What Is Email Spoofing?

September 23, 2022

One of the most devious and effective ways bad actors use to create believable phishing emails is through a technique called email spoofing. Learning more about this practice, how to spot a spoofed email and how to defend against spoofing can help keep businesses out of trouble.


Learn the ins and outs of today’s wide variety of phishing attacks & how to stop them in Phishing 101. DOWNLOAD IT>>

What does email spoofing mean?

In an email spoofing cyberattack, bad actors try to trick targets into providing personal information, handing over money or financial data, or downloading malware by sending malicious emails that appear to be coming from trusted sources like a legitimate brand, organization, government agency or business associate.

Spoofing vs. phishing

Email spoofing is a technique that is commonly used as part of a phishing attack. While not all phishing attacks involve spoofed email messages, a spoofed message is a good indicator that an unusual message is a phishing attempt.

Spoofing vs. impersonation

Brand impersonation or brand fraud is typically a component of an email spoofing attack. Using this technique, bad actors will attempt to mimic a message from a well-known brand, like Microsoft, DHL or UPS, to create a false sense of security in their victims and make their malicious message seem like authentic, routine communication.


Looking for a security rockstar? Get 5 superstar benefits for half the cost of the competition! SEE THE BENEFITS>>


Why do hackers use spoofed emails?


Bad actors use email spoofing in phishing attacks for a variety of reasons including:

To benefit from the good reputation of a trusted individual or organization

Hackers love to use someone else’s good reputation to make themselves seem trustworthy. Spoofing is a quick way for them to do that. The most commonly spoofed brands are also brands that people interact with every day. These brands are familiar and generally trusted. DHL, Microsoft, WhatsApp, Google and LinkedIn are the five most spoofed brands.

To avoid spam filters and block lists

By spoofing messages from companies or people that the victim regularly corresponds with, bad actors have a better chance of sliding past common defenses like spam filters or blocked sender lists. Spoofed messages, especially new scams, can also sneak through secure email gateways more easily.

To convince victims to download malware

Presenting a trustworthy front is a great way to get victims to trust the links and attachments that come with a malicious message. That makes it easy for the bad guys to use spoofed messages to deploy malware like ransomware.

To conduct business email compromise attacks

Spoofing is a common tactic used in business email compromise. Cybercriminals choose to spoof messages from inside a company because employees will not look too closely at them. Sometimes, those messages will appear to come from executives that employees will want to please, making those employees more likely to provide requested information. Bad actors will also spoof messages from a company’s suppliers and partners to trick employees. Business email compromise (BEC) is the most expensive cyberattack a business can experience. It’s 64x worse than ransomware according to the U.S. Federal Bureau of Investigation Internet Crime Complaint Center.

To pose as a government agency

Spoofing a government message is a go-to tactic for phishing operations because government messages have a higher chance of seeming trustworthy. People are also easily frightened by government messages creating urgency that will drive victims to provide financial or personal data. For example, cybercriminals often pose as the U.S. Internal Revenue Service near income tax deadlines to snag unwary taxpayers.

To take advantage of emergencies or disasters

Bad actors will not hesitate to take advantage of a stressful situation to make a profit. During the COVID-19 pandemic, cybercriminals spoofed messages from the World Health Organization (WHO) to persuade victims to download a COVID-19 exposure map that was actually ransomware.


Follow the path business takes to a ransomware disaster in The Ransomware Road to Ruin. DOWNLOAD IT NOW>>


How common is email spoofing?

Email spoofing is extremely common. An estimated 25% of all branded email that people receive are actually malicious spoofed messages. It’s also a risk that is growing exponentially. Spoofing has skyrocketed by more than 360% since 2020.

How does email spoofing work?

Bad actors could take a number of routes when it comes to creating and using a spoofed message. Typically, this process starts with the cybercriminal creating a believable fake domain from which to send their spoofed message. Then, they may send an actual branded message and simply change the copy and the links. Alternatively, they could construct their fake message themselves, aiming for a similar look and feel to a legitimate message from the supposed sender. Once they’re ready, they’ll send the message to potential victims, often using email address lists and files obtained from the dark web.

What is an example of a spoofed email?

