Skip to main content

What is email spoofing?

As phishing attempts grow more advanced, so do the efforts to imitate real organizations, which make it easier to trick unsuspecting recipients into divulging valuable information or assets. A common tactic here is spoofing an email, or making it look like it came from somewhere it didn’t.

Let’s take a look at what email spoofing means, how it affects you, and what to watch for.

Woman using a laptop next to a latte.
Image used with permission by copyright holder

What is email spoofing?

Spoofing occurs when an email is sent with a faked sender address, designed to make it look like the email came from a source that it did not.

Recommended Videos

Email spoofing is frequently used in phishing attacks, attempts to get unsuspecting people or businesses to divulge personal information or even send money. Phishing attempts can be far more sophisticated than the classic “Nigerian prince” email. Some types of phishing work very hard to make emails really seem like they come from trusted institutions like a bank, a government agency, or a nonprofit, right down to faking logos and staff information. Part of the forgery also includes a spoofed email address to make it look like the email really did come from the institution in question.

In other cases, spoofing is sometimes used to automatically create fake email address for each message as a way to get around spam filters. More benign versions of spoofing can also help users keep their privacy, which is why services offer the ability to create disposable email addresses.

What is an example of email spoofing?

For an average online user, a spoofing attack may look like an email from a large national bank, like Wells Fargo or U.S. Bank. It will have its logo in the email, often at the top to make it look authentic, and will be from an email address associated with that bank, like wellsfargoemail.com. The email will begin with an urgent header like “Account Fraud Warning” or “Overdraw Limit Exceeded” and then will ask the recipient to take immediate action. That action could include sending over valuable account information, even account numbers, selecting a link that leads to a malicious website, or downloading a file that contains malware.

There are many other examples of how spoofing can work this way. Some may imitate credit bureaus and warn about credit score problems. Others can be even simpler — this example from Microsoft Outlook warns of an expired password.

Outlook Phishing email example.
Image used with permission by copyright holder

On the business side, spoofed emails may go to great lengths to appear that they are from legitimate parties requesting a wire transfer or a change in payment information that could lead to the theft of millions of dollars.

Is email spoofing legally a cybercrime?

Creating disposable email addresses to, say, sign up for a free trial is technically a form of spoofing. However, the law gets involved when spoofing actively tries to impersonate another sender, especially when the goal is to steal valuable information or money. In these cases, the FBI asks people to report spoofing and phishing attempts.

Contoso Phishing email example.
Image used with permission by copyright holder

Can someone spoof my email address?

People who spoof emails can set the apparent email address to be anything they want. That means that scammers who have your email address can use it in a spoofed email. Some scammers or spammers get lists of real emails from data theft caches online and use them for this purpose. However, since most scammers want to appear legitimate when creating phishing emails, it’s less likely that they will use the email address of an average online user.

If your email is spoofed, you may know by all the bounced back “can’t deliver” emails that are a result of spamming bots. It’s not easy to stop these, except to filter them out and wait for the spamming attempt to stop.

And, of course, keeping your email as private as possible can help decrease your risk, which ironically means making use of disposable email addresses.

How can I spot a spoofed email?

It can be difficult, but the best way is to always follow up and ask for more information without clicking on anything in the email or sending back a message. Find contact information for the organization in question directly from their website, and call them directly or send a question to support to see if the request is real.

Check both the sender’s name and the full email address in the received section of the email, too. Often, spoofing attempts don’t extend to additional sections of the email, and the received notation in an email is an easy way to check.

Always be wary of any email asking for money in any form. Institutions don’t use email as a method of sending invoices or asking for wire transfers, etc. If an email looks authentic, always take the time to call the organization and find a contact there to check if it’s legitimate.

Can I stop spoofed emails?

Not easily. However, many email clients do have built-in ways to spot and remove spoofed emails. Use an updated email app to help cut down on spoofing spam as much as possible. Don’t create filters for spoofed addresses, as you may want to receive emails from the authentic sender at some point.

Tyler Lacoma
Former Digital Trends Contributor
If it can be streamed, voice-activated, made better with an app, or beaten by mashing buttons, Tyler's into it. When he's not…
A new phishing scam pretends to be your boss sending you an email
A Dell laptop connected to a hard drive on a couch.

One of the latest email scams is a simple yet masterful ploy that gets companies to give up money under the guise of communicating with senior members of an organization within an email chain.

As reported by ZDNet, the scam is called a business email compromise (BEC) campaign and is described as a prompt where a nefarious actor, disguised as a company boss, sends an email that looks like a forwarded email chain, with instructions to an employee to send money. Targets of this type of scam are typically employees in the finance department or someone who has the ability to send wire transfers.

Read more
Selling something online? Watch out for this clever new scam
An individual holding a phone and card.

A credit/debit card stealing scheme that was initially discovered in 2020 has now been detected in Singapore.

As reported by Bleeping Computer, threat analysts at cybersecurity company Group-IB link it to "Classicscam," a global operation that has targeted individuals in Europe, Russia, and the U.S.

Read more
Hackers have found a way to log into your Microsoft email account
A depiction of a hacker breaking into a system via the use of code.

Account holders for Microsoft email services are being targeted in a phishing campaign, according to security researchers from Zscaler's ThreatLabz group.

The objective behind the threat actors’ efforts is believed to be the breaching of corporate accounts in order to perform business email compromise (BEC) attacks.

Read more