• Your IP: (VA, United States)
  • Your ISP: Amazon.com
  • Your Status: Unprotected
  • Get Protected

August 29, 2019

Everything You Need to Know About Email Spoofing

Posted by

Most email services have excellent spam filters. Even if a few spam emails slip through the cracks, we’ve gotten pretty good at recognizing them. If the subject line says “CLICK THIS LINK TO CLAIM YOUR LOTTERY WINNINGS,” chances are, you would delete it immediately because you know it’s fake. But what if you get an email allegedly from your bank telling you there’s a problem with your account? Even though it looks real, it could be an example of spoofing. Spoofing is a trick designed to convince you to send sensitive information to those who would misuse it. To avoid falling into that trap, here’s everything you need to know about email spoofing and protecting yourself against it:

  • What is spoofing?
  • Why do people do it?
  • How is email spoofing done?
  • How do I protect myself against it?

What is Spoofing?

Spoofing happens when internet users forge the header/originating address of emails. This makes it look like that message originated from a different source. The emails may look like they’ve come from a legitimate business such as a popular online store, or a banking institution. They may also look like they come from people you know personally like friends or coworkers. By allegedly originating from a trustworthy source, these messages have a higher likelihood of being opened than other spam emails.

Why do People do it?

There are a few reasons people use email spoofing, but they normally boil down to two purposes: phishing, and spam. Phishing is when someone online is trying to obtain sensitive information from you. Phishing emails are most likely to ask you to input some sort of data within the email itself. For example, a phishing message that appears to be from your bank may request that you sign in to your account to address a problem, right from the email itself (or through a link provided in the email). If you do, the person on the other side of the message might see your username and password. They can then access your account in future.

Another possible phishing message can appear to be from your boss or a coworker asking for system access credentials. If you respond with the information, then the security of your company (and your job, for that matter) becomes compromised.

The other main reason for email spoofing is spam. Because these messages look more trustworthy when compared to other types of spam, they’re more likely to be clicked. If you’re lucky, the inside of the email will just be apparent spam that you will recognize and delete. However, many of these emails contain links that, if clicked, can download malware onto your device.

Spoofing may also be used for committing identity theft or tarnishing the reputation of an email user. However, these reasons are less common.

How is Email Spoofing Done?

While we all like to think that criminal geniuses run spoof attacks, the truth of the matter is that it’s actually very easy to do. All a person needs is a Simple Mail Transfer Protocol server and an email service such as Gmail or Outlook. With these two pieces of tech, the user can edit different fields within the email such as the header and originating address. Although many email systems have developed tools for detecting and filtering spoofed messages, these methods still need improvement have been adopted very slowly.

How do I Protect Myself Against Spoofing?

Because some spoofed messages are extremely sophisticated, many people have difficulty picking them out from real ones. However, there are some best practices you can implement with every email you open to stay protected in every eventuality.

  • Keep Your Anti-Malware Software Up-to-Date: If you accidentally click a malicious link in a spoofed email, your anti-malware software should be able to detect it and block it (or warn you about the link even before you click it).
  • Don’t Share Sensitive Info: Even if you trust an email 100 percent, you should never share sensitive information through emailed messages. Once you’ve sent the message, its security and privacy is out of your hands and anything can happen to it. Whether you suspect spoofing or not, implement a policy of never sending personal data, like financial information, through email.
  • Use Strong Spam Filters: Many email services allow you to set the strength of your spam filters. Use the strongest possible settings to protect yourself from spoofed emails.
  • If You’re Not Sure, Don’t Click: If you don’t have full confidence in an email link or download, just don’t click it until you’re positive it’s safe. For an email from your bank, call the bank and ask about the validity of the message (but don’t use any phone number found within the email itself in case it’s fraudulent). If a coworker has sent you an email, you can also check with them that they were the one to send it before you open any links or start any downloads.
  • Check That Links Are Secure: If you do trust a link enough to open it, check its level of security once it is open. If the URL starts with HTTP instead of HTTPS, it isn’t secure and you should never input any personal information into that website.
  • Look at the Email Address, Not Just the Display Name: Most email servers allow you to choose or change which name you want to appear alongside your message. However, you should always compare the display name to the actual address. If the display has the name of your great aunt but the address says “customerservice@madeupcompany.com” then you’re probably being spoofed.
  • Examine the Email’s Content: While some spoofed messages can appear indistinguishable from a legit one, there are a few signs to watch out for that can tell you if a message is real or not. If the subject line is designed to frighten you or spur you into an action (for example: your account has been suspended), it could be a spoof. Another sign of a fake message is spelling mistakes. One mistake might not be cause for alarm but several is more likely to indicate danger. A third trick to try is to hover over links in the email. If you hover over the link, there should be a little pop-up to tell you the URL the link will take you to. If it’s suspicious, you’ll know not to click it. Finally, if the email is too vague or too jargon-y, stay on your guard and verify its authenticity if possible before taking any action with it.
  • Get Technical: While visual signs of spoofing are great to look out for, sometimes those signs just aren’t there. If that’s the case, you can take a technical look at the email. First, examine its header. The email address in the header should match the address you expect it to be from. In the header, you can also take a look at the “received” field. The email address there should match the name of the sender. Finally, take a look at the return path, which should also match the expected address of the sender. You can also conduct a reverse IP address lookup, to see where the sender of the email originates from. If the email should come from Detroit, Michigan but the IP address is somewhere in Nigeria, it’s probably a spoof.

Email spoofing is a real threat to online privacy and security but it doesn’t have to be. By understanding how it works and how to avoid it, you can stay protected.

To protect yourself further, use a VPN to encrypt all of your internet traffic.

Posted by

More Blog Posts

Everyday online activities

January 21, 2021

3 Tips for Safe and Sound Everyday Online Activities

Would you ever leave your wallet out in the open in the middle of a busy street? Probably not. Most of us have cash, credit cards, and some of our most valuable ID tucked away in those small slots and pockets. Risking wallet theft is enough to upend a life. But did you know that […] Read more
Limits to private browsing

January 19, 2021

Privacy Tip of the Week: Understand the Limits to Private Browsing

Almost everyone uses private, or incognito, browsing at some point in their digital lives. It’s a convenient feature that enhances your privacy online. Most commonly, users take advantage of private browsing to access adult-themed content, look up possibly embarrassing medical issues, or shop for loved ones without the surprise being given away. Unfortunately, many people […] Read more
Privacy Tip of the Week: Don't Use Incognito Mode

January 15, 2021

Privacy Tip of the Week: Don’t Use Incognito Mode

Watching a steamy video? Searching up an embarrassing medical question? Looking for that perfect gift that you need to keep secret? Most people hide their browser history with incognito mode. The name generates an expectation of privacy. However, going incognito online actually doesn’t protect you as much as you may believe. While the setting stops […] Read more

Grab the limited deal now!

Our best price ever! Get HotBot VPN for 70% off today. Our app can be used on up to 6 devices at a time, doesn't limit speeds, and increases security and freedom when using the internet.

3 Year Plan



SAVE 70%

USD 359.64 USD 107.64

billed one time

1 Year Plan



SAVE 30%

USD 119.88 USD 83.88

billed every year

1 Month Plan



USD 9.99

billed every month

Get the HotBot VPN Mobile App.

Download our apps for iOS and Android