What is Email Spoofing in Cyber Security?

Identity theft is one of the most common techniques used by cybercriminals to obtain personal data from users. In this article, we will analyze a very common type called email spoofing and learn how to identify it to avoid being a victim of this attack.

Have you ever received an email from your bank asking you to please download a file or access a link? You have every reason to be suspicious if it seems suspicious, as it is most likely a type of social engineering attack known as phishing.

Thousands of scams are sent via email spoofing daily, and while most are stopped by spam filters, many end up in users’ inboxes. We can look at several elements to identify this type of attack, and one of the most recommended is to check the sender of the email. However, this is not a deciding factor, as there are increasingly phishing attacks in which mail has been spoofed due to email spoofing. 

Spoofing, which in English means falsifying or deceiving, is a very common identity theft technique, especially through email, although there are other modalities.

Email spoofing is carried out using a fraudulent email in which the attacker has changed the sender address and subject line to make it look like real communication. 

Also Read: Big Data and Analytics

Usually, cybercriminals carry out scams and deceive their victims to obtain personal data from users (passwords, credit card numbers, bank accounts, ID, emails, and other personal data) and obtain an economic benefit.

We must also bear in mind that there are two profiles when it comes to becoming a victim of this cyberattack:

• Direct victim: We may receive fraudulent emails from an entity or service whose identity has been supplanted.
• Indirect victim: We may have been impersonated, and a cybercriminal may be using our email to deceive our contacts or other users. In addition, we may not know that we are being impersonated since we are not the ones receiving the mail.

How Does Email Spoofing Work?

This type of spoofing is characterized by masking the attacker’s original email address with that of the indirect victim, which can be a user an entity, or a service. We could interpret it as if a third party, the attacker, committed identity theft and pretended to be someone we can trust to obtain some benefit, such as money or personal information, through a second fraud.

This is possible because the Simple Mail Transfer or SMTP protocol, the main protocol used to send emails, does not include authentication mechanisms. Someone with certain computer skills is capable of entering commands in the email headers to alter the information that will later appear in the message.

Consequently, the attacker can send a message that appears to be from anyone from anywhere. 

How Can We Identify Email Spoofing?

There are different guidelines and key elements regarding knowing if we are victims of email spoofing. As we have seen, there are two different profiles when it comes to being victims: the direct victim and the indirect victim; but in any case, the attacker’s objective remains the same: to deceive his direct victims to obtain an economic benefit or personal or financial data, under the pretext that it is something urgent, through a fraudulent link to a fake website or attachments with malware.

The most important thing when identifying these fraudulent emails is to be patient and take a few minutes, especially when dealing with hundreds of daily messages. By interpreting the headers of the emails, we can collect very valuable information for our investigation:

• Data relating to the sender and the receiver.
• The message has passed through the intermediate mail servers since it was sent.
• The mail client used to send the email.
• The dates of shipment and receipt.
• Although this information may remain hidden from the naked eye, it is possible to view it easily from our mail manager.

Let’s see it:

Microsoft Outlook

We will double-click on the message to open it in a new window.

Next, we select File > Info > Properties.

In the opened window, in Internet Headers, we will see all this information:

Gmail

We will open the mail to analyze.

Next, we’ll click the three dots icon and select View Message Source :

However, the information we collect from these headers can be somewhat confusing. For this reason, some tools facilitate this interpretation, such as MessageHeader. Pasting the header into this tool will break down the information as follows:

From this information, we can interpret the following:

1. Shipping time: The image shows that the message took 20 seconds from when it was sent until it arrived in our inbox. The more time passes, the more suspicious it will be. In this case, it may be nothing, but it should already alert us.
2. Sender: In the From field, we see that the company has written to us through a domain that does not coincide with them.
3. Records: The SPF and DKIM fields are used to check if they pass the verification control. In this case, it has managed to pass the SPF but has obtained an error in DKIM.

If we analyze all the information collected, the conclusion is that it is probably a case of email spoofing. We must bear in mind that, at the slightest warning sign, we must distrust and delete the message and not click on any link or download any attached file. On our website, you will find a very detailed infographic with the steps to follow to identify any type of malicious email. 

Finally, some extra tips that will help us protect our personal information are:

• Block suspicious users: If we have received one of these suspicious emails, it is recommended that we include the sender of the same in our block list.
• Do not share personal information: If we doubt the email’s authenticity, it is advisable not to share any personal information, not to click on links, and not to download any attachments.

In addition, we can always contact the entity or the user by phone to ensure that the email is original.