Here are real-world examples of email spoofing used as part of successful phishing attacks.

  • Employees at technology company Seagate received emails from someone claiming to be the company’s CEO that requested them to provide new W-2 forms. The message looked legitimate, and many employees sent their personal and financial data to cybercriminals.
  • Cybercriminals faked messages from Union Bank sent to businesses and consumers offering COVID-19 relief payments and loans to capture personal and financial data.
  • The U.S. Department of Transportation published a notice about fraudulent emails disguised as official Office of the Senior Procurement Executive (OSPE) correspondence, including fake Requests for Proposal (RFPs) and Requests for Information (RFIs).

Explore today’s biggest threats & what’s next in The State of Email Security 2022 GET IT>>


Can email spoofing be detected?

Email spoofing can be detected if you’re aware of the signs that indicate spoofing and take care to look for them in unexpected messages. It’s also important to be aware of which brands are most commonly spoofed to know when to be especially on guard. Unfortunately, 97% of employees cannot recognize sophisticated phishing threats like spoofing.

How can you tell if an email is spoofed?

These red flags can indicate that a message is spoofed.

Check the email header information

  • Does the “from” email address match the display name? If the email address associated with the display name is actually coming from someone else, the message may be spoofed.
  • Does the “reply to” header match the source? If the reply to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged.
  • Determine where the “return path” goes. This identifies where the message originated from, and if it seems unusual, it may indicate a spoofed message.

Look at the physical characteristics

Take a good look at the format, logos, colors and fonts used in the message to spot inconsistencies. If anything seems off, trust your instincts and stop interacting with that message.

Consider the Content

Does the message seem like others you’ve received from this sender in spelling, grammar and language? If not, it may be spoofed. Is the message driving you to do something urgently to avoid a consequence? This is a common technique used by bad actors in spoofed messages used for phishing.


See 10 reasons why Graphus is just better than other email security solutions. SEE THE LIST>>


How can you avoid falling victim to a spoofed email

While it’s not possible to prevent bad actors from sending spoofed emails, with the right tools you can protect your organization from falling prey to these tactics.

Secure email gateways (SEGs)

A SEG uses data from threat intelligence reports to detect email spoofing and stop phishing messages to prevent spoofed messages from reaching their destination.

Authentication protocols

These common authentication protocols can also stop spoofing:

DomainKeys Identified Mail (DKIM): DKIM is a standard email authentication protocol that uses asymmetric encryption to create a private and public key pair, with the public key published in the domain’s DNS record. This is accomplished by adding a digital signature to the header of an outgoing email. When the receiving server receives the email with the signature in its header, it asks for a unique public key TXT record to verify the authenticity of the sender’s domain.

Sender Policy Framework (SPF): SPF is an email authentication protocol that enables organizations to specify the mail servers or IP addresses approved to send emails on their behalf. Once the recipient’s server receives the email, the DNS records are checked to identify whether the IP address is listed in the SPF record. If it isn’t, that email is not authenticated.

Domain-based Message Authentication, Reporting and Conformance (DMARC): DMARC brings visibility to whether the spoofed email should be accepted or rejected by recipients based on a set of established criteria in tandem with SPF and DKIM email standards.

Security awareness training: Security awareness training helps employees become savvy about phishing threats like spoofing. It also helps employees learn to practice good cyber hygiene and be aware of dangers like opening suspicious messages or providing sensitive information to the wrong person. Through phishing simulations, employees gain experience in spotting trouble like spoofing using real-world examples.

Antimalware and Anti-phishing Software: Email security software that includes anti-phishing and antimalware protection offers strong protection against spoofing and other malicious phishing messages. AI and security automation technologies make that protection even more substantial by using machine learning to eliminate the need for uploaded threat reports, enabling the software to detect new threats and zero-day threats as well.

Prevent email spoofing with Graphus

API-based Graphus protects businesses from spoofing with smart AI that prevents sophisticated phishing attacks from being seen employees automatically. Graphus is cloud-native, quick to deploy and will go to work on its own or augment your Microsoft 365 or Google Workspace native email security. And all of this protection comes at half the price of our competitors.  Learn more about Graphus today.


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus