Simply put, phishing emails are designed to trick the recipient into believing that they are legitimate. A common way of accomplishing this is by making the emails appear to come from someone that the recipient knows and trusts. Email spoofing is one way of accomplishing this. A spoofed email is designed so that the display name of the email belongs to someone that the email recipient trusts.
How Email Spoofing Works
An email can be broken into two main sections: the headers and the body. The purpose of the headers is to provide metadata and the information required to route the email to its destination. The body of the email is the actual message being conveyed.
The Simple Mail Transfer Protocol (SMTP) defines the structure of emails and how computers communicate over email. When SMTP was developed, security was not a priority, and the protocol was designed with no way to verify the authenticity of email headers.
Email spoofing takes advantage of this by changing the value of the FROM header, which should contain the email address of the sender. This value is used only to inform the recipient of the sender’s identity, so modifying it won’t cause the email to fail.
However, the FROM address may be used to direct replies to an email, which could be a problem for some phishing campaigns. However, the SMTP standard also includes a REPLY-TO header where the sender can specify that replies to an email should be sent to a different address. This field is commonly used in marketing email blasts but can also be used by a phisher to receive replies to phishing emails where they have spoofed the address.
How to Identify a Spoofed Email
Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing.
In some cases, the attacker may use a real, lookalike address, such as substituting cornpany.com for company.com. In others, the value of the FROM header may be replaced with a legitimate address that is not under the sender’s control.
While the first case can usually be detected by taking a careful look at the sender’s email address, the second might require more digging. Spoofed FROM addresses can be identified based on:
- Context: Phishing emails are designed to look legitimate, but they may not always succeed. If an email doesn’t sound like it came from the alleged sender, it may be a spoofed phishing email.
- Reply-To: A Reply-To address enables replies to an email from one address to be directed to another. While this has legitimate uses (such as mass email campaigns), it is unusual and should be cause for suspicion for emails coming from a personal account.
Received: The RECEIVED header in an email indicates the IP addresses and domain names of the computers and email servers along the path that the email traveled. An email from and to email addresses within the same company should only pass through the company’s email server.
How to Protect from Email Spoofing
- Label External Emails: Spoofed emails often pretend to be from internal addresses but come from outside the company. Adding a warning banner to all external emails helps recipients to identify attempted email spoofing attacks.
- Enable Email Protection: Email protections like DMARC and SPF add authentication information to emails. This makes it more difficult for an attacker to send spoofed emails from a company’s domains.
- Check Email Address: Phishers often use lookalike addresses to make their emails look more legitimate. Verify that an email sender’s address is correct before trusting it.
- Check Email Headers: Spoofing works by modifying the SMTP headers within emails. If an email looks suspicious, check the headers for inconsistencies.
Email Spoofing Protection with Check Point
Spoofed emails are designed to be deceptive, meaning that employees may struggle to identify sophisticated phishing attacks. A single click on a malicious link or opening a malware-laden attachment can cause significant harm to the enterprise. Phishing emails are a leading cause of data breaches and one of the top delivery mechanisms for ransomware and other malware.
For this reason, corporate cybersecurity training for phishing email detection should be augmented with a strong anti-phishing solution. Check Point, along with Avanan, has developed Harmony Email and Office, which provides comprehensive protection against phishing scams. To learn more about Harmony Email and Office and how it can help to mitigate the threat of spoofed phishing emails to your organization, you’re welcome to sign up for a free demo.