Email Spoofing: What It Is and How To Protect Yourself From It

Don't get tricked by scammers pretending to be friends and family

Person in disguise grabbing an envelope off a computer screen

Lifewire / Theresa Chiechi

Email spoofing is a common online scam. Here's what you need to know about it, and how to protect yourself and your data.

What Is Email Spoofing?

Email spoofing is when someone sends an email with a forged sender address. Typically, the sender’s name or email address and the body of the message are changed to mimic a legitimate source such as a bank, newspaper, or company. They can also mimic messages from friends and family. By pretending to be someone the victim trusts, the scammer directs their victim to a fake website that collects their personal information (a process known as phishing).

How Does Email Spoofing Work?

Scammers alter different sections of an email to disguise the true sender, including the following properties:

  • FROM: Name and email address
  • REPLY-TO: Name and email address
  • RETURN-PATH: Email address
  • SOURCE IP: IP address

The first three properties can be easily altered using settings in Microsoft Outlook, Gmail, or other email software. The IP address can also be altered, but doing so requires more sophisticated technical knowledge.

Spoofed emails that harvest personal information contain a link to a website. The message may look legitimate and may carry the logo of a company the victim does business with, so the victim may not think twice about clicking. But the link leads to the scammer's website. The victim is asked to enter their username and password, then receives a message saying the website is down. Meanwhile, the scammer has collected the victim's login information for the real site and is busy taking money out of the victim's bank account.

Another scenario involves scammers who run illegitimate businesses. Their email messages get flagged as spam before anyone can read them, so they spoof the email address to make it look like the messages are from a legitimate entity. The emails may appear to be from an ordinary person, a real company, or a government agency. The purpose of this scam is to get recipients to open the messages and read the spam advertising inside.

How Do Email Spoofing Scammers Find Victims?

Many scammers use malware to find email addresses they can target. The malware locates the victim's address book and harvests the addresses in it. Then, from the victim's computer, the malware sends an infected email to those contacts, spreading the scam to more and more potential victims. Scammers can also use those harvested addresses as the forged senders in their spoofed messages.

How Do I Avoid Getting Involved In This Scam?

You can avoid falling victim to spoofed emails in a number of ways:

  • Turn on your email program's spam filters, and use features like Priority Inbox.
  • Never click unfamiliar links and don't download unfamiliar attachments.
  • Check the email for errors. Messages that masquerade as official correspondence from banks and other institutions usually give themselves away with bad spelling and grammar, or with an email address that's slightly off.
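The checks above can be automated. The example below, added here and not part of the original article, reads the FROM, REPLY-TO and RETURN-PATH headers described earlier, flags any that point to a different domain than the visible sender, and flags domains that are "slightly off" from a trusted one by digit-for-letter swaps (a 1 for an l, a 0 for an o). The two messages and the domain example-bank.com are constructed for the demonstration; the source IP is not checked, since that needs the Received: headers a mail server adds.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From: matches the bank, but Reply-To:
# and Return-Path: point at a lookalike domain (digit 1 in place of l).
SAMPLE_SPOOFED = """\
Return-Path: <bounce@examp1e-bank.com>
From: "Example Bank" <alerts@example-bank.com>
Reply-To: "Example Bank" <support@examp1e-bank.com>
To: victim@example.org
Subject: Your account has been locked

Please log in at the link below to restore access.
"""

# Constructed sample: all sender-related headers agree.
SAMPLE_LEGIT = """\
Return-Path: <alerts@example-bank.com>
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement

Your statement is ready.
"""

# Digits commonly substituted for the letters they resemble.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def domain_of(header_value):
    """Return the lower-cased domain from an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def is_lookalike(candidate, trusted):
    """True if candidate differs from trusted only by digit-for-letter swaps."""
    return candidate != trusted and candidate.translate(LOOKALIKE_MAP) == trusted

def spoof_indicators(raw_message, trusted_domain):
    """Return plain-language warnings for headers that disagree with From:."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    warnings = []
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            warnings.append(f"{header} domain {dom!r} does not match From domain {from_dom!r}")
        if dom and is_lookalike(dom, trusted_domain):
            warnings.append(f"{header} domain {dom!r} is a lookalike of {trusted_domain!r}")
    if is_lookalike(from_dom, trusted_domain):
        warnings.append(f"From domain {from_dom!r} is a lookalike of {trusted_domain!r}")
    return warnings
```

Running `spoof_indicators(SAMPLE_SPOOFED, "example-bank.com")` yields four warnings, while the legitimate sample yields none.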

I’m Already a Victim. What Should I Do?

If you think you've fallen for a spoofed email, there are a number of steps you can take to safeguard your accounts and your personal information:

  • Run anti-virus and anti-malware programs to clean any infections on your computer.
  • Change your passwords.
  • Contact your bank or credit card company and explain the situation. They will likely issue you new cards.
  • Check your accounts regularly for any strange charges.
  • Notify your friends and family so they can be on guard as well.

How Do I Avoid Being Targeted With Spoofed Emails?

As with any con game, your best defense is skepticism. If you don’t believe an email is truthful or the sender is legitimate, delete it immediately. Don’t click the link or enter your login information. If there's a file attachment, don’t open it. If an emailed offer seems too good to be true, it probably is. Keep your anti-virus and anti-malware software updated. Finally, study examples of phishing and spoof email scams to train your eye to distrust these messages.