Most of us know fake emails when we see them—your spam folder is probably brimming with these—but it may be confusing to get an emergency message from a familiar source. Beware: These may be spoofed emails, which are messages manipulated by criminals to appear sent from a recognizable business, government office or friend.
“That’s to make them look legitimate,” said Steve Weisman, an expert in cybersecurity and founder of Scamicide.com. “The scammer alters the email address to make it appear it’s from some entity that you trust, be it a government agency like the IRS or a person you know or your bank.”
It’s a common tactic that’s usually paired with “phishing,” an email crafted to get the victim to divulge personal information or to send money. Phishing emails are a serious problem for people who fall for the trick, as thousands of these attacks are sent every day and cost victims nearly $30 million in 2017 alone, according to a report from the FBI’s Internet Crime Complaint Center.
Here’s how email spoofing works and how to avoid this type of scam.
How email spoofing works
A spoofed email relies on familiarity. It has a fake header, using the name of a person or business you know, with the idea you’ll likely open an email from a recognized source.
Technically, though, a header holds much more than the “to/from” addresses, subject line and date. One way to sleuth out whether an email is bogus is to look under the hood at the full header.
To examine the full header in Gmail, open the email (but not any links or attachments), click “More” (the icon is three vertical dots) and click “Show original.” In Yahoo! Mail, open the email, click “More actions” (shown with three horizontal dots) and click “View raw message.”
Two pieces to look for:
- The “from” field is displayed to the email recipient and contains a name and email address.
- The “mailed by” section contains the email address where replies are delivered. This is sometimes referred to as the “return path address,” “envelope from address” or “bounce address.”
Scammers can alter the “From” field of an email to disguise the sender and gain your trust.
Here’s a screenshot from a phishing email, which was altered to appear like it came from Fidelity Life Insurance. However, the “from” field reveals it was sent by an obscure address (not Fidelitylife.com, as you would expect):
Spoofing software scammers use
While email addresses can be spoofed manually, the vast majority of scammers use software.
For example, scammers may use “ratware,” which is a type of software program that generates and sends spam emails in bulk. These programs use built-in word lists to create thousands of email addresses and spoof the source address. Or, the fraudster may illegally purchase real email addresses from data leaks. Using the ratware and the email list, they blast the message to thousands of targets.
The spoofer may also use mass-mailing worms, which act like a virus. Once the worm is on your computer, it goes through your email address book and sends spam messages to your entire contact list, each made to look like it came from a contact in that address book.
Signs an email has been spoofed
Here’s how to spot a spoofed email:
- Look for spelling errors. That goes for the email message along with the sender’s email address. “The email address might look like it’s from Apple, but instead of an ‘l’ they might use an ‘I,’” Weisman said. “Someone who’s not looking carefully might not notice it.”
- Check the logo. If a fraudster is trying to pass off an email from Netflix, for example, they may use a logo that doesn’t exactly match the real company’s image.
- Double check email addresses and links. When you move your cursor over the text of an email address or link, a pop-up should appear, indicating the name and email address of the sender. If that pop-up text doesn’t match the text of the email, it may be a spoofed email. You can hover your cursor over links, too, to make sure the text of the link matches the URL.
- Trust your spam filters. Email providers have created powerful algorithms designed to detect, filter and block emails sent from abnormal or faulty addresses. So if a message lands in your spam folder, it’s probably spam. If it looks like a legitimate email has landed in your spam folder, check it carefully. Most email providers let you mark these as “not spam” for future messages.
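The two header checks described above, comparing the “from” address with the “mailed by” (Return-Path) address and catching a capital “I” standing in for a lowercase “l”, as an added Python example that is not code from the original article; the two raw messages, their domains and the `expected_domain` value are all constructed for illustration.

```python
"""Flag spoofing signs in a raw email: From/Return-Path mismatch and look-alike domains."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): the display name says Fidelity Life,
# the address domain swaps a capital "I" for the "l", and the Return-Path
# ("mailed by" / bounce address) points at an unrelated domain.
SPOOFED = b"""\
Return-Path: <bounce-8831@mail.promo-sender.example>
From: "Fidelity Life Insurance" <service@fideIitylife.example>
To: you@example.org
Subject: Urgent: your policy payment failed

Please confirm your payment information today.
"""

# Constructed legitimate message for comparison: both domains agree.
LEGIT = b"""\
Return-Path: <bounces@fidelitylife.example>
From: "Fidelity Life Insurance" <service@fidelitylife.example>
To: you@example.org
Subject: Your annual statement is ready

Your statement is available in your account.
"""

# Characters commonly swapped in so an address passes a quick glance.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

def domain_of(header_value):
    """Return the domain part of the address in a From or Return-Path header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2]

def normalize(domain):
    """Fold look-alikes before lower-casing, so 'fideIitylife' matches 'fidelitylife'."""
    return domain.translate(HOMOGLYPHS).lower()

def check_sender(raw_message, expected_domain):
    """Return a list of warnings; an empty list means no red flags were found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    bounce_domain = domain_of(str(msg["Return-Path"] or ""))
    warnings = []
    if bounce_domain and bounce_domain.lower() != from_domain.lower():
        warnings.append(f"From domain {from_domain} differs from Return-Path domain {bounce_domain}")
    if from_domain.lower() != expected_domain.lower() and normalize(from_domain) == normalize(expected_domain):
        warnings.append(f"From domain {from_domain} is a look-alike of {expected_domain}")
    return warnings
```

Run `check_sender(SPOOFED, "fidelitylife.example")` to see both warnings; the same call on `LEGIT` returns an empty list.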
How to catch a phishing attempt:
- Look for urgent language. The email may say there’s a problem with your account, such as an expired log-in, suspicious account activity or missing payment information.
- Check for (and don’t open) attachments. These may be marked as an invoice or coupon for free stuff—which could be loaded with malware.
- Consider whether the offer is too good to be true. The message may say you’re eligible for a prize, government refund or other type of free product. Chances are, it’s fake.
- Be skeptical of requests. If the message beckons you to click on a link, confirm personal information or unsubscribe from a list, simply don’t.
If you’re unsure whether a message in your inbox is the real deal, contact the organization using an email address or phone number you’ve found on its official website or social media pages.
How to stop email spoofing
Your first line of defense is your own skepticism.
“Be very very careful when anyone calls, texts or emails you if they’re asking for money or personal information or asking you to click on a link,” Weisman said. “You’ve got to initially be skeptical.”
If you get an email from someone you’re unsure about, you can run a reverse email lookup to verify the sender is legitimate. If you don’t get the right results, the email address may well have been fabricated to dupe you. If you believe your email account has been compromised, immediately run a full system virus scan and reset your email password. This will lock out a third party from your email account. You should also report any fraud to the Internet Crime Complaint Center (IC3).
To head off phishing attempts, pay attention to the information you share on social media. Although young people are more savvy about spotting the signs of scams, they’re more likely to become victims of fraud because they tend to share the most on social media, Weisman said. When you post messages about your hometown, favorite band, vacation spots and hobbies, scammers may be able to view that info and use it in a targeted phishing email.
“Often, we’re our own worst enemies,” Weisman said. “We put so much information out there on social media and other places that the scammers can harvest this info.”
However, by learning to spot the signs of spoofing, you can avoid falling victim to the scams.