How To Stop Email Spoofing (Avoid Phishing & Protect Inbox)
Have you ever received a spam email that you could clearly tell was untrustworthy? Human intelligence may be the best defense against some phishing attempts. Still, some types of attacks like email spoofing may not be so obvious to catch.
Email spoofing can be done by impersonating someone you know or by using an address that resembles a legitimate domain name. Consider whether any request contained in a message is reasonable or if it sounds like it could be a scam. Avoid email spoofing by verifying the sender of any unsolicited emails.
Let’s dive into what email spoofing is and how it works so that by the end of this article you’ll have the knowledge to be able to consistently recognize and avoid this type of threat.
What is Email Spoofing?
Email spoofing is when email addresses are deliberately falsified to appear to be from a trusted source.
For example, you might receive an email that looks like it’s from someone you know — like a coworker, friend, or family member — when it actually isn’t.
Email spoofing is just one example of phishing, a type of social engineering where an attacker tricks a person into revealing sensitive information. Phishing refers to unsolicited communication from a malicious actor, presented as coming from a legitimate source to access your personal, financial, or other sensitive information.
Criminals count on the ability to trick people into believing that these crafted communications are genuine. This can lead victims to unknowingly download malicious software or send money via an electronic transfer of funds without realizing they’re being duped.
As of 2020, email phishing is by far the most common attack performed by cybercriminals: the FBI’s Internet Crime Complaint Center recorded more than twice as many phishing incidents as any other type of cybercrime.
How To Recognize Phishing & Examples
Phishing scams often come under the pretense of urgency. Perhaps a message will claim that one of your financial accounts is suspended and that you need to divulge information to resolve the situation. A well-crafted spoofed email message must have the appearance of legitimacy, and there are a few approaches to achieve this.
Check the Email Header
The header contains metadata about the email: the sender’s display name, email address, send date, and subject.
- Display name spoofing shows the impersonated display name but leaves the sending email address unmodified. If the recipient only sees the display name and doesn’t check the sending address, they might be fooled into giving away sensitive information. This could happen more easily than you think since many email clients show only the display name by default — especially on mobile devices.
Example 1: “Manager Michael” <managername@gmail.com>
Example 2: “First Bank” <FirstBank@gmail.com>
If you only see the name of an entity that you recognize, and you’re in a hurry to reply, you might not realize that the email is coming from a random Gmail account.
- Domain impersonation spoofing is when the fraudster uses a domain name (i.e., what follows the @ symbol) that resembles an official domain but is off by a few characters. This impersonation relies on the recipient not paying close enough attention to catch the look-alike characters or not realizing that the domain is not legitimate. Alternatively, the fraudster could add deceptive wording that shouldn’t be there.
Example 1: “PayPal” <paypal@paypa1.com>
Example 2: If an attacker wanted to impersonate “First Bank,” whose official domain we’ll say is “firstbank.com,” that attacker could register the look-alike domain “firstbankpayments.com” and send from “FirstBank@firstbankpayments.com”
However, an attacker could also potentially spoof both the display name AND an official domain name.
- Domain spoofing is when an attacker uses the legitimate domain name of the impersonated identity. Let’s think back to our previous examples. Say that we know that our manager’s official work email is “michael@officialcompanysite.com” or that our bank’s official email address is “FirstBank@firstbank.com.” Because the underlying email protocols don’t verify the sender address on their own, an email address that looks identical to the real one may still be spoofed:
Example 1: “Manager Michael” <michael@officialcompanysite.com>
Example 2: “First Bank” <FirstBank@firstbank.com>
In these cases where both the name and sending address look legitimate, there are still ways to find out whether or not the sender is who they claim to be (which we’ll cover right up ahead).
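To make the three header checks above concrete, here is an added example (not code from the original article) that classifies a From header value using only what the header shows. The list of known senders, the edit-distance threshold and the sample headers are assumptions chosen to mirror the article’s examples; the “exact-domain” result deliberately stops short, because a header that matches the real domain can only be confirmed by the receiving server’s authentication checks.

```python
# Added example, not from the original article: heuristics for the three
# From-header tricks described above. The list of known senders and the
# distance threshold are assumptions chosen for illustration.
from email.utils import parseaddr

# Assumed: organisations we recognise, mapped to the domains they really send from.
KNOWN_SENDERS = {
    "first bank": {"firstbank.com"},
    "paypal": {"paypal.com"},
    "michael": {"officialcompanysite.com"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits between domains signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(address: str) -> str:
    """Last two labels of the address's domain, so mail.firstbank.com compares as
    firstbank.com (simplification: ignores multi-label suffixes such as co.uk)."""
    domain = address.rsplit("@", 1)[1].lower()
    return ".".join(domain.split(".")[-2:])


def classify_from(header: str) -> str:
    """Classify a From header value using only what the header itself shows."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return "malformed"
    domain = registrable_domain(addr)
    # Which known organisation does the display name or local part invoke?
    text = f"{name} {addr.split('@', 1)[0]}".lower()
    claimed = next((org for org in KNOWN_SENDERS if org in text), None)
    if claimed is None:
        return "unknown-sender"
    official = KNOWN_SENDERS[claimed]
    if domain in official:
        # Header looks genuine; only the receiver's authentication checks can confirm it.
        return "exact-domain"
    for good in official:
        brand = good.split(".")[0]
        if edit_distance(domain, good) <= 2 or brand in domain:
            return "lookalike-domain"
    # A known name on an unrelated domain (a random webmail account, for instance).
    return "display-name-spoof"


if __name__ == "__main__":
    # Constructed sample headers mirroring the article's examples.
    for sample in (
        '"Manager Michael" <managername@gmail.com>',
        '"First Bank" <FirstBank@gmail.com>',
        '"PayPal" <paypal@paypa1.com>',
        '"First Bank" <FirstBank@firstbankpayments.com>',
        '"First Bank" <FirstBank@firstbank.com>',
    ):
        print(f"{classify_from(sample):20} {sample}")
```

The look-alike test combines a small edit distance (paypa1.com is one character from paypal.com) with a brand-name substring check (firstbankpayments.com contains firstbank), which covers both impersonation styles the article describes.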
Question the Message Content
It’s not realistic to expect people to carefully examine the header of every email they receive. Fortunately, most email providers have authentication processes to prevent impersonation attacks like email spoofing. Here are the official support pages for Gmail, Microsoft Outlook, and ProtonMail.
But these checks are not foolproof, and it would be unwise to rely solely on email authentication protocols to protect yourself or your organization.
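The article doesn’t name the authentication processes, but in practice a receiving mail server records its SPF, DKIM and DMARC verdicts in an Authentication-Results header (RFC 8601), which most clients let you view under “show original” or similar. The added example below (not from the original article) reads that header from three constructed messages; the server name mx.example.net and the messages themselves are made up. It also shows exactly why these checks are not foolproof: a look-alike domain the scammer controls can pass every check, because passing only proves the mail really came from the domain shown in the From header.

```python
# Added example, not from the original article: reading the receiving server's
# Authentication-Results header (RFC 8601), where SPF, DKIM and DMARC verdicts are
# recorded. The sample messages and the server name mx.example.net are constructed.
import email
import re
from email.utils import parseaddr

GENUINE = """\
From: "First Bank" <FirstBank@firstbank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=firstbank.com; dkim=pass header.d=firstbank.com; dmarc=pass header.from=firstbank.com
Subject: Your statement is ready

Log in to view your statement.
"""

SPOOFED = """\
From: "First Bank" <FirstBank@firstbank.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=firstbank.com; dkim=none; dmarc=fail header.from=firstbank.com
Subject: Urgent: account suspended

Confirm your password within 24 hours.
"""

LOOKALIKE = """\
From: "PayPal" <paypal@paypa1.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypa1.com; dkim=pass header.d=paypa1.com; dmarc=pass header.from=paypa1.com
Subject: Payment received

Click to release the funds.
"""


def parse_authentication_results(value: str) -> dict:
    """Map each method (spf, dkim, dmarc, ...) to its result. The first field is the
    identity of the server that did the checking; property lists are dropped."""
    fields = [f.strip() for f in value.split(";")]
    results = {}
    for field in fields[1:]:
        m = re.match(r"([a-z]+)=([a-z]+)", field, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw_message: str) -> tuple:
    """Return (verdict, From domain). DMARC ties the SPF/DKIM outcome to the
    domain in the From header, so its result is what decides the verdict."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    header = msg.get("Authentication-Results")
    if header is None:
        return ("no-authentication-results", from_domain)
    results = parse_authentication_results(header)
    if results.get("dmarc") == "pass":
        return ("authenticated", from_domain)
    if "fail" in (results.get("dmarc"), results.get("spf"), results.get("dkim")):
        return ("authentication-failed", from_domain)
    return ("unverified", from_domain)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("look-alike", LOOKALIKE)):
        print(f"{label:10} {assess(raw)}")
```

The verdict is always returned together with the From domain on purpose: “authenticated” for paypa1.com is technically true and still a scam, so the domain check from the header section and the authentication result have to be read together.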
According to Verizon’s 2021 Data Breach Investigations Report, 85% of investigated breaches involved the human element. Being aware of email spoofing can help you better identify and thus avoid social engineering scams that might compromise important information.
Even if you’re only doing a cursory inspection of a message’s content, there are some things you might pick up on that suggest an email spoofing scam:
- Is the content suspicious? Would the sender really ask for something like this? Does this email make sense?
- Were you expecting this message? Or is it an unsolicited request for personal information?
- Does the email use an urgent tone? Are you being pushed to act quickly?
While it’s crucial to be vigilant when you notice mail coming from an unknown sender, you should remember that cyber criminals may try to trick you by presenting themselves as someone trustworthy.
In their message content, scammers present information they’ve gathered about you to make their impersonation more credible and get you to lower your guard. This type of phishing attack is known as spear phishing.
Scammers also send generic messages, hoping that a few people will fall for their tricks or open an unsafe link or attachment containing malware. Phishing scams that target many recipients at once are known as “bulk phishing.” Because the content of these messages is impersonal, they are relatively easy to spot.
Spear phishing, on the other hand, involves the attacker gathering personal information on you from wherever they can find it, like any social networks you may post on.
P.S. On that note, feel free to check out some of our posts on social media usage if you’re interested in reflecting on some of your online habits:
- 11 Worst Social Media Apps Ruining Mental Health & Privacy
- People Without Social Media: Why They Don’t Use It
To clarify: this doesn’t mean that you need to avoid all social media at all costs. But it does mean that you should try to be careful of what information you put online.
To bring it all together, let’s summarize our tips so far and go over some more general advice. By the time you’re done, you’ll be effectively equipped with the knowledge you need to avoid phishing emails and protect your inbox.
Tips For Protecting Your Inbox
Email spoofing involves sending emails from a misleading sender address. This type of phishing attack attempts to trick you into doing something the attacker wants — sending over money or personal information — by pretending to be someone you know and trust.
A preliminary way to recognize if an email is a phishing attempt is to carefully examine the sender’s email address and sender name for inconsistencies. After you’ve checked the email header, ask yourself if the message content of the email makes sense.
Some things to keep in mind for general digital safety:
- Never give out your personal data to anyone you don’t know.
- Remember that companies generally don’t contact you for your username and password.
- Download software only from sources you know and trust.
- Avoid websites that produce browser alerts that advise against access.
- Check what URL you’re redirected to before clicking a link by hovering over it.
- Protect your devices by using anti-virus and anti-malware software.
- Use a strong password and change it as required.
- Use two-factor authentication on any account that allows it.
- Never share sensitive personal information like credit card numbers unless you can verify the recipient is who they claim to be.
- Be careful of what you post online, especially on social media (you might be revealing personal information that makes you a more vulnerable target).
Here are some more easy tips to help protect yourself from phishing attacks and malware that are email-specific:
- Do NOT open email attachments or click links from unknown senders.
- If you’re an email administrator for an organization, make sure to set up email authentication.
- Emails that are automatically filtered into your Spam folder may end up being legitimate, but since they’re triggering your email provider’s spam filter, it’s worth being extra cautious.
- Tired of receiving spam emails in general? One way to fight spam messages is to use email forwarding services, or you could even set up a temporary, disposable email address.
- Be wary if a message looks significantly different from other legitimate messages that you’ve received from the organization or company.
- This may be an obvious one, but many fraudulent emails contain poor grammar and obvious spelling mistakes (and the reasons behind that are very interesting).
- Report suspicious emails. Most email providers allow you to report phishing — here’s how to do that for Google, Microsoft, and ProtonMail. You can also report scammers directly to the entity they are impersonating. For example, if a fraudster is trying to obtain money from you by impersonating PayPal or Venmo, you can report it to those companies directly.
- Any email promising something that sounds too good to be true is likely a scam. Similarly, beware of emails that emphasize a sense of urgency or danger.
- Don’t assume that an unsolicited email message that looks like it came from a friend or business associate is real. Instead, use a known phone number or email account to contact that person and confirm if they sent the message.
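For the administrators mentioned above, “set up email authentication” means publishing SPF and DMARC records in DNS, something the article doesn’t spell out. The added example below (not from the original article) checks whether such records actually enforce anything: a DMARC policy of p=none and an SPF record ending in +all both exist but protect nobody. The records are constructed samples for the placeholder domain example.com, shown weak and strengthened side by side.

```python
# Added example, not from the original article: judging whether a domain's SPF and
# DMARC records actually enforce anything. The records below are constructed samples
# for the placeholder domain example.com.
from typing import Dict


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record: str) -> str:
    """'enforcing' only if receivers are told to quarantine or reject failures
    for the full message volume; p=none (or pct=0) just asks for reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none" or tags.get("pct", "100") == "0":
        return "monitoring-only"
    return "enforcing"


def spf_posture(record: str) -> str:
    """The final 'all' mechanism decides what happens to senders not listed:
    -all rejects them, ~all only marks them, ?all is neutral, +all (or bare all)
    allows anyone to send as the domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    last = terms[-1].lower()
    if last == "-all":
        return "enforcing"
    if last == "~all":
        return "softfail"
    if last == "?all":
        return "neutral"
    if last in ("+all", "all"):
        return "permissive"
    return "no-catch-all"


# Constructed: a weak and a strengthened pair of records for example.com.
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, rec in (("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF),
                      ("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        check = spf_posture if "SPF" in name else dmarc_posture
        print(f"{name:12} {check(rec):15} {rec}")
```

A common rollout path is to start with p=none to collect the aggregate reports sent to the rua address, fix any legitimate senders that fail, and only then move to quarantine or reject; the point of the check above is that stopping at the first step leaves the domain spoofable.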
This article originally appeared on Data Overhaulers. Read on to learn more tips to help you control your digital life.