The original transmission protocols used for email do not have built-in authentication methods: this deficiency allows spam and phishing emails to use spoofing in order to mislead the recipient. More recent countermeasures have made such spoofing from internet sources more difficult but not eliminated it; few internal networks have defences against a spoof email from a colleague's compromised computer on that network. Individuals and businesses deceived by spoof emails may suffer significant financial losses; businesses risk compound losses since email spoofing is one of the primary routes to embed ransomware.
When a Simple Mail Transfer Protocol (SMTP) email is sent, the initial connection provides two pieces of address information:
- MAIL FROM: - generally presented to the recipient as the Return-path: header but not normally visible to the end user, and by default no checks are done that the sending system is authorized to send on behalf of that address.
- RCPT TO: - specifies which email address the email is delivered to, is not normally visible to the end user but may be present in the headers as part of the "Received:" header.
Together these are sometimes referred to as the "envelope" addressing – an analogy to a traditional paper envelope. Unless the receiving mail server signals that it has problems with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:
- From: Joe Q Doe <firstname.lastname@example.org> - the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.
- Reply-to: Jane Roe <Jane.Roe@example.mil> - similarly not checked
- Sender: Jin Jo <email@example.com> - also not checked
The result is that the email recipient sees the email as having come from the address in the From: header. They may sometimes be able to find the MAIL FROM address, and if they reply to the email it will go to either the address presented in the From: or Reply-to: header, but none of these addresses are typically reliable, so automated bounce messages may generate backscatter.
Although email spoofing is effective in forging the email address, the IP address of the computer sending the mail can generally be identified from the "Received:" lines in the email header. In malicious cases however, this is likely to be the computer of an innocent third party infected by malware that is sending the email without the owner's knowledge.
Malicious use of spoofing
Email spoofing has been responsible for public incidents with serious business and financial consequences. This was the case in an October 2013 email to a news agency which was spoofed to look like it was from the Swedish company Fingerprint Cards. The email stated that Samsung offered to purchase the company. The news spread and the stock exchange rate surged by 50%.
Malware such as Klez and Sober among many more modern examples often search for email addresses within the computer they have infected, and they use those addresses both as targets for email, but also to create credible forged From fields in the emails that they send. This is to ensure that the emails are more likely to be opened. For example:
- Alice is sent an infected email which she opens, running the worm code.
- The worm code searches Alice's email address book and finds the addresses of Bob and Charlie.
- From Alice's computer, the worm sends an infected email to Bob, but is forged to appear as if it was sent by Charlie.
In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, even though it really came from Alice's computer. Meanwhile, Alice may remain unaware that her computer has been infected, and Charlie does not know anything about it at all, unless he receives an error message from Bob.
How does email spoofing differ from spam and email phishing?
The main difference between spam and a spoofed message is that spammers don't edit email headers to pretend the email was sent from someone else. Both phishing and spoofing emails aim to trick someone to believe the message was sent from a legitimate sender. However, the main phishers' intent is to compromise user personal and financial information, while spoofing emails is just one of the ways they use to do so.
In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor. An example of legitimate spoofing would be a scenario where a Customer relationship management system receives an email from a website, and in order to log the incoming email and create a profile for the email that is associated with a new contact, the system would be configured to use the 'sender' of the email to create the profile of the prospect with a name and email address of the sender. A dispatching website would be configured to spoof the outgoing email from the website, and dispatch the email in a way which makes it appear to arrive from the submitter with the submitter's information as sender name and email address. The system would then log it as configured.
When multiple software systems communicate with each other via email, spoofing may be required in order to facilitate such communication. In any scenario where an email address is set up to automatically forward incoming emails to a system which only accepts emails from the email forwarder, spoofing is required in order to facilitate this behavior. This is common between ticketing systems which communicate with other ticketing systems.
The effect on mail servers
Traditionally, mail servers could accept a mail item, then later send a Non-Delivery Report or "bounce" message if it couldn't be delivered or had been quarantined for any reason. These would be sent to the "MAIL FROM:" aka "Return Path" address. With the massive rise in forged addresses, best practice is now to not generate NDRs for detected spam, viruses etc. but to reject the email during the SMTP transaction. When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties - in itself a form of spam - or being used to perform "Joe job" attacks.
The SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used, and a range of other potential solutions have also failed to gain traction.
However a number of defensive systems are now widely used, including:
- Sender Policy Framework (SPF) – an email authentication method designed to detect forging sender addresses during the delivery of the email.
- DomainKeys Identified Mail – an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
- DMARC – (Domain-based Message Authentication, Reporting and Conformance), an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.
To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication. Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6% to "almost half". For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly-configured domains or email.
Business email compromise attacks are a class of cyber crime that use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Examples include invoice scams and spear phishing spoof attacks which are designed to gather data for other criminal activities. A business deceived by an email spoof can suffer additional financial, business continuity and reputational damage: fake emails are a favored route for ransomware that can stop operations unless a ransom is paid; consumer privacy breaches can also be enabled.
Typically an attack targets specific employee roles within an organization by sending a spoof email (or series of spoof emails) which fraudulently represent a senior colleague (CEO or similar) or a trusted customer. (This type of attack is known as spear phishing.) The email will issue instructions, such as approving payments or releasing client data. The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster.
