Email spoofing — a reminder to be alert

Malwarebytes Labs’ blog recently posted an article about email spoofing. It’s a good reminder about following best practices — ways to avoid scams.

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by threat actors. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regard to the receiver.

Phishing campaigns use email spoofing. The article lists other reasons for spoofing as well. Scammers and criminal organizations have different business models (typically to generate revenue) and use cons that have been around for centuries.

There are technical procedures to confirm that a message is spoofed, but these are not practical for most people. Sometimes I get messages claiming to be from a client. I am immediately suspicious because of the subject of the message (or the lack of a subject). Examination of the raw message usually reveals that it was indeed a spoof and sent to a bunch of addresses stolen from the alleged sender’s address book.

The industry has been working on technical countermeasures to detect and stop spoofed messages. Your Internet Service Provider (ISP) may use some. But they are not foolproof.

Remember that email was designed much like the delivery of paper letters by the United States Postal Service (USPS). Anyone can write any “to” and “from” addresses they like on the envelope. There’s no authentication by the USPS.
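The kind of raw-message examination mentioned above, and the envelope-versus-letter distinction, can be sketched as a header check. This is an added example, not part of the original post: it uses Python's standard `email` module, the sample message is constructed, and the helper names `domain` and `spoof_indicators` are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and domain is a placeholder.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=client.example.com
From: "Trusted Client" <alice@client.example.com>
Reply-To: alice.client@freemail.example
To: me@example.org
Subject:

Please see the attached invoice.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw):
    """Return header-based reasons to distrust a raw message (hypothetical helper)."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # Return-Path records the envelope sender; From is what the mail client displays.
    for name in ("Return-Path", "Reply-To"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # Authentication-Results carries the receiving server's SPF/DKIM/DMARC verdicts.
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            words = rest.split()
            if method.lower() in ("spf", "dkim", "dmarc") and words \
                    and words[0].lower() in ("fail", "softfail"):
                findings.append(f"{method.lower()}={words[0].lower()}")
    if not (msg["Subject"] or "").strip():
        findings.append("empty subject")
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(RAW):
        print("suspicious:", finding)
```

A domain mismatch is an indicator rather than proof, since mailing lists and bulk-mail services legitimately send with a different envelope sender. Only an Authentication-Results header added by your own receiving mail server should be trusted, because a sender can insert a forged one.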

Spoofers also rely on “look-alike” or “sound-alike” names and other words, which can trick anyone not paying close attention.

And remember that Caller ID on your phone may be spoofed as well.