An Email Spoofing Disaster is Just a Click Away

April 29, 2021
a warning sign in yellow with email spoofing written on it in black.

One of the most prominent forms of social engineering that cybercriminals use to mount phishing attacks these days is email spoofing. The FBI’s Internet Crime Complaint Center (IC3) just released their annual report detailing the cybercrime activity that they noted in 2020. IC3 disclosed that they received an average of 2,000 cybercrime complaints per day with reported losses topping $4.1 billion in 2020 – and nearly $217 million of these losses were the result of email spoofing.  


Add to your security team and your defense without adding to your headcount! LEARN MORE>>


Social Engineering and Email Spoofing Go Hand in Hand


Email spoofing is a tricky foe. This method of phishing involves bad actors carefully crafting a phishing lure to make it appear to be a legitimate message from a trusted source. These scams typically utilize information gathered from dark web sources. The poisoned messages will use an email address that looks believable or is in fact stolen from the legitimate organization that the bad actors claim to represent. But it’s really a phishing message, and your staffer has been tricked into opening it and interacting with it, leading to cybersecurity pitfalls like credential compromise and ransomware

Some of the biggest brands that employees encounter in their daily lives are common victims of email spoofing and brand impersonation. It doesn’t take much effort for a cybercriminal to clone an email from a legitimate sender and alter the details enough to garner an unsuspecting click. Bad actors don’t spare the creativity when choosing lures either.

In just the last few years, major campaigns have included: 

  • PayPal phishing 
  • Amazon phishing 
  • FedEx phishing 
  • Lastpass phishing 
  • Walmart phishing 
  • Walgreens Phishing 
  • USAA phishing 

Is That Really Your Alma Mater?

Every year we’re seeing more major email spoofing scams that use the simulated email addresses, branding and communication style of big, trustworthy organizations like banks, charities, alumni organizations, professional groups, specialty stores, political groups, government agencies and other entities to perpetrate phishing attacks. This increasing stream of cyberattacks is supported by vast quantities of dark web data, and that risk grows as more data accumulates on the dark web from a constant parade of breaches – 22 million new records were added to the dark web in 2020, full of information that cybercriminals can leverage to mount phishing expeditions.

Here are a few notable recent examples: 

  • Sometimes, phisher men use an intermediary address to make the message seem more credible, like in a recent phishing campaign spoofing DHL and FedEx emails that were really Microsoft phishing attacks that targeted more than 10K users. 
  • Spoofing government entities is popular. The US IRS (Internal Revenue Service) released an official warning in early April 2021 to alert tax professionals about spoofing emails supposedly sent from “IRS Tax E-Filing” with the subject line “Verifying your EFIN before e-filing.”  
  • Scams using email addresses that purport to be from university domains like Oxford and Perdue are a widely used tactic because they can be easily slipped past traditional corporate email security. Cybercriminals can quickly determine a mark’s alma mater from social media to personally tailor attacks on high-value targets

Automated security isn’t a luxury. See why Graphus is a smart buy. LEARN MORE>>


Uncover Email Spoofing with Graphus


This constant stream of shadowy, potentially dangerous incoming messages can be a challenge for even the most security-conscious employees to navigate. Cybercriminals have been increasingly relying on this tactic through the pandemic era too. Phishing attacks that employed email spoofing ballooned by more than 220% in 2020. Beyond phishing for credentials, these lures can also be used to disseminate malware or as part of a business email compromise scheme with potentially devastating consequences. 

No matter how good cybercriminals may be at spoofing domains and mimicking legitimate communications from businesses, schools or government agencies, Graphus is better at detecting them. Graphus isn’t fooled by “almosts”, using a patented algorithm and more than 50 points of comparison to examine an email inside and out. That’s one reason why Graphus catches 40% more phishing messages than conventional security. Graphus also doesn’t need human intervention to find new risks and gain new threat intelligence. The best part? All of these benefits happen automatically after a simple installation process. In just a few clicks, anyone can get Graphus online and on the job protecting an organization – even a CEO.   

Contact our antiphishing software experts today to set up a personalized demo and see how Graphus can benefit your business.  



Contact our solutions experts today to see how you’ll benefit from putting Graphus to work for you.