Security Tips for Spotting and Protecting Against a Spoofed Email

You might think you're cyber-savvy enough to avoid email-based phishing attacks. But what if the messages appear to come from a trusted company or friend?

Email spoofing refers to the forgery of an email header, making the message look like it’s from a different source. It's a technique used in spam and phishing attacks to convince victims the correspondence came from a trustworthy entity.

A spoofed email might be made to look like it's from an online retailer, a known service provider, your bank, a friend or a coworker. But in reality, it's sent by a scammer. The goal of email spoofing is simply to get you to let your guard down, jeopardizing your data and device security.

Spoofed email addresses are among the most common tactics scammers use to gain their victims' trust. Despite many red flags such as impersonal greetings, misspelled URLs and fear-inducing messages that make a spoofed email easy to spot, countless varieties trick recipients every day.

For example, a spoofed email might pretend to come from an online retailer asking you to update your billing information or from your bank alerting you to a security issue with your account. By abusing users' trust and using official logos and email templates, the scammers steal login credentials and financial data, and even spread malware.

How to spot a spoof

You should question any unsolicited correspondence in your Inbox, especially if it asks you to log in, update your data, download an attachment or access a link.

Analyze the email header of the message. Don't rely on the name displayed. Look carefully at the sender's address and check the domain name. You should inspect these details from a PC and not a mobile device, since this information is often hidden and can be harder to spot on your smartphone.  

For example, if you receive an email from LinkedIn, the domain name should end with @linkedin.com and not other variations. To put you off his track, the attacker might even spoof the "From" section to incorporate the name of the social media platforms alongside an official email address such as notifications-noreply@linkedin[.]com.

No legitimate company, service provider or bank will send you email notifications using an email address from a free email service provider such as Gmail or Yahoo Mail. Even if the sender’s name looks familiar, you can always take an extra second to check it’s spelled correctly.

Security tips

• Don't click on links to access a website that asks you to log in or authenticate. Type the official domain in your browser to log in instead.
• View the email header in your email client and check the email addresses
• Check for poor spelling and grammar
• Don't open attachments from unknown senders
• Don't act on emails that create a sense of urgency or promise you a great prize
• Be wary of messages warning of pending account closures, payment failures or suspicious activity on one of your financial accounts
• Visit the website directly from your browser and not the link in the email
• If the email seems suspicious but appears to be sent from a friend, coworker, or family member, call them before acting upon any request
• Install a security solution on your device to ward off malicious threats and alert you whenever you access a phishing or fraudulent link