Chances are you’ve been the target of a spoofed email at least once in your life. That’s because email spoofing targets everyone, from individuals to multi-million dollar companies.
In this article, you’ll find everything you need to know about email spoofing: what it is, the reasons behind it, and how to deal with it.
Use a secure email provider
- Choose a secure email service provider. Protonmail is widely known and free to use.
- Sign up for the service to get your own personal mailbox.
- Write encrypted email, even to recipients who are not on Protonmail.
- Use the option to report phishing emails so that similar scams are filtered out in the future.
What is email spoofing?
Email spoofing is the act of sending emails with a forged sender address. It tricks the recipient into believing that someone they know or trust sent them the email. It is usually a tool in a phishing attack, designed to take over your online accounts, deliver malware, or steal funds.
Basic spoofed email messages are easy to create and, with a look at the headers, easy to detect. However, the more malicious and targeted varieties can cause significant problems and pose a major security threat.
Reasons for email spoofing
The reasons for email spoofing are pretty straightforward. Usually, the criminal has something malicious in mind, like stealing a company’s private data. These are the most common reasons behind this activity:
- Phishing. Nearly universally, email spoofing is a gateway for phishing. Impersonating someone the recipient knows is a tactic to get the person to click on malicious links or hand over sensitive information.
- Identity theft. Impersonating someone else can help a criminal gather more data about the victim (e.g. by requesting sensitive information from financial or medical institutions in the victim’s name).
- Bypassing spam filters. Frequently switching between sender addresses can help spammers avoid being blacklisted.
- Anonymity. Sometimes a fake sender address is used simply to hide the true identity of the sender.
Dangers of email spoofing
Email spoofing is dangerous and harmful because the attacker does not need to compromise any account or bypass the security measures that most email providers now implement by default. It exploits the human factor, especially the fact that nobody double-checks the header of every email they receive. Furthermore, it is easy for attackers and requires almost no technical knowledge at a basic level: any mail server can be configured to emit messages with whatever sender address its operator chooses.
How do attackers spoof your email address?
Email spoofing is possible because the sender fields of an email are just text that the sending side fills in. There are several methods of varying complexity, and they differ in which part of the email the attacker forges.
These are the variations you are most likely to encounter.
Spoofing via display name
Display name spoofing is a type of email spoofing in which only the display name of the sender is forged. Anyone can do this by registering a new Gmail account under the same name as the contact they want to impersonate. Mind you, the actual address (shown when you expand the sender or hover over the name) will differ. If you’ve ever received an email from “Jeff Bezos” asking you to lend him some money, you’ve come across an example of display name spoofing.
This type of email bypasses the sender-verification countermeasures described later (SPF, DKIM and DMARC), and it won’t get filtered out as spam, because it is sent from a legitimate account at a legitimate address; only the name is a lie. It exploits user interfaces built with ease of use in mind: most modern email clients hide the metadata. Display name spoofing is especially effective because of the prevalence of smartphone email apps, which often only have space for a display name.
Spoofing via legitimate domains
Suppose the attacker is aiming for more credibility. In that case, they can also put a trusted email address in the From header, alongside a display name such as “Customer Service Specialist”. This means that both the display name and the email address show misleading information.
This attack does not require hijacking an account or penetrating the internal network of the target company. It only needs a Simple Mail Transfer Protocol (SMTP) server that accepts connections without authentication and lets the client specify the “To” and “From” addresses freely, i.e. an open relay. Using shodan.io, one can identify roughly 6,000,000 internet-facing SMTP servers, a good number of which will be misconfigured in exactly this way. Furthermore, the attacker can always set up their own SMTP server, since nothing in SMTP itself stops a server from sending mail with any From address.
The situation is serious because many business email domains do not publish any records that let receivers verify the sender. Still, there are techniques you can use to protect your domain; we’ll talk about those later.
Spoofing via lookalike domains
Suppose a domain is protected and it is not possible to spoof it directly. In that case, the attacker will most likely set up a similar domain. In this type of attack, the scammer registers and uses a domain that resembles the spoofed one, for example “@doma1n.co” instead of “@domain.co”. The change may be small enough to be missed by an inattentive reader. It is effective because, honestly, when was the last time you bothered to read the header of an email?
Using a very similar domain, which also passes spam checks because it is a legitimate mailbox on a domain the attacker controls, the attacker creates a sense of authority. That may be just enough to convince the victim to reveal a password, transfer money, or send some files. In all cases, inspecting the email metadata is the only way to confirm whether the message is genuine. However, that is sometimes plain impossible to do on the go, especially on a small smartphone screen.
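Both tricks above, a stolen display name on an unrelated address and a domain that is one character off, can be caught mechanically before a human ever reads the message. The following Python example is added here and is not part of the original article; the address book (TRUSTED_CONTACTS, TRUSTED_DOMAINS) and the sample From headers are constructed for illustration.

```python
"""Triage a From header for display-name spoofing and lookalike domains.

Added example, not from the original article. The trusted contacts/domains
and the sample headers below are constructed.
"""
from email.utils import parseaddr
import unicodedata

# Constructed address book: who the reader actually corresponds with.
TRUSTED_CONTACTS = {
    "Jeff Bezos": "jeff@amazon.com",        # constructed, not a real address
    "Customer Service": "support@domain.co",
}
TRUSTED_DOMAINS = {"amazon.com", "domain.co"}

# Digit-for-letter swaps (0->o, 1->l, 3->e, 5->s) that survive a quick glance.
_CONFUSABLE = str.maketrans("0135", "oles")


def normalize_domain(domain: str) -> str:
    """Fold Unicode and common look-alike substitutions before comparing."""
    d = unicodedata.normalize("NFKC", domain).lower()
    return d.replace("rn", "m").translate(_CONFUSABLE)   # "arnazon" -> "amazon"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion/deletion/substitution is the usual typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(header: str) -> list[str]:
    """Return the impersonation signals found in one From header value."""
    name, addr = parseaddr(header)
    name, addr = name.strip(), addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name belongs to a known contact, but the address is someone
    #    else's (the new-Gmail-account-with-the-CEO's-name trick).
    expected = TRUSTED_CONTACTS.get(name)
    if expected and addr != expected.lower():
        findings.append("display-name-spoof")

    # 2. The display name is itself an email address; clients that show only
    #    the name will present it as the sender.
    if "@" in name:
        findings.append("address-in-display-name")

    # 3. Unknown domain that collapses onto, or is one edit away from, a trusted one.
    if domain and domain not in TRUSTED_DOMAINS:
        nd = normalize_domain(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if levenshtein(nd, normalize_domain(trusted)) <= 1:
                findings.append(f"lookalike-domain:{trusted}")
                break
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for h in ["Jeff Bezos <jeffbezos1994@gmail.com>",
              "Customer Service <support@doma1n.co>",
              '"support@domain.co" <noreply@attacker.example>',
              "Customer Service <support@domain.co>"]:
        print(f"{h!r:52} -> {classify_from(h)}")
```

The normalisation step matters more than the edit distance: “doma1n.co” is zero edits from “domain.co” once 1 is folded to l, and “arnazon.com” is zero edits from “amazon.com” once “rn” is folded to “m”, so a plain string comparison would miss both. In a mail gateway the address book would come from the directory or from the user’s sent-mail history rather than a hard-coded dictionary.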
How to stop email spoofing?
The reality is that it is impossible to stop email spoofing entirely, because the Simple Mail Transfer Protocol, the basis for sending email, does not require any authentication of the sender. That is a weakness of the protocol itself. Additional countermeasures have been developed to counter spoofing; still, their success depends entirely on whether the sending domain publishes them and your email provider checks them.
More reliable email providers use additional checks:
- Sender Policy Framework (SPF), a DNS record listing the servers allowed to send mail for a domain.
- DomainKeys Identified Mail (DKIM), a cryptographic signature on the message, verified with a public key published in the domain’s DNS.
- Domain-based Message Authentication, Reporting & Conformance (DMARC), which ties SPF and DKIM to the domain in the From header and tells receivers what to do (none, quarantine or reject) when both fail.
These checks run automatically and, when the domain publishes a quarantine or reject policy, receivers discard or quarantine spoofed messages before they reach the inbox.
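To make the mechanisms concrete, here is an added example (not from the article) that models how a receiving server evaluates SPF and DMARC for one message. The DNS TXT records, the domains (domain.co, mailhost.example, attacker.example, sloppy.example) and the IP addresses are constructed; the a, mx and exists mechanisms, DKIM signature verification and the public suffix list are left out, so this illustrates the logic rather than replacing a real validator.

```python
"""Offline model of SPF evaluation and DMARC alignment.

Added example, not from the original article. DNS_TXT stands in for real
DNS lookups; every domain, record and IP in it is constructed.
"""
import ipaddress

DNS_TXT = {
    "domain.co": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.domain.co": "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@domain.co",
    "sloppy.example": "v=spf1 ip4:203.0.113.0/24 ~all",      # softfail, and no DMARC record
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",      # attacker's own, perfectly valid SPF
}
_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP (subset of RFC 7208)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                    # a, mx, exists need live DNS; skipped here
        if matched:
            return _QUALIFIER[qualifier]
    return "neutral"


def dmarc_policy(domain: str) -> dict:
    """Parse _dmarc.<domain> into a tag dict; empty dict when there is no record."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else {}


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict = identical, relaxed = same parent domain."""
    if header_from == auth_domain:
        return True
    if mode == "s":
        return False
    # Relaxed mode, simplified: no public suffix list, so "co.uk" style parents are not handled.
    return header_from.endswith("." + auth_domain) or auth_domain.endswith("." + header_from)


def dmarc_evaluate(header_from: str, envelope_from: str, ip: str,
                   dkim_domain: str = "", dkim_pass: bool = False) -> dict:
    """Combine SPF (on the SMTP envelope domain) and DKIM with the From-header domain."""
    policy = dmarc_policy(header_from)
    spf = check_spf(envelope_from, ip)
    spf_ok = spf == "pass" and aligned(header_from, envelope_from, policy.get("aspf", "r"))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(header_from, dkim_domain, policy.get("adkim", "r")))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    action = "deliver" if verdict == "pass" else disposition[policy.get("p", "none")]
    return {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict, "action": action}


if __name__ == "__main__":
    scenarios = [  # (label, From-header domain, SMTP envelope domain, connecting IP)
        ("genuine, own server",            "domain.co", "domain.co",        "203.0.113.5"),
        ("genuine, via mail host include", "domain.co", "domain.co",        "198.51.100.10"),
        ("open relay, forged envelope",    "domain.co", "domain.co",        "192.0.2.77"),
        ("attacker's own envelope domain", "domain.co", "attacker.example", "192.0.2.77"),
        ("no DMARC record, ~all SPF",      "sloppy.example", "sloppy.example", "192.0.2.77"),
    ]
    for label, hdr, env, ip in scenarios:
        print(f"{label:32} {dmarc_evaluate(hdr, env, ip)}")
```

The fourth scenario is the open-relay case from the previous section: the attacker puts their own domain in the SMTP envelope so SPF passes, but DMARC alignment ties the check to the From-header domain, so the message is still rejected. The last scenario shows the flip side: a domain with a sloppy SPF record and no DMARC record gets a softfail and is still delivered, which is why so many business domains remain spoofable.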
As an ordinary user, you can reduce your exposure to email spoofing by choosing a secure email provider and practicing good cybersecurity hygiene:
- Use disposable addresses when signing up for sites. That way, your private email address won’t end up on the lists used to send spoofed emails in bulk.
- Make sure your email password is strong and unique. That makes it harder for cybercriminals to take over your account and send misleading messages to your contacts.
- Inspect email headers, especially when someone asks you to click on a link. Fake emails crafted by skilled attackers can look identical to genuine ones, even to a long-time user.
What to do if you receive a spoofed email from your own address?
If you receive a ransom threat that appears to come from your own address, the first step is to stop and collect yourself. We have already covered how easy it is to spoof an email, and panicking plays into the attacker’s hands. What you need to do is inspect the email header and check the sending IP and the SPF, DKIM and DMARC validation results. This will clarify whether the email really came from your own account. If validation fails, the message was simply spoofed and there is nothing to worry about beyond deleting it. If the email really did originate from your own account, you should act fast and take every precaution to protect your email and identity, starting with changing your password.
Identify email spoofing
It is actually not that hard to spot email spoofing. Aside from the obvious red flags, you only need to look at the full email header. It contains all the critical components of every email: From, To, Date and Subject. In addition, there is metadata about how the email was routed to you and where it came from. It will most likely also contain the results of the checks your email provider ran to verify that the sending server was authorized to send email for that domain.
How you view this data depends on the service you are using, and it is usually only available in the desktop web interface. For Gmail, click the three vertical dots next to the reply button and select “Show original” from the dropdown. For other services, you can refer to this list.
This is an example of a spoofed email I sent myself pretending to be a billionaire. In this case, the email filter caught it and tagged it as spam, so it didn’t show up in my primary mailbox; I had to find it in the spam folder. Aside from the big yellow warning, you have to admit it looks pretty realistic.
Suppose I had picked a lower-profile domain of a lesser-known company with fewer verification records. There would still be a lot to check. If you open “Show Original”, you can see that SPF is marked SOFTFAIL and DMARC is marked FAIL. That alone is enough to call the email out as spoofed. Bear in mind that some poorly maintained domains fail validation simply because their SPF records are out of date, so a lone SPF failure deserves a little more care than a DMARC failure.
If you want to go further down the rabbit hole, at the raw header level you’ll see that the domain in the Received: from line and the domain in Received-SPF do not match, and neither do the IP addresses. That is a clear example of email spoofing. Remember, if the IP addresses don’t match and SPF validation fails, this isn’t a genuine email. It also doesn’t hurt to check whether the Return-Path matches the sender’s address.
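The same header checks can be scripted. This added Python example (not from the article) parses two constructed raw messages, one modelled on the spoofed message above and one genuine, with fictional hosts (bigcorp.example, mailprovider.example, attacker.example) and documentation-range IPs, and applies the SPF/DMARC, Received and Return-Path checks just described.

```python
"""Automate the "Show original" checks on a raw message.

Added example, not from the original article. Both messages below are
constructed; the Authentication-Results lines mimic the format a receiving
provider stamps on delivery, and all hosts and IPs are fictional.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SPOOFED = """\
Return-Path: <ceo@bigcorp.example>
Received: from mail.attacker.example (mail.attacker.example [192.0.2.77])
        by mx.mailprovider.example with ESMTP id 7f3a1c
        for <you@mailprovider.example>; Mon, 04 Mar 2024 09:12:31 +0000
Received-SPF: softfail (mailprovider.example: domain of transitioning ceo@bigcorp.example does not designate 192.0.2.77 as permitted sender) client-ip=192.0.2.77;
Authentication-Results: mx.mailprovider.example;
       spf=softfail (domain of transitioning ceo@bigcorp.example does not designate 192.0.2.77 as permitted sender) smtp.mailfrom=ceo@bigcorp.example;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=bigcorp.example
From: "CEO" <ceo@bigcorp.example>
To: you@mailprovider.example
Subject: Urgent: W-2 forms for all staff
Date: Mon, 04 Mar 2024 09:12:31 +0000

Please send me the W-2s of every employee today.
"""

GENUINE = """\
Return-Path: <ceo@bigcorp.example>
Received: from smtp-out.bigcorp.example (smtp-out.bigcorp.example [203.0.113.20])
        by mx.mailprovider.example with ESMTPS id 9b2d44
        for <you@mailprovider.example>; Mon, 04 Mar 2024 11:40:02 +0000
Received-SPF: pass (mailprovider.example: domain of ceo@bigcorp.example designates 203.0.113.20 as permitted sender) client-ip=203.0.113.20;
Authentication-Results: mx.mailprovider.example;
       dkim=pass header.i=@bigcorp.example header.s=sel2024;
       spf=pass (domain of ceo@bigcorp.example designates 203.0.113.20 as permitted sender) smtp.mailfrom=ceo@bigcorp.example;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=bigcorp.example
From: "CEO" <ceo@bigcorp.example>
To: you@mailprovider.example
Subject: Q1 all-hands
Date: Mon, 04 Mar 2024 11:40:02 +0000

Slides attached for Thursday.
"""


def _under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()

    # Authentication-Results may be folded over several lines; the parser keeps them together.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    policy = re.search(r"\bp=(\w+)", auth)

    # The topmost Received header is the hop that handed the message to your provider.
    last_hop = (msg.get_all("Received") or [""])[0]
    hop_host = re.search(r"\bfrom\s+(\S+)", last_hop)
    hop_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", last_hop)
    rspf_ip = re.search(r"client-ip=(\S+?);", msg.get("Received-SPF", ""))

    findings = []
    if results.get("spf", "none") != "pass":
        findings.append("spf=" + results.get("spf", "none"))
    if results.get("dmarc", "none") != "pass":
        findings.append("dmarc=" + results.get("dmarc", "none"))
    if rp_domain and rp_domain != from_domain:
        findings.append("return-path-domain-mismatch")
    if hop_host and not _under(hop_host.group(1).lower(), from_domain):
        findings.append("last-hop-host-not-under-from-domain")
    if hop_ip and rspf_ip and hop_ip.group(1) != rspf_ip.group(1):
        findings.append("received-ip-mismatch")

    if results.get("dmarc") == "pass":
        verdict = "authenticated"
    elif results.get("dmarc") == "fail" or results.get("spf") in ("fail", "softfail"):
        verdict = "spoofed"
    else:
        verdict = "unverified"          # no DMARC record: fall back to the manual checks
    return {"verdict": verdict, "from_domain": from_domain,
            "last_hop_ip": hop_ip.group(1) if hop_ip else None,
            "dmarc_policy": policy.group(1).lower() if policy else None,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, triage(raw))
```

The host-under-From-domain check is informational only: a company that sends through a third-party mail host will legitimately trip it, which is exactly why the authoritative signal is the dmarc= result rather than any single header. A message with no Authentication-Results at all comes back as unverified, not genuine.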
Real world examples of email spoofing
Several years ago, Seagate employees received an email posing as their CEO requesting employees’ W-2 forms. It was taken for a genuine internal business email, and, unbeknownst to the staff, their annual salary data was leaked.
Messaging giant Snapchat was also hit by email spoofing when a worker leaked colleagues’ payroll information. An unidentified employee received an email from “the CEO”; since the sender looked legitimate enough, the person complied with the request.