tricked by the spoofed email because even if they try to compare the sender’s address with the email address of whoever is getting impersonated, they’d see that the addresses are identical and would be more inclined to believe the contents of the message. Some email services employ security protocols that are designed to recognize and filter spoofed email messages, but there’s no guarantee that would work every time – in many cases, spoofed emails do get through despite any security filters that the email provider may have in place. There are, however, certain precautions you can take and tips that you can adhere to in order to recognize scammer emails and avoid falling victim to them – you can learn about them down below.
Tips for spotting a spoofed message and avoiding it
If you are reading this post because you want to lessen the chances of ever falling victim to a spoofed email, know that there isn’t a single surefire method that would nullify this possibility. Instead, there are many different precaution measures that, when implemented together, would greatly reduce the risk of you getting deceived by a spoof email scammer. Below, we’ve tried to summarize the most important and effective of those measures and explain why they would work and how to implement them.
- Don’t trust too-good-to-be-true offers – This one is a no-brainer, but we have to get it out of the way. In fact, this should be a general tip for staying safe on the Internet as a whole (and probably in real life too!). In almost all cases, if something sounds/seems too good to be true, that’s because it is indeed that way. Scammers love to target their victims with such offers, and therefore you should always watch out for them.
- Pay attention to the way the email is written – Lots of online scammers are sloppy and don’t pay too much attention to finer details such as grammar, punctuation, spelling, etc. In other cases, bad writing could be the result of automated software creating the message and sending it out without human interaction. This is used in large-scale spam email campaigns when the goal is to target as many users as possible, and in such cases it is not efficient for a human to manually do all the work. However, such automated software tends to make lots of easily-noticeable mistakes that stick out like a sore thumb. In either case, an email that is genuinely sent by a respected company or organization would probably not contain such bad writing.
- Don’t let panic set in – Many scammers try to put you into a state of panic by stating that their request is urgent and that if you do not follow the instructions they’ve given, there would be some serious consequence. No matter how urgent and pressing the matter seems to be, always take a few moments to critically assess the situation. More often than not, you’d quickly realize that you have simply been targeted by an email scammer.
- Never follow links to authentication forms – if you are asked to follow a link from an email that will take you to an authentication form, don’t click that link even if it seems legitimate. Instead, manually go to the site from which the email has supposedly been sent and authenticate from there. This is because the link from the email could redirect to a phishing site made to look exactly like the legitimate one and designed to steal your information.
- Avoid downloading attachments – It is recommended that you only download an email attachment if you know for a fact that it has been sent from someone you can trust. We suggest always trying to get confirmation via another means (e.g. a phone call or an instant message) that the file you’ve been sent is indeed from the person whose email address you see in the From field of the email message.
- Copy-paste the email text in your search engine – Doing this could sometimes help figure out if the message is spoofed. Fake emails typically get sent out to thousands or even millions of users at a time, and it is likely that people have already reported the scam and your search engine should instantly find those reports.
- One of the best and most advanced ways of spotting a spoofed message is to pay close attention to the SPF status in the header of the received message. Depending on the email service that you use, this is done a bit differently, so you may have to find out by yourself how to do it for your specific email provider. Below, we’ve shown how to do this with Gmail:
  1. Open the letter that you think may be spoofed.
  2. Click on the three dots next to the Reply button.
  3. Select the Show Original option.
  4. Press Ctrl + F on the keyboard and type SPF in the search field.
  5. Check what’s written next to each “SPF” instance on the page. If all of them have a “PASS” status, this means that the message is probably not spoofed. If one or more have a “FAIL” status, then the message is almost certainly spoofed, and you shouldn’t interact with any of its contents.
  6. Repeat steps 4 and 5 with the phrases “DKIM” and “DMARC”. Again, if the status next to any of their instances on the page is “fail”, then you shouldn’t trust the email message.
Pretty much the only difference between how you can check the SPF status in Gmail and in another email service is getting to the “Original Message” page where you can see the SPF status. Still, a quick Google/Yahoo/Bing search for “How to check email header for *enter your preferred email service*?” should instantly give you the information that you need.
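As an added illustration of the header check described above (this is not code from the original post), the Python script below parses the Authentication-Results, ARC-Authentication-Results and Received-SPF headers out of a Gmail-style “Show original” text and applies the same rule as the steps: any “fail” means the message should not be trusted, all “pass” means it is probably genuine, anything else is inconclusive. The sample header block, the domains and the addresses in it are constructed for the example.

```python
import email
import re
from collections import defaultdict

# Constructed "Show original" header block (not a real message): the mail
# carries a valid DKIM signature but fails SPF and DMARC for bank.example.
SAMPLE_RAW = """\
Delivered-To: recipient@example.com
Received-SPF: fail (google.com: domain of noreply@bank.example does not
 designate 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@bank.example header.s=sel1 header.b=abc123;
       spf=fail (google.com: 203.0.113.5 is not a permitted sender)
 smtp.mailfrom=noreply@bank.example;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=bank.example
From: "Example Bank" <noreply@bank.example>
Subject: Urgent: verify your account now
"""

AUTH_HEADERS = ("Authentication-Results", "ARC-Authentication-Results")
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)


def auth_results(raw):
    """Collect every SPF/DKIM/DMARC status the receiving server recorded."""
    msg = email.message_from_string(raw)
    found = defaultdict(list)
    for name in AUTH_HEADERS:
        for value in msg.get_all(name, []):
            flat = re.sub(r"\s+", " ", str(value))  # unfold multi-line value
            for mech, status in RESULT_RE.findall(flat):
                found[mech.lower()].append(status.lower())
    for value in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*([a-z]+)", str(value), re.IGNORECASE)  # leading token
        if m:
            found["spf"].append(m.group(1).lower())
    return dict(found)


def verdict(results):
    """The article's rule: any 'fail' -> do not trust; all 'pass' ->
    probably not spoofed; anything else (none/neutral/missing) -> inconclusive."""
    statuses = [s for vals in results.values() for s in vals]
    if any(s == "fail" for s in statuses):
        return "untrusted"
    if statuses and all(s == "pass" for s in statuses):
        return "probably-genuine"
    return "inconclusive"
```

Paste the full “Show original” text into `SAMPLE_RAW` (or read it from a file) and call `verdict(auth_results(...))` to get the same answer the manual Ctrl + F check gives.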