Courtney Road

Tiverton, Devon, EX16 6EE

+44 1884 664 004

Mon - Fri: 9:00 - 17:00

Online portal and guides 24/7

September 2018 Return of the Spoof

Email spoofing used to be a thing of the past, but it is back!

The basic’s of email spoofing is to send an email from address A, but make it look like it was send from address B. This was stopped by a lot of technologies like SPF, DKIM and DMARC.

Unfortunately a newer version is hitting at present, and this is currently hard to stop.

What is the new version?

The idea is the same, but instead of pretending to be from a different address they are using just the name.

As an example, I might send an email from my account of johndoe@example.com which normally has my name of “John Doe” attached.

What the spammers are doing is sending an email from fakeaddress@someonesdomain.com but providing the name of “John Doe”.

People see this email is from “me” and hopefully trust it and click on the link provided etc…

How can we spot this?

This is very easy to spot if we all take just 5 seconds to look at the email. Here is a sample email we actually received. (Actual real names/address removed, but spammer stuff remains)

Fake Email printed via Microsoft Outlook

Hopefully after my brief description above you have already spotted the main way of telling if an email is spoofed or not. If not, do not worry as below we shall go through this in full detail.

As with above, here is the same email with some coloured boxes over certain areas. These boxes explained below the picture show how we know this is a spoof.

Fake email with errors highlighted

Blue shows part of the from field on an email, this part is the name of the sender. In this case saying John Doe which is the spoofed information.

Orange shows us the section of the email before the @ symbol. In the from field of the email it states it is jifitzgerald where the signature states it is JDoe. The from field shows the real sender of the message which is clearly not JDoe.

Yellow shows the senders domain name (section after the @ symbol). If you look you will see in the from field is shows us it is roofwcohd.com, but in the signature they are saying it is realcompanydomain.co.uk. Once again these do not match and the from field is the actual sender.

Red shows the senders signature. I know the spoofed sender John Doe, and due to this I know this is not his email signature. Knowing your contacts and what they normally send