This article shows you how to spot fake emails that have been spoofed to look like they’re coming from a legitimate company.
I’ll use specific examples of spoof emails that pretend they are from PayPal or marketplaces like Amazon and eBay.
If you’re using these sites for transactions, you should understand what spoof emails are and how to spot them.
Table of Contents
What Is Email Spoofing?
Email spoofing is the manipulation of the sender address details within an email to make it look like it’s coming from a different domain. Although this can be for legitimate purposes, it is also a common spam and scam technique used by fraudsters.
The scam is to fool recipients about the sender.
You may receive emails that purport to be from admin@WellKnownBank.com.
Another common target is people who use PayPal for buying and selling on online marketplaces such as eBay. If you do so, you should check out our in-depth article on fake PayPal notifications.
Email Spoofing Is Unfortunately Easy
You may think that it takes ninja hacker skills to send spoof emails. This is far from the case.
Unfortunately, many websites provide a cheap service to send spoofed emails. This allows users to send emails that look as if they’re coming from PayPal or eBay or other legitimate companies.
Users simply provide the fake sender email, the target to receive the email, and the message content.
If you search for “free online email spoofer”, you’ll see what I mean. There are a lot of services in this space.
But I don’t advise that you check any of them out too closely. These are dodgy sites and may have hidden extras such as viruses.
How Does Email Spoofing Work?
These websites are based on the same technology and methods to spoof emails. They start with an email server. This is also called an SMTP server.
Some of the even dodgier sites will hack a legitimate SMTP server and use it to send out their messages. However, this isn’t necessary nowadays.
People can pay about $20 per month to a hosting provider and install SMTP mailing software away from prying eyes. This takes about an hour to install and configure.
The spoofers have to choose the right SMTP software for their task. Their problem is that some mailing programs will only use the domain name on the hosting site. That’s tricky when the domain name is something like “OutToGetYou.ru”.
However, some software programs don’t put restrictions on the “FROM” address at all. Our Russian website example can easily stick in president@whitehouse.gov.
Don’t assume that these software programs are only used for nefarious purposes. There are several legitimate reasons for companies to edit the FROM address. Let’s take a look at that next.
Legitimate Reasons For Spoofing Email Addresses
It’s a common business practice to have different email addresses based on the purpose of the message.
Companies may not want to have every email arriving from service@legitcompany.org.
They may send answers to customer queries from helpdesk@legitcompany.org, while information on returned goods comes from returns@legitcompany.org.
The actual email accounts probably don’t exist. When the customers reply to emails from these different addresses, the incoming software reroutes them to the right destination.
This means that these legitimate companies are faking email addresses within their domain. But clearly, they are not trying to fool or misinform their customers.
Of course, the examples above use the domain owned by a legitimate company.
But shouldn’t they be stopped from sending emails spoofed as @whitehouse.gov or @paypal.com? Shouldn’t the hosting provider put measures in place to monitor and stop this activity?
Multiple domains using the same mail server
It wouldn’t be difficult. The hosting providers monitor all network traffic sent from the servers that they host.
They know which domain is sending out the email, and they can see the sender details in the mail headers. All they’d have to do is stop any that don’t match up.
But they don’t do this for other good business reasons. Let’s say that LargeLegitimateCompany has a subsidiary called SmallLegitimateCompany. Both companies share the same SMTP server.
If we followed the logic of the hosting provider blocking messages that don’t match the domain, then the emails from one of the companies would go down the tube.
Is there no solution for proper monitoring and spoof prevention? Yes, there is. It’s called SPF. I’ll tell you what that stands for in the next section.
Using SPF To Prevent Spoofing
The principle of SPF is that website owners can specify other domains to be part of a family. Every domain in the family is allowed to use the same SMTP server.
The website owners register the list of senders (other domains) who are permitted to send emails from the mail server associated with their main domain.
This means that the hosting provider can compare outgoing email headers to this list. If they don’t match, they can stop the email from going out.
And the protection doesn’t just stop there. It’s also possible on the other side i.e. the receiving side.
The receiving mail software can ping a request to the sending domain to check that the address details are on the list. If the details don’t match, the software can send the email to the junk folder.
A Brief History Of SPF
This strategy of SPF was first documented in 2003 by Wong Meng Weng in Singapore. He called it Sender Permitted From.
Other technologists worked on the framework. For whatever reason, the official label was renamed as Sender Policy Framework. Happily, that still meant the acronym was SPF!
The goal of Weng and his colleagues was to fight the rising tide of spam on the internet. They mightn’t have got anywhere if it wasn’t for the fact that Bill Gates had directed Microsoft to work on a counter-measure to email spam as well.
Microsoft is never shy from borrowing the work of others (and they fully credited it in this instance). The silicon giant added SPF to their mailing software in 2005.
So, why are we still receiving spoof emails now? Let’s explore that next.
Using Email Headers To Validate Who The Email Is From
To understand spoof emails, we need to take a closer look at what’s known as email headers.
The top of every email has a standard list of information. Here’s a typical notification from PayPal.
My email software is only showing a subset of the information. To understand spoofing, we should examine the full header.
How to do so will depend on your email software. It could be something like “View Message Source” or “View Full Header”.
Here’s a typical header of an email from Amazon. I’ve removed some pieces to make them easier to digest. And the parts in bold are what’s important.
Received: from DK5EUR07HT234.eop-EUR07.prod.protection.outlook.com
smtp.mailfrom=bounces.amazon.com; hotmail.com;
dkim=pass (signature was verified)
Received-SPF: Pass (protection.outlook.com: domain of bounces.amazon.com designates 57.240.12.173 as permitted sender)
Date: Wed, 31 Oct 2021 10:07:28 +0000
From: “Amazon.com” <store-news@amazon.com>
To: redacted
Did you notice that there are actually two different sender addresses in the header? The first is the MailFrom address. The second is the “From” address.
You usually see the “From” address in your email client. They tend not to show the MailFrom details.
It’s important to understand that SPF only checks the “MailFrom” address. As I mentioned in a previous section, legitimate senders often change the From address displayed by email clients.
The example above shows that the receiver checked the SPF record. The receiving software checked the I.P address of the incoming domain against the list of permitted senders:
“the domain of bounces.amazon.com designates 57.240.12.173 as permitted sender”
All this checking is great. So, why am I still getting spam? The reason is that SPF hasn’t been universally accepted.
SPF Isn’t Used By Many Companies
Let’s take a look at a legitimate email that arrived in my inbox.
This one is sent by a company called Advance Photography (I’ve slightly altered the company name and domain).
Received: from DK5EUR07HT234.eop-EUR07.prod.protection.outlook.com
smtp.mailfrom=advancephotography.com; hotmail.com;
dkim=none (message not signed)
Received-SPF: None (protection.outlook.com: advancephotography.com does not designate permitted sender hosts)
Date: Wed, 11 Oct 2021 18:25:49 +0000
From: Ben <ben@advancephotography.com>
To: redacted
The receiving software sees that the domain is advancephotography.com. Now the software sends a request for the SPF record that lists the other domains that can send emails from the mail server.
However, this company doesn’t use SPF records. You’ll see that note in the header (“advancephotography.com does not designate permitted sender hosts”).
I’m using Outlook as my email client, and it’s a Microsoft product. I mentioned that Microsoft added SPF validation to their software way back in 2005.
The mailing software puts a note into the header to report a lack of information. But they certainly don’t stop the email from being delivered. And in this case, it wasn’t marked as spam (which was correct).
Why most mailing software doesn’t enforce SPF
The problem is that the attempts by various international consortiums to push SPF as a universal protocol have failed.
If Microsoft or any other company changed the mailing software to reject emails without SPF validation, a vast number of legitimate emails would not get through to the recipients.
So, they allow domains that don’t have SPF records to get through.
The scammers know this and will set up their domains and mail servers to avoid having SPF records.
Manual check
It’s still useful to have the knowledge to do a manual check yourself.
Open the email header and look first to see if validation has taken place.
If their SPF records are missing, then you can take a closer look at the From address and the MailFrom address to see if they match.
If you’re doing a visual check by squinting at the screen, then there’s one more trick that you need to know about.
Spoofing Emails With Homoglyphs (Words That Look The Same)
A homoglyph is a word that looks the same as another but is slightly different.
Some examples? Here’s two:
- Amazon.com and Amazom.com (m has replaced n in the latter name).
- PayPal.com and PayPa1.com (there’s a figure 1 in the latter name).
A scammer may register PayPa1.com as the domain and send emails with the From address manipulated to represent the giant payment processor.
Let’s say you’re visually inspecting the MailFrom and the From address. It’s not always easy to see the tiny difference in one character. This is particularly a problem with long names.
