
Email spoofing is a trick used by cyber criminals to make you believe that an email is from someone else. They then use social engineering to gain access to your data, or to trick you into paying fake invoices.

Spoofing forges the From name and address in an email, so that when the email lands in your inbox it looks as though it came from someone you know.

Email spoofing is considered a computer crime and when used to carry out fraudulent activity, can lead to prosecution.

Examples of Email Spoofing

American Tooling Center Inc.

In 2015, the Vice President of American Tooling Center Inc. sent a request to one of its vendors for any outstanding invoices. The reply email contained instructions to pay several valid outstanding invoices, but to a new bank account.

The VP did not verify the new bank details and ordered a wire transfer of the outstanding funds, totalling about undefined,000. It turned out that this bank account was controlled by a cyber criminal, not the vendor. ATC’s insurers wouldn’t pay out, so ATC then had to pay another $400,000 to the vendor to cover the still outstanding invoices.

That’s $400,000 that was lost because of poor data security. There was no email security in place to avoid email spoofing, and new bank details weren’t verified!

Conveyancing Fraud

Conveyancing fraud targets people who are about to purchase property, by posing as the buyer’s solicitor in order to steal their deposit.

Cyber criminals will break into solicitors’ email accounts and wait until they see emails about a property purchase. When it is time for money to be transferred from the buyer to the solicitor, the criminal sends a spoofed email containing their own bank details.

The buyer transfers the money to the criminal’s account, and by the time they discover the details are fraudulent it is often too late to stop the transfer.

‘Mary Smith’ lost £60,000 when she fell victim to email spoofing during a house purchase in London. There’s a link to the full story at the bottom of this email.

How to Prevent Email Spoofing

There are three core email authentication methods that can prevent your email domain from being spoofed. As with most technology, they’re fairly complex to describe, so we’ve summed up the principles below.

Essentially, they let recipient email servers identify the emails you send from your domain as valid, and stop spammers from sending fraudulent emails using your domain.

Sender Policy Framework (SPF)

An SPF record identifies which mail servers are permitted to send emails on behalf of your domain. The purpose of the SPF record is to prevent spammers from sending emails with a forged From address using your domain.

For example, if you use Gmail for all of your email domain sending, you would create an SPF record that identifies G Suite mail servers as your authorised servers.

Your recipient’s mail server then checks whether a message claiming to be from your domain arrived from one of the servers your SPF record authorises. If the sending server does not match the SPF record, the recipient would reject the message as spam.

Without an SPF record, some recipient domains will reject messages from your users as spam, as they cannot validate that the message has come from your authorised mail server.
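To show what the recipient’s server actually does with an SPF record, here is an added example in Go; it is not code from this article or from any mail provider. It evaluates a sender IP against a constructed record for example.com that authorises one address range directly and a hypothetical provider through include:, using an in-memory table in place of real DNS. The domains, the selector name and the addresses (RFC 5737 documentation ranges) are all made up for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dnsTXT is a constructed, in-memory stand-in for DNS TXT lookups; a real checker queries DNS.
// The addresses are documentation ranges (RFC 5737) and the domains are made up.
var dnsTXT = map[string]string{
	"example.com":               "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
	"_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

// lookupSPF returns the domain's SPF record, or "" when it publishes none.
func lookupSPF(domain string) string {
	if rec, ok := dnsTXT[strings.ToLower(domain)]; ok && strings.HasPrefix(rec, "v=spf1 ") {
		return rec
	}
	return ""
}

var qualifierResult = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// CheckSPF evaluates whether ip may send mail for domain, returning an RFC 7208 result:
// "pass", "fail", "softfail", "neutral", "none" or "permerror". depth counts include: nesting.
func CheckSPF(domain string, ip net.IP, depth int) string {
	if depth > 10 { // RFC 7208 caps DNS-querying terms to avoid unbounded recursion
		return "permerror"
	}
	rec := lookupSPF(domain)
	if rec == "" {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "+" // an unqualified mechanism means "pass" when it matches
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			cidr := term[4:]
			if !strings.Contains(cidr, "/") { // a bare address means a single host
				cidr += map[string]string{"ip4:": "/32", "ip6:": "/128"}[term[:4]]
			}
			_, network, err := net.ParseCIDR(cidr)
			if err != nil {
				return "permerror"
			}
			matched = network.Contains(ip)
		case strings.HasPrefix(term, "include:"):
			// include: counts as a match only when the referenced record yields "pass"
			switch CheckSPF(term[8:], ip, depth+1) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			// a, mx, ptr, exists and redirect= need live DNS and are out of scope here
			return "permerror"
		}
		if matched {
			return qualifierResult[qualifier]
		}
	}
	return "neutral" // no term matched and no "all" was present
}

func main() {
	for _, src := range []string{"203.0.113.7", "198.51.100.11", "192.0.2.99"} {
		fmt.Printf("mail from %-14s claiming example.com -> %s\n", src, CheckSPF("example.com", net.ParseIP(src), 0))
	}
}
```

The three sample senders show the three outcomes that matter: an address in the domain’s own range passes, an address belonging to the included provider passes through the include, and anything else hits `-all` and fails. Had the domain owner published `~all` instead, the spoofed sender would only softfail, which most receivers treat as a hint rather than a reason to reject; that is why the qualifier you publish matters as much as the list of servers.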

DomainKeys Identified Mail (DKIM)

DKIM works by adding a digital signature to your outgoing email headers. A private key held by your domain signs the outgoing message’s headers and body, and the matching public key is published in the domain’s DNS records. The recipient’s email server can then use the public key to verify the signature, confirming that the message was sent from you and hasn’t been changed along the way.
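The sign-and-verify flow described above, as an added example in Go; this is not the article’s code nor any mail server’s implementation. It uses Go’s standard-library Ed25519 (the ed25519-sha256 DKIM algorithm of RFC 8463) with relaxed canonicalisation of headers and body. The sample headers and body, the domain example.com and the selector sel2017 are constructed for the example, and the verifier receives the public key as an argument where a real one would fetch it from the TXT record at sel2017._domainkey.example.com.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one "Name: value" header line; Value carries no trailing CRLF.
type Header struct{ Name, Value string }

var wsRe = regexp.MustCompile(`[ \t]+`)

// canonHeader: DKIM "relaxed" header canonicalisation (RFC 6376 §3.4.2): lower-case the name,
// unfold, collapse whitespace runs to one space and trim both ends of the value.
func canonHeader(h Header) string {
	val := strings.TrimSpace(wsRe.ReplaceAllString(strings.ReplaceAll(h.Value, "\r\n", ""), " "))
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + val + "\r\n"
}

// canonBody: "relaxed" body canonicalisation (RFC 6376 §3.4.4): collapse whitespace within
// lines, strip trailing whitespace, drop empty trailing lines, end with exactly one CRLF.
func canonBody(body string) string {
	lines := strings.Split(body, "\r\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsRe.ReplaceAllString(l, " "), " ")
	}
	for len(lines) > 0 && lines[len(lines)-1] == "" {
		lines = lines[:len(lines)-1]
	}
	if len(lines) == 0 {
		return ""
	}
	return strings.Join(lines, "\r\n") + "\r\n"
}

// headerDigest hashes the signed headers (last instance of each h= name, in h= order) followed
// by the DKIM-Signature header with an empty b= value and no trailing CRLF (RFC 6376 §3.7).
func headerDigest(names []string, headers []Header, dkimValue string) [32]byte {
	var buf strings.Builder
	for _, name := range names {
		for i := len(headers) - 1; i >= 0; i-- {
			if strings.EqualFold(headers[i].Name, strings.TrimSpace(name)) {
				buf.WriteString(canonHeader(headers[i]))
				break
			}
		}
	}
	buf.WriteString(strings.TrimSuffix(canonHeader(Header{"DKIM-Signature", dkimValue}), "\r\n"))
	return sha256.Sum256([]byte(buf.String()))
}

// Sign builds a DKIM-Signature header (Ed25519-SHA256, RFC 8463, relaxed/relaxed) covering
// the named headers and the body. The private key stays on the sending server.
func Sign(domain, selector string, priv ed25519.PrivateKey, names []string, headers []Header, body string) Header {
	bh := sha256.Sum256([]byte(canonBody(body)))
	unsigned := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	digest := headerDigest(names, headers, unsigned)
	return Header{"DKIM-Signature", unsigned + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest[:]))}
}

// Verify checks the DKIM-Signature with pub. A real verifier fetches pub from the TXT record
// at <s=>._domainkey.<d=>; here the caller supplies it, so no DNS is needed.
func Verify(pub ed25519.PublicKey, headers []Header, body string) bool {
	var dkim string
	for _, h := range headers {
		if strings.EqualFold(h.Name, "DKIM-Signature") {
			dkim = h.Value
		}
	}
	tags := map[string]string{}
	for _, kv := range strings.Split(dkim, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			tags[p[0]] = strings.TrimSpace(p[1])
		}
	}
	bh := sha256.Sum256([]byte(canonBody(body)))
	if dkim == "" || tags["bh"] != base64.StdEncoding.EncodeToString(bh[:]) {
		return false // no signature, or the body was altered in transit
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	// Recompute the header hash exactly as the signer did: same h= list, b= emptied.
	unsigned := regexp.MustCompile(`(^|;)(\s*)b=[^;]*`).ReplaceAllString(dkim, "${1}${2}b=")
	digest := headerDigest(strings.Split(tags["h"], ":"), headers, unsigned)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample message, not real mail.
	headers := []Header{{"From", "Accounts <accounts@example.com>"}, {"To", "buyer@example.net"},
		{"Subject", "Invoice 1042   now due"}, {"Date", "Tue, 01 Aug 2017 09:00:00 +0100"}}
	body := "Please pay to the account shown on the attached invoice.\r\n\r\n"
	signed := append(headers, Sign("example.com", "sel2017", priv, []string{"from", "to", "subject", "date"}, headers, body))
	fmt.Println("untouched message verifies:", Verify(pub, signed, body))
	tampered := append([]Header{}, signed...)
	tampered[0].Value = "Accounts <accounts@example.co>" // From changed after signing
	fmt.Println("altered From verifies:     ", Verify(pub, tampered, body))
}
```

Two points worth noticing. The signature only protects the headers listed in `h=`, so a verifier should insist that From is among them; and relaxed canonicalisation is what lets a legitimately forwarded message (whitespace reflowed, trailing blank lines added) still verify while any change to the words of the From line or the body still breaks the signature.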

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a protocol launched in 2012 and designed to reduce domain spoofing through email authentication, policy and reporting.

It tells receiving mail servers how to identify whether an email is legitimately from the sender’s domain, and what to do if it isn’t. The owner of the domain can request that phishing and spam emails spoofing their domain go straight into the junk folder or be rejected altogether.

When HMRC introduced DMARC, it reported that in one year, 300 million fewer phishing emails purporting to be from the agency were sent.
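DMARC’s decision logic, as an added example in Go; this is not the article’s code or any vendor’s implementation. It parses a constructed DMARC record for example.com and decides what a receiver should do with a message, given the SPF and DKIM results and whether the domain each of them authenticated lines up with the From address. The organisational-domain rule is simplified to the last two labels; real implementations consult the Public Suffix List. The record text and the sender scenarios are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what SPF or DKIM reported for a message and which domain it authenticated
// (SPF: the MAIL FROM domain; DKIM: the d= tag of a valid signature).
type AuthResult struct {
	Pass   bool
	Domain string
}

// Policy holds the tags of a parsed DMARC record that decide disposition.
type Policy struct {
	P, ADKIM, ASPF string
}

// ParseDMARC parses a "v=DMARC1; ..." TXT record. Unknown tags are ignored, as RFC 7489 requires;
// a record without p= is not a usable policy.
func ParseDMARC(record string) (Policy, bool) {
	pol := Policy{P: "none", ADKIM: "r", ASPF: "r"} // defaults from RFC 7489 §6.3
	tags := map[string]string{}
	for _, kv := range strings.Split(record, ";") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) == 2 {
			tags[strings.ToLower(parts[0])] = strings.ToLower(strings.TrimSpace(parts[1]))
		}
	}
	if tags["v"] != "dmarc1" || tags["p"] == "" {
		return pol, false
	}
	pol.P = tags["p"]
	if v := tags["adkim"]; v != "" {
		pol.ADKIM = v
	}
	if v := tags["aspf"]; v != "" {
		pol.ASPF = v
	}
	return pol, true
}

// orgDomain approximates the organisational domain by keeping the last two labels.
// Production code must use the Public Suffix List ("example.co.uk" has three).
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether authDomain aligns with the From domain in strict ("s") or relaxed mode.
func aligned(fromDomain, authDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// Disposition applies the From domain's policy: "pass" if SPF or DKIM passed *and* its domain
// aligns with the From address; otherwise the p= action ("none", "quarantine" or "reject").
func Disposition(fromDomain string, pol Policy, spf, dkim AuthResult) string {
	if (spf.Pass && aligned(fromDomain, spf.Domain, pol.ASPF)) ||
		(dkim.Pass && aligned(fromDomain, dkim.Domain, pol.ADKIM)) {
		return "pass"
	}
	return pol.P
}

func main() {
	// Constructed record for example.com; rua= is where aggregate reports would be sent.
	pol, _ := ParseDMARC("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
	cases := []struct {
		name      string
		spf, dkim AuthResult
	}{
		{"own server, DKIM signed", AuthResult{true, "example.com"}, AuthResult{true, "example.com"}},
		{"bulk sender, SPF on a subdomain", AuthResult{true, "mail.example.com"}, AuthResult{false, ""}},
		{"spoofed From, attacker's own SPF", AuthResult{true, "attacker.example"}, AuthResult{false, ""}},
		{"forwarded: SPF broken, DKIM intact", AuthResult{false, "fwd.example.net"}, AuthResult{true, "example.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %s\n", c.name, Disposition("example.com", pol, c.spf, c.dkim))
	}
}
```

The third scenario is the one DMARC exists for: the criminal’s server may well pass SPF for the criminal’s own domain, but that domain does not align with the example.com From address, so the receiver applies `p=reject`. The fourth shows why DKIM matters alongside SPF: a forwarded message loses SPF alignment but keeps its signature, so it still passes.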

How to Avoid Being a Victim

Follow our advice on avoiding email fraud to prevent becoming a victim of email spoofing.

You can also use two-factor authentication to make it harder for cyber criminals to access your email accounts.

Usually, an invoice payment request comes from a vendor, supplier or business that you already have a relationship with. Always double-check that the bank details are the same as before, and if they’re different, confirm them by telephone, using a number you already hold rather than one given in the email, or in person if possible.


Date published: 01/08/2017
