What Is Email Spoofing? How Does Spoofing Work?

Don't Fall for an Email Con


The word “spoof” means “falsify.” A spoofed email is one in which the sender purposely alters parts of the email to look as though it was written by someone else. Typically, the sender’s name or email address and the body of the message are formatted to appear as though they are from a legitimate source such as a bank, a newspaper, or a legitimate company on the web. Sometimes, the spoofer makes the email appear to come from a private citizen.

In many cases, the spoofed email is part of a phishing attack—a con. In other cases, a spoofed email is used to dishonestly market an online service or sell you a bogus product.

Why Would Someone Fraudulently Spoof an Email?

There are a couple of reasons people spoof the emails you receive:

  • The spoofer is trying to phish your passwords and login names. Phishing occurs when the dishonest sender tries to lure you into trusting the email. A false (spoofed) website may be waiting off to the side, cleverly disguised to appear to be a legitimate online bank website or paid web service such as eBay. Far too often, victims unwittingly believe the spoofed email and click through to the false website. Trusting the spoofed website, victims enter their password and login identity, only to receive a false error message that the website is unavailable. During all of this, the dishonest spoofer captures the victim’s confidential info and uses it to withdraw the victim’s funds or perform dishonest transactions for monetary gain.
  • The email spoofer is a spammer trying to hide his true identity while still filling your mailbox with advertising. Using mass-mailing software called ratware, spammers alter the source email address to appear to be from an innocent citizen, a legitimate company, or a government entity. The purpose, like phishing, is to get people to trust the email enough so that they open it and read the spam advertising inside.

How Is Email Spoofed?

Dishonest users alter different sections of an email to disguise the true sender. Examples of properties that can be spoofed include:

  • FROM name/address
  • REPLY-TO name/address
  • RETURN-PATH address
  • SOURCE IP address

The first three properties can be easily altered by using settings in Microsoft Outlook, Gmail, Hotmail, or other email software. The fourth property, the IP address, can also be altered, but doing so requires sophisticated user knowledge to make a false IP address convincing.

Is Email Spoofed Manually by Dishonest People?

While some spoof-altered emails are falsified by hand, the great majority of spoofed emails are created by special software. The use of mass-mailing ratware programs is widespread among spammers. Ratware programs sometimes run massive built-in word lists to create thousands of target email addresses, spoof a source email, and then blast the spoof email to those targets. Other times, ratware programs take illegally acquired lists of email addresses and then send spam to them.

Beyond ratware programs, mass-mailing worms also abound. Worms are self-replicating programs that act as a type of virus. Once on your computer, a mass-mailing worm reads your email address book. Then the worm falsifies an outbound message that appears to be sent from a name in your address book and proceeds to send that message to your entire list of friends. This not only offends the dozens of recipients but tarnishes the reputation of an innocent friend of yours.

How Do I Recognize and Defend Against Spoof Emails?

As with any con game in life, your best defense is skepticism. If you don't believe that an email is truthful or that the sender is legitimate, don't click on the link and type in your email address. If there is a file attachment, don't open it lest it contain a virus payload. If the email seems too good to be true, then it probably is, and your skepticism will save you from divulging your banking information.

Study examples of phishing and spoof email scams to train your eye to distrust these kinds of emails.
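The header properties listed under "How Is Email Spoofed?" can also be checked mechanically, which is the practical form of the skepticism this section recommends. The following Python script is an added example and is not code from the original article: it parses two constructed messages (one consistent, one spoofed) with the standard library and reports when the FROM, REPLY-TO and RETURN-PATH domains disagree, or when the receiving server's Authentication-Results header records a failed SPF, DKIM or DMARC check on the source IP and signature. Every address, domain and header value in it is constructed, and it assumes the Authentication-Results header was added by your own mail server rather than by the sender.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): the display name claims to be a bank,
# but REPLY-TO and RETURN-PATH point at unrelated domains and SPF failed.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mx.example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Example Bank Security" <security@bank.example.com>
Reply-To: <support@bank-example-login.example.net>
To: <victim@example.org>
Subject: Urgent: verify your account

Please confirm your details at the link below.
"""

# Constructed sample: all three sender properties agree and authentication passed.
LEGITIMATE_MESSAGE = """\
Return-Path: <bounces@bank.example.com>
Received: from out.bank.example.com (out.bank.example.com [192.0.2.20]) by mx.example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com; dkim=pass header.d=bank.example.com; dmarc=pass
From: "Example Bank" <statements@bank.example.com>
Reply-To: <statements@bank.example.com>
To: <customer@example.org>
Subject: Your monthly statement is ready

Your statement is attached.
"""


def domain_of(header_value) -> str:
    """Return the lowercase domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoofing_warnings(raw_message: str) -> list:
    """Return human-readable warnings for sender properties that do not agree.

    An empty list means the visible sender, the reply address and the bounce
    address share one domain and the receiving server recorded no failed
    SPF/DKIM/DMARC check. A non-empty list is a reason for the skepticism the
    article recommends, not proof of spoofing: mailing-list and marketing
    services legitimately use a separate bounce domain.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return_domain = domain_of(msg.get("Return-Path"))

    warnings = []
    if not from_domain:
        warnings.append("From header is missing or has no address")
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if return_domain and return_domain != from_domain:
        warnings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")

    # Authentication-Results is written by the receiving server, so it is only
    # trustworthy when that server is your own (the name before the ';' should be
    # your server). It summarises the SPF/DKIM/DMARC checks on the source IP and
    # signature, which cannot be altered from a mail client's settings.
    auth = str(msg.get("Authentication-Results") or "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth:
            warnings.append(f"{mechanism.upper()} check failed at the receiving server")
        elif f"{mechanism}=none" in auth:
            warnings.append(f"no {mechanism.upper()} result was recorded")
    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(f"{label}: {spoofing_warnings(raw) or ['no warnings']}")
```

To try it on a real message, use your mail client's "show original" or "view source" option, save the text, and pass it to spoofing_warnings(). Note that a matching set of domains is not a guarantee of legitimacy either: a spoofer can set all three headers to the same forged value, which is exactly why the SPF/DKIM/DMARC results from your own receiving server carry more weight than the visible headers.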