Spoofing - Who Did That Email Really Come From?
What is Spoofing?
Spoofing, particularly "email spoofing", is a relatively new term used to
describe fraudulent emails in which the sender's address and other parts of the
email header are altered to appear as though the email originated from a
different source. For example, you might receive an email that appears to have
been sent from a well-known company (like Microsoft), a government agency or even Consumer
Fraud Reporting. In reality, none of those organizations would be likely to send
any unsolicited email (email you didn't sign up for and expect to receive). In short, a spoofed email is
a counterfeit email that uses a stolen email address without the real address
owner's knowledge or permission.
Spoofing is a technique commonly used by spammers, and by scammers running phishing
campaigns, to hide the real origin of an email message. By changing certain properties of
the email, such as the "From", "Return-Path" and "Reply-To" fields (which are
found in the message header), these criminals can make the email appear to be
from someone other than the actual sender. And unfortunately, there is nothing
that can be done about it at present, any more than there is anything to stop
someone from writing a false return address on a postal letter and dropping it
in a mailbox.
It is often associated with website spoofing: websites that mimic an actual,
well-known website but are run by another party, either with fraudulent
intentions or as a means of criticizing the organization's activities. The
result is that, although the email appears to come from the address indicated in
the "From" field (found in the email headers), it actually comes from another
email address, probably the same one indicated in the "Reply-To" field; if the
initial email is replied to, the reply will be delivered to the "Reply-To" address,
that is, to the spammer's email.
Typically, scammers use phishing and spoofing to get personal information
from you in order to steal your identity and then your money, passwords to
accounts or benefits.
Pretending to be from a legitimate retailer, bank, or government agency, the
sender asks to “confirm” your personal information for some made-up reason: your
account is about to be closed, an order for something has been placed in your
name, or your information has been lost because of a computer problem.
The most common use is to send an email appearing to be from a bank asking you to go to its site (with
the link provided) to reenter your most personal information. The link takes you
to a bogus website! Another
tactic phishers use is to say they’re from the fraud departments of well-known
companies and ask to verify your information because they suspect you may be a
victim of identity theft! In one case, a phisher claimed to be from a state
lottery commission and requested people’s banking information to deposit their
“winnings” in their accounts.
How does it work?
If you're not a programmer, your only familiarity with email may be as a user
of an "email client", like Microsoft Outlook. These programs hide the inner
workings from you, so when you send an email, it automatically puts your real
return address in the "sender" field. But any programmer familiar with internet
protocols can easily manipulate these "email headers" and construct an email
manually. That allows them to insert whatever address they want in the
sender field, such as JoeBlow@FBI.gov and
it will look as real as any email to the recipient. This technique is now commonly used by
mass-mailing worms as a means of concealing the true origin of the
Unfortunately, it is easy to spoof email because SMTP (the Simple Mail
Transfer Protocol, the most commonly used technology behind all email)
lacks authentication. A common misconception is that the "IP address" can
also be spoofed, to hide your IP address while surfing the Internet, chatting
on-line, sending e-mail, etc. That is (generally) not true. Spoofing the sender
address works for emails for which no reply is needed or wanted - but then there will
inevitably be links in the email for you to buy their products, and those links
must be real (although they may point to hijacked computers, with the owners
unaware of the activity).
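As an added illustration of the cheap check a recipient or mail administrator can make on the headers named above (example code written for this page, not from the original article), the following Python parses two constructed messages and reports where the "Reply-To" or "Return-Path" domain disagrees with the "From" domain:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first shows the pattern the
# article describes: a trusted-looking From, but Reply-To and Return-Path
# pointing elsewhere, so replies and bounces reach the real sender's mailbox.
SPOOFED = """Return-Path: <bounce@mailer.example.net>
From: "Your Bank" <alerts@bank.example>
Reply-To: <collect@reply.example.org>
To: <victim@example.com>
Subject: Confirm your account

Please confirm your details at the link below.
"""

CONSISTENT = """Return-Path: <alerts@bank.example>
From: "Your Bank" <alerts@bank.example>
To: <customer@example.com>
Subject: Your monthly statement

Your statement is ready.
"""


def address_domain(header_value):
    """Lowercase domain of the address in a header value, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def header_mismatches(raw_message):
    """List the findings where Reply-To or Return-Path disagrees with From.

    A mismatch is a warning sign, not proof: mailing lists and bulk senders
    legitimately use a separate bounce address. No mismatch is not proof of
    legitimacy either, since the sender controls all three headers.
    """
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    findings = []
    for header in ("Reply-To", "Return-Path"):
        other = address_domain(msg.get(header))
        if other is not None and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(name, header_mismatches(raw) or "no header mismatches")
```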
How do the spoofers/scammers get the email addresses?
There are many ways:
- Scammers write programs that gather (or "harvest") email addresses
from websites, forums, discussion boards, blogs, anything published on
the internet. If you have ever written an email to a forum or other online
board that published your address on the page, then odds are good that a
scammer is sending out email that appears to come from you, right now.
- Worms and viruses collect email addresses from the address books on
home computers that they infect.
On infection, worms such as
will often perform searches for email addresses within the address
book of a mail client, and use those addresses in the From field of
emails that they send, so that these emails appear to have been sent by the
third party. For example:
- User1 receives an infected email and opens it,
- The worm finds the addresses of User2 and User3 within
the address book of User1,
- From the computer of User1, the worm sends an infected email
to User2, but the email appears to have been sent from User3.
- This can be a particular problem in corporations, where
content filtering gateways are in place. These gateways are often
configured with default rules that send reply notices for messages that get
blocked, so the example is often followed by:
- User2 doesn't receive the message, but instead gets a notice
telling him that a virus sent to him has been blocked. User3
receives a notice telling him that a virus sent by him has been
blocked. This creates confusion for both User2 and User3,
while User1 remains unaware of the actual infection.
Newer versions of these worms randomize all
or part of the email address. A worm can use various methods to achieve this:
- Random letter generation
- Built-in wordlists
- Amalgamating addresses found in address books, for example:
- User1 triggers an email address spoofing worm, and the worm
finds the addresses firstname.lastname@example.org, email@example.com and firstname.lastname@example.org within the user's Outlook address book
- The worm sends an infected message to email@example.com, but the
email appears to have been sent from firstname.lastname@example.org.
These random word generators are why you often see emails in your inbox with
gibberish sentences followed by an ad or link for Viagra, Cialis, or other
medications and products.
Extent of the problem
Group reports that, from May, 2005, over
1.8m consumers have been conned by phishing attacks into revealing
sensitive information. The majority of that was in 2004 to present.
Spoofing emails have increased by 4000% in the past 6 months. The average
consumer victim loses $1200 when his bank account is taken over.
The United States Treasury even has a
- Spoofing almost always involves sending out fake email messages that
either contain advertisements, links to websites selling products (usually
"male enhancement" drugs) or ask the recipients to enter personal financial
information, such as bank account numbers, credit card numbers, passport
numbers, etc. into forms on Web sites that are designed to resemble the bank,
credit card, or other company who they are claiming to be.
- Spoofing can also happen by phone. You may get a
call from someone pretending to be from a company or government agency,
making the same kinds of false claims and asking for your personal
There are a number of examples of Spoofing emails to look at on this page.
What Can You Do to Protect Yourself from Spoofing?
- First, DON'T click on the link in an email that asks for your personal
information. It will take you to a phony Web site that looks just
like the Web site of the real company or agency. Following the
instructions, you enter your personal information on the Web site – and
into the hands of identity thieves. To check whether the message is
really from the company or agency, call it directly or go to its Web
site. If you don’t have the telephone number, get it from the phone
book, the Internet, or directory assistance. Use a search engine to find
the official Web site. Banks wouldn't ask for your mother's maiden name.
Also, look for misspellings in the bogus email. If you get an email that
warns you, with little or no notice, that an account of yours will be shut
down unless you reconfirm your billing information, do not reply or click on
the link in the email. Instead, contact the company cited in the email using
a telephone number or Web site address you know to be genuine.
- If someone contacts you and says you’ve been a victim
of fraud, verify the person’s identity before you provide any personal
information. Legitimate credit card issuers and other companies may
contact you if there is an unusual pattern indicating that someone else
might be using one of your accounts. But usually they only ask if you
made particular transactions; they don’t request your account number or
other personal information. Law enforcement agencies might also contact
you if you’ve been the victim of fraud. To be on the safe side, ask for
the person’s name, the name of the agency or company, the telephone
number, and the address. Then get the main number (see tip above) and
call to find out if the person is legitimate.
- Check out the list of recent
Spoofing attacks and the information about
- Look at these examples of Spoofing emails to become familiar with what they look like.
- Job seekers should also be careful. Some phishers
target people who list themselves on job search sites. Pretending to be
potential employers, they ask for your social security number and other
personal information. Follow the advice above and verify the person’s
identity before providing any personal information.
- Be suspicious if someone contacts you unexpectedly and
asks for your personal information. It’s hard to tell whether
something is legitimate by looking at an email or a Web site, or talking
to someone on the phone. But if you’re contacted out of the blue and
asked for your personal information, it’s a warning sign that something
is “phishy.” Legitimate companies and agencies don’t operate that way.
- Act immediately if you’ve been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify
the companies with whom you have the accounts right away. For
information about how to put a “fraud alert” on your files at the credit
reporting bureaus and other advice for ID theft victims, contact the
Federal Trade Commission’s ID Theft Clearinghouse,
www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number
- Avoid emailing personal and financial information. Before
submitting financial information through a Web site, look for the "lock"
icon on the browser's status bar. It signals that your information is secure
- Review credit card and bank account statements as soon as you
receive them to determine whether there are any unauthorized charges. If
your statement is late by more than a couple of days, call your credit card
company or bank to confirm your billing address and account balances.
- Even if you didn’t get hooked, report Spoofing. Tell the company or agency that the phisher was impersonating.
Send the actual spam to
email@example.com. You can
also report the problem to law enforcement agencies through the National
Fraud Information Center/Internet Fraud Watch,
www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you
provide helps to stop identity theft.
If you need advice about an Internet or online
solicitation, or you want to report a possible scam, use the
Reporting Form or call the NFIC hotline at 1-800-876-7060.
To report to the organization impersonated in the email you received, write
directly to the company or organization. Here are the real websites, email
addresses and phone numbers of some of the more common targets of spoofing /
For More Information About Phishing, See: