Frequently Asked Question

Email Spoofing and Fraud
Last Updated 2 hours ago

Email spoofing is the practice of sending an email that appears to come from a real person or organisation, even though it was sent by somebody else. It is commonly used in phishing and fraud because people are more likely to trust a message that looks familiar.

How email spoofing works

Email was originally designed with openness and compatibility in mind, not strong sender verification. Because of this, parts of an email can be forged unless modern protection standards are in place and correctly enforced.

A spoofed email usually relies on one or more of these techniques:

  • Forging the visible sender address so the message appears to come from a trusted person
  • Using a lookalike domain that resembles a real one
  • Compromising a genuine mailbox and sending real emails from it
  • Altering the display name so it shows a trusted person’s name even if the actual email address is different

Common ways attackers make an email look genuine

1. Forging the From address

The From address the recipient sees is just a header inside the message, and the sender can set it to almost any address they choose. The server that actually hands the message over does not need to have any connection with that domain. For example, an attacker may send a message with a From address such as:

managing.director@company.co.uk

even though the message never passed through that company's mail servers.

If the receiving mail system does not properly check authentication records, the spoofed message may still be accepted and delivered.

2. Using a lookalike or typo domain

Instead of spoofing the exact domain, attackers often register something very similar, such as:

barvlays.co.uk
peps1.com
hsbcbankinguk.co.uk

This works because many recipients do not check the full email address carefully. Because the attacker genuinely owns the lookalike domain, this is not spoofing in the technical sense: the attacker can publish SPF, DKIM and DMARC records for it and the message will pass every authentication check for that domain. It is nonetheless one of the most common fraud methods.

3. Display name spoofing

Mail clients often show only the sender name first, such as:

John Smith

The actual email address may be hidden unless the recipient expands the details. Attackers abuse this by setting the display name to a trusted contact while using a completely different address.

4. Using a compromised account

In some cases the attacker does not need to spoof anything. If they gain access to a real mailbox through password theft, malware, or reused credentials, they can send genuine emails from the correct account. These messages are much harder to detect because they often pass all normal checks.

How spoofed emails are used for fraud and phishing

Spoofed emails are effective because they create false trust and urgency. Common examples include:

  • Fake invoice requests
  • Bank detail changes
  • Payment diversion fraud
  • Password reset scams
  • Requests to open attachments or click malicious links
  • Messages pretending to be from senior staff asking for urgent action
  • Supplier impersonation
  • Internal impersonation, such as pretending to be HR, payroll, or IT

A typical fraud attempt may claim:

  • a supplier has changed bank details
  • an executive needs an urgent transfer
  • a user must re-enter their password immediately
  • a document needs urgent review through a malicious link

The goal is usually one of the following:

  • steal usernames and passwords
  • install malware
  • redirect payments
  • collect confidential information
  • gain a foothold for further attacks

Why spoofing was historically possible

Traditional email transfer using SMTP did not require strong proof that the sender was authorised to use a domain. A sending server could present a message claiming to be from almost any domain, and a receiving server might accept it unless additional checks were configured.

This means email trust has long depended on extra layers of protection being added over time.

How SPF, DKIM and DMARC help prevent spoofing

Modern email security relies heavily on three standards:

  • SPF
  • DKIM
  • DMARC

These do not make spoofing impossible in every case, but they greatly reduce successful impersonation when correctly configured and enforced.

SPF

SPF stands for Sender Policy Framework. It allows a domain owner to publish a DNS TXT record listing which mail servers, by IP address or range, are allowed to send email on behalf of that domain.

A receiving mail server takes the domain from the SMTP envelope sender (the MAIL FROM address, later recorded in the Return-Path header) and checks whether the connecting server's IP address is authorised by that domain's SPF record.

Example concept:

  • Domain publishes approved sending servers in DNS
  • Receiving server checks whether the sender matches that list
  • If not, SPF fails

SPF helps block basic domain spoofing, but it has limits:

  • it is evaluated against the envelope sender (MAIL FROM) or the HELO name, not the From header the recipient sees, so on its own it does not stop a forged From address
  • forwarded emails can fail SPF even when legitimate, because the forwarding server's IP address is not in the original domain's record
  • it produces a result (pass, fail, softfail, neutral, none) but does not by itself tell the receiver what policy to apply after a failure, and many receivers treat a failure as just one spam signal
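As an added example (not code from the original page), the following Python implements the core of the SPF check described above over a constructed table of records; the domains, records and IP ranges are all made up and stand in for the DNS TXT lookups a real receiver performs. It shows the normal pass, the failure a forwarding server causes, and why an attacker's own domain can pass SPF from the attacker's own server.

```python
import ipaddress

# Constructed SPF records for made-up domains, standing in for DNS TXT lookups
# so that the example runs offline. None of these domains or addresses is real.
FAKE_DNS_TXT = {
    "company.example":   "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example":    "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "attacker.example":  "v=spf1 ip4:192.0.2.0/24 -all",   # attacker's own, perfectly valid record
    "legacy.example":    "v=spf1 mx -all",                   # uses a mechanism not handled below
    "no-policy.example": None,                               # publishes no SPF record at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record

def check_spf(mail_from_domain, client_ip, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate SPF for the SMTP MAIL FROM domain against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Handles the ip4, ip6, include and all terms; a, mx, ptr, exists and
    redirect= are not implemented here and yield 'permerror'.
    """
    if _depth > 10:                      # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:      # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:            # a v6 address is never inside a v4 network, and vice versa
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, dns, _depth + 1)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # including a domain with no record is an error
        else:
            return "permerror"
    return "neutral"                     # nothing matched and there was no 'all' term

if __name__ == "__main__":
    # Legitimate mail from the company's own range, and from its included bulk mailer.
    print(check_spf("company.example", "203.0.113.25"))    # pass
    print(check_spf("company.example", "2001:db8:1::5"))   # pass, via include:mailer.example
    # The same envelope domain sent from an unlisted host, e.g. a forwarding server.
    print(check_spf("company.example", "192.0.2.7"))       # fail (-all)
    # The attacker's own domain passes SPF from the attacker's own server. SPF says
    # nothing about the From header the recipient sees; that is what DMARC alignment is for.
    print(check_spf("attacker.example", "192.0.2.7"))      # pass
    print(check_spf("no-policy.example", "192.0.2.7"))     # none
```

The include handling is where real records most often go wrong: an include of a domain with no record is a permanent error rather than a silent miss, and each include counts towards the ten-lookup limit, so records that chain several third-party mailers can exceed it and fail for legitimate mail.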

DKIM

DKIM stands for DomainKeys Identified Mail. It adds a digital signature to outgoing email. The sending server signs selected headers together with a hash of the message body using a private key, and the receiving server validates the signature using a public key published in DNS under the signing domain and selector named in the signature.

This confirms that:

  • the message was signed with a key published by the signing domain (the d= tag), so that domain took responsibility for it
  • the signed headers and the body were not altered after signing

If the signature is valid, the message is more trustworthy.

DKIM helps because:

  • forged messages usually cannot be signed correctly for a domain the attacker does not control
  • recipients can verify message integrity

However, DKIM also has limits:

  • it must be configured correctly on every platform that sends for the domain, including third-party services
  • mailing lists and some gateways rewrite the subject or append footers to the body, which invalidates the signature
  • a valid signature only proves who signed, not who the recipient thinks the sender is: DKIM alone does not require the signing domain to match the From address, and does not define what to do when checks fail
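The body-hash half of DKIM verification, as an added example in Python using only the standard library (not code from the original page): the signer records bh=, the hash of the canonicalized body, in the DKIM-Signature header, and a receiver recomputes it before spending any effort on the public-key check. The domain, selector and message body are constructed; the b= tag, which would hold the RSA signature over the listed headers, is left empty because producing it needs the selector's key pair.

```python
import base64
import hashlib

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization.

    Line endings become CRLF and every empty line at the end of the body is
    removed, so a body is always hashed as ending in exactly one CRLF. The
    'relaxed' algorithm (which also squeezes whitespace) is not implemented.
    """
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"

def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(header_value):
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header,
    dropping the folding whitespace that long values such as bh= and b= carry."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def build_signature_header(domain, selector, signed_headers, body):
    """Constructed DKIM-Signature value with a genuine bh= for the body.

    b= would hold the RSA signature over the h= headers plus this header
    itself; it needs the selector's private key and is left empty here, so
    this header exercises the body-hash half of DKIM only.
    """
    return ("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, signed_headers, body_hash(body)))

def body_hash_matches(dkim_signature_value, body):
    """True if the body still hashes to the bh= the signer recorded.

    If this fails the signature cannot verify whatever b= contains, which is
    why receivers check it first.
    """
    tags = parse_dkim_tags(dkim_signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "simple" or "l" in tags:
        raise ValueError("only a=rsa-sha256, simple body canonicalization and no l= tag are handled")
    return tags.get("bh") == body_hash(body)

# Constructed sample body and signature (not a real message, domain or key).
SAMPLE_BODY = "Please find the invoice attached.\r\nRegards,\r\nAccounts\r\n"
SAMPLE_SIGNATURE = build_signature_header("company.example", "sel2024", "from:to:subject:date", SAMPLE_BODY)

if __name__ == "__main__":
    print(SAMPLE_SIGNATURE)
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))                          # True
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY + "\r\n\r\n"))             # True: trailing blank lines ignored
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("\r\n", "\n")))    # True: line endings normalised
    footer = SAMPLE_BODY + "-- \r\nThis message was relayed by list.example\r\n"
    print(body_hash_matches(SAMPLE_SIGNATURE, footer))                               # False: a list footer breaks it
```

The last case is the mailing-list problem from the limits above: a footer appended by an intermediary changes the body hash, so the signature can no longer verify even though the original sender did sign the message.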

DMARC

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It builds on SPF and DKIM and tells receiving systems how to handle messages that fail authentication checks.

A domain owner can publish a DMARC policy in DNS to instruct recipients to:

  • do nothing special
  • quarantine suspicious messages
  • reject failed messages outright

The main DMARC policies are:

  • none – monitor only
  • quarantine – treat as suspicious, often send to junk
  • reject – refuse delivery

DMARC also introduces alignment. A message passes DMARC only if at least one of SPF or DKIM passes and the domain it validated aligns with the domain in the visible From address: for SPF that is the envelope sender (MAIL FROM) domain, for DKIM the d= domain of the signature. In relaxed alignment (the default) the two only need to share the same organisational domain, so bounce.company.co.uk aligns with company.co.uk; strict alignment requires an exact match. This is important because it stops attackers from passing SPF or DKIM for a domain they control while displaying somebody else's domain in the From address.
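An added example, not code from the original page: DMARC policy discovery, identifier alignment and disposition in Python, applied to a constructed message whose Return-Path (the envelope sender that SPF is checked against) and From header (what the recipient sees) name different domains, which is the forged-From case described earlier on this page. The DMARC records and domains are made up, the SPF and DKIM results are supplied as inputs rather than recomputed, and the organisational-domain helper uses a short list of UK suffixes in place of the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed DMARC records for made-up domains, standing in for the DNS TXT
# lookup at _dmarc.<domain>. Nothing here is a real domain or a real policy.
FAKE_DMARC_TXT = {
    "_dmarc.company.example": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@company.example",
    "_dmarc.lax.example":     "v=DMARC1; p=none; rua=mailto:reports@lax.example",
}

# Stand-in for the Public Suffix List; enough for the .co.uk examples on this page.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def parse_tags(record):
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def organizational_domain(domain):
    """Registrable part of a domain (RFC 7489 'organizational domain'),
    e.g. mail.bank.co.uk -> bank.co.uk. Real code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def address_domain(header_value):
    """Domain of the address in a From or Return-Path header; the display name is ignored."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def lookup_dmarc(from_domain, dns=FAKE_DMARC_TXT):
    """Policy discovery: the exact From domain first, then its organizational domain."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record and record.lower().startswith("v=dmarc1"):
            return candidate, parse_tags(record)
    return None, None

def dmarc_evaluate(from_header, spf_result, mail_from_domain, dkim_result, dkim_domain, dns=FAKE_DMARC_TXT):
    """Return (dmarc_result, disposition, reason).

    spf_result and dkim_result are the 'pass'/'fail' results the receiver has
    already computed; mail_from_domain is the SMTP MAIL FROM (Return-Path)
    domain SPF was checked against, dkim_domain the d= tag of a signature
    that verified ('' if none). The pct= sampling tag is ignored here.
    """
    from_domain = address_domain(from_header)
    policy_domain, tags = lookup_dmarc(from_domain, dns)
    if tags is None:
        return "none", "none", "no DMARC record for " + from_domain
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    policy = tags.get("p", "none")
    if from_domain != policy_domain and "sp" in tags:   # From is a subdomain of the policy domain
        policy = tags["sp"]
    return "fail", policy, "no authenticated identifier aligns with " + from_domain

# Constructed message as a receiver holds it after the SMTP session: Return-Path
# records the envelope sender SPF was checked against; the From header is
# whatever the sender typed and is what the recipient's client displays.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce@attacker.example>\r\n"
    "From: Managing Director <managing.director@company.example>\r\n"
    "Subject: Urgent payment\r\n"
    "\r\n"
    "Please transfer the attached invoice today.\r\n"
)

def evaluate_message(raw, spf_result, dkim_result, dkim_domain):
    """Pull both identities out of the raw message, then apply the DMARC policy."""
    msg = email.message_from_string(raw)
    return dmarc_evaluate(msg["From"], spf_result, address_domain(msg["Return-Path"]), dkim_result, dkim_domain)

if __name__ == "__main__":
    # Spoof: SPF and DKIM both pass, but for attacker.example, which does not align with company.example.
    print(evaluate_message(SAMPLE_MESSAGE, "pass", "pass", "attacker.example"))                            # fail, reject
    # Legitimate mail: envelope bounce.company.example aligns with company.example under relaxed mode.
    print(dmarc_evaluate("MD <md@company.example>", "pass", "bounce.company.example", "none", ""))         # pass
    # Forwarded mail: SPF fails at the forwarder, but the DKIM signature survived.
    print(dmarc_evaluate("MD <md@company.example>", "fail", "company.example", "pass", "company.example")) # pass
    # Mailing list that rewrote the body: SPF fails and DKIM breaks, so a genuine message is rejected.
    print(dmarc_evaluate("MD <md@company.example>", "fail", "list.example", "fail", "company.example"))    # fail, reject
```

The first case is the whole point of alignment: both underlying checks pass, yet the message fails DMARC because neither validated identity is company.example. The last case is the cost of p=reject, a genuine message lost because an intermediary broke both checks, which is why domain owners normally move from p=none through p=quarantine and read the reports before enforcing.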

Why SPF, DKIM and DMARC are effective together

These standards are strongest when used together:

  • SPF checks whether the sending server is authorised
  • DKIM checks whether the message is signed by the domain and unchanged
  • DMARC checks alignment and tells receivers how to handle failures

When all three are implemented properly:

  • direct spoofing of a protected domain is usually rejected or quarantined
  • domain owners gain reporting visibility
  • recipients are better protected from impersonation

For most mainstream business email providers, messages that fail these checks are far less likely to reach the inbox.

Why spoofed emails can still be delivered

Even with modern protections, spoofed messages can still appear for several reasons.

Weak receiving systems do not validate properly

Some receiving systems do not fully check SPF, DKIM and DMARC, or check them incorrectly: older or 'free' providers, legacy mail appliances, and self-hosted servers whose authentication checks were never enabled or are only used as a spam score. In these cases a spoofed message may still be accepted, however good the genuine domain's records are.

The sending domain has weak or missing records

If the genuine domain owner has not configured SPF, DKIM or DMARC properly, protection is limited. In these cases, receivers have little reliable information to validate the message.

Compromised real accounts pass checks

If an attacker sends mail from a genuinely compromised mailbox, the message usually passes SPF, DKIM and DMARC, because it is sent through the legitimate provider with the provider's own signatures. This is not spoofing in the strict sense, but to the recipient it looks the same. It is one of the largest risks in hosted platforms such as the Microsoft ecosystem, where account compromise is commonplace and hard to detect, and the only defences are on the account itself: strong multi-factor authentication, alerting on unusual sign-ins and mailbox rule changes, and quick response.

Forwarding and mailing list behaviour can complicate validation

Some legitimate email forwarding setups cause SPF to fail, because the forwarding server is not in the original domain's SPF record. DKIM is designed to survive forwarding and DMARC accepts an aligned DKIM pass on its own, but mailing lists and gateways that rewrite the subject or body break DKIM as well, leaving a genuine message with no passing check. ARC (Authenticated Received Chain) lets an intermediary record the results it saw before modifying the message, but not every receiver honours it. Some providers therefore choose to be less strict to avoid rejecting valid messages, which creates a gap that spoofed mail can exploit.

How to identify likely spoofed or fraudulent emails

Common warning signs include:

  • unusual urgency or secrecy
  • requests to change bank details
  • requests for gift cards or payments
  • login links asking for credentials
  • unexpected attachments
  • sender name looks correct but address is different
  • slight spelling changes in the domain
  • reply-to address differs from sender address
  • tone or wording does not match the real person
  • message arrives outside normal business patterns
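Several of the warning signs above, together with the lookalike-domain and display-name tricks described earlier on this page, can be checked mechanically before a human ever reads the message. The following Python is an added example and is not from the original page; the contact directory, trusted domains, sample headers and keyword list are all constructed, and the thresholds are illustrative rather than tuned.

```python
from email.utils import parseaddr

# Constructed contact directory and trusted domains; none of these are real.
TRUSTED_CONTACTS = {
    "john smith": "john.smith@company.example",
    "jane doe":   "jane.doe@supplier.example",
}
TRUSTED_DOMAINS = {"company.example", "supplier.example"}
URGENCY_TERMS = ("urgent", "immediately", "bank details", "gift card", "confidential")

def edit_distance(a, b):
    """Levenshtein distance, to catch typo domains such as 'cornpany' for 'company'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.

    Two heuristics: the first label is within two edits of a trusted label
    (barvlays/barclays, peps1/pepsi), or a trusted brand of four or more
    characters is embedded in a longer label (hsbcbankinguk). The second rule
    can false-positive on short, common words, so keep trusted labels specific.
    """
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for t in sorted(trusted):
        t_label = t.split(".")[0]
        if edit_distance(label, t_label) <= 2 or (len(t_label) >= 4 and t_label in label):
            return t
    return None

def analyse(headers):
    """headers: dict of header name -> value (From, Reply-To and Subject are used).
    Returns a list of warnings; an empty list means none of the checks fired."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. Display name belongs to a known contact but the address is not theirs.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        warnings.append("display name '%s' belongs to %s but the address is %s" % (name, expected, addr))

    # 2. Sender domain resembles a domain we trust.
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append("sender domain %s looks like %s" % (from_domain, imitated))

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        warnings.append("Reply-To domain %s differs from From domain %s" % (domain_of(reply), from_domain))

    # 4. Urgency or payment wording in the subject.
    hits = [t for t in URGENCY_TERMS if t in headers.get("Subject", "").lower()]
    if hits:
        warnings.append("urgency/financial wording in subject: " + ", ".join(hits))
    return warnings

if __name__ == "__main__":
    samples = [  # constructed headers
        {"From": "John Smith <jsmith.personal@freemail.example>", "Subject": "Quick favour"},
        {"From": "Accounts <accounts@cornpany.example>", "Subject": "Urgent: updated bank details"},
        {"From": "Jane Doe <jane.doe@supplier.example>", "Reply-To": "jane.doe@supplier-billing.example",
         "Subject": "Invoice 4471"},
        {"From": "Jane Doe <jane.doe@supplier.example>", "Subject": "Minutes from Tuesday"},
    ]
    for h in samples:
        print(h["From"], "->", analyse(h) or "no warnings")
```

None of these checks proves fraud on its own, and none replaces SPF, DKIM and DMARC; they catch the cases those standards cannot, such as a lookalike domain the attacker genuinely owns or a free-mail address wearing a colleague's display name, and are best used to flag messages for a second look rather than to block.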