The worldwide financial impact is large. The United States's Federal Bureau of Investigation recorded $26 billion of US and international losses associated with BEC attacks between June 2016 and July 2019.
- Dublin Zoo lost €130,000 in a such a scam in 2017 - a total of €500,000 was taken, though most was recovered.
- The Austrian aerospace firm FACC AG was defrauded of 42 million euros ($47 million) through an attack in February 2016 - and subsequently fired both the CFO and CEO.
- Te Wananga o Aotearoa in New Zealand was defrauded of $120,000 (NZD).
- The New Zealand Fire Service was scammed out of $52,000 in 2015.
- Ubiquiti Networks lost $46.7 million through such a scam in 2015.
- Save the Children USA was the victim of a $1 million cyberscam in 2017.
- Australian organisations that reported business email compromise attacks on the Australian Competition and Consumer Commission suffered approximately $2,800,000 (AUD) in financial losses for the 2018 year.
- In 2013, Evaldas Rimasauskas and his employees sent thousands of fraud emails to get access to companies email systems.
- Chain letter – Letter written in succession by a group of people
- Computer virus – Computer program that modifies other programs to replicate itself and spread
- Computer worm – Standalone malware computer program that replicates itself in order to spread to other computers
- Cyber-security regulation
- Cybercrime – Term for an online crime
- Domain name#Domain name spoofing – Identification string in the Internet that may be compromised
- DMARC – System to prevent email fraud
- Email authentication – Techniques aimed at providing verifiable information about the origin of email messages
- Hoax – Deliberately fabricated falsehood made to masquerade as the truth
- Joe job – Spamming technique that sends out unsolicited e-mails using spoofed sender data
- Phishing – Act of attempting to acquire sensitive information by posing as a trustworthy entity
- Prank call – Call intended to prank the person who answers
- Social engineering (security) – Psychological manipulation of people into performing actions or divulging confidential information
- Website spoofing – Creating a website, as a hoax, with the intention of misleading readers
- Siebenmann, Chris. "A quick overview of SMTP". University of Toronto. Retrieved 2019-04-08.
- Barnes, Bill (2002-03-12). "E-Mail Impersonators". Retrieved 2019-04-08.
- "e-mail impersonators: identifying "spoofed" e-mail". Archived from the original on 2017-06-21. Retrieved 2019-04-08.
- "Fraudsters' fingerprints on fake Samsung deal". Retrieved 2019-04-08.
- See RFC3834
- "Transport Layer Security for Inbound Mail". Google Postini Services. Archived from the original on 2016-11-11. Retrieved 2019-04-08.
- Carranza, Pablo (16 July 2013). "How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability". DigitalOcean. Archived from the original on 20 April 2015. Retrieved 23 September 2019.
A carefully tailored SPF record will reduce the likelihood of your domain name getting fraudulently spoofed and keep your messages from getting flagged as spam before they reach your recipients. Email spoofing is the creation of email messages with a forged sender address; something that is simple to do because many mail servers do not perform authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
- Bursztein, Elie; Eranti, Vijay (2013-12-06). "Internet-wide efforts to fight email phishing are working". Google Security Blog. Retrieved 2019-04-08.
- Eggert, Lars. "SPF Deployment Trends". Archived from the original on 2016-04-02. Retrieved 2019-04-08.
- Eggert, Lars. "DKIM Deployment Trends". Archived from the original on 2018-08-22. Retrieved 2019-04-08.
- "In First Year, DMARC Protects 60 Percent of Global Consumer Mailboxes". dmarc.org. 2013-02-06. Retrieved 2019-04-08.
- "Prevent spoofed messages with spoofed senders detection". Retrieved 2019-04-08.
- "Anti-spoofing protection in Office 365". Retrieved 2019-04-08.
- Joan Goodchild (20 June 2018). "How to Recognize a Business Email Compromise Attack". Security Intelligence. Retrieved 11 March 2019.
- "Tips to Avoid Phishing Attacks and Social Engineering". www.bankinfosecurity.com. Retrieved 2020-11-17.
- "Business Email Compromise Is Extremely Costly And Increasingly Preventable". Forbes Media. 15 April 2020. Retrieved 2 December 2020.
- "Dublin Zoo lost €500k after falling victim to cyber-scam". 22 December 2017.
- "Austria's FACC, hit by cyber fraud, fires CEO". Reuters. 26 May 2016. Retrieved 20 December 2018.
- "Te Wananga o Aotearoa caught up in $120k financial scam". NZ Herald. Retrieved 20 December 2018.
- "Fire Service scammed out of $52,000". RNZ News. 23 December 2015. Retrieved 20 December 2018.
- Hackett, Robert (August 10, 2015). "Fraudsters duped this company into handing over $40 million". Fortune magazine. Retrieved 20 December 2018.
- Wallack, Todd (13 December 2018). "Hackers fooled Save the Children into sending $1 million to a phony account". The Boston Globe. Retrieved 20 December 2018.
- Powell, Dominic (27 November 2018). "Business loses $300,000 to 'spoofed' email scam: How to protect yourself from being impersonated". Smart Company. Retrieved 14 December 2018.
- "Sentence in BEC Scheme". Federal Bureau of Investigation. Retrieved 2020-02-01.
- "2002 Tech Tip: Spoofed/Forged Email". SEI Digital Library. Carnegie Mellon University. 2002-01-01. Retrieved 2019-12-19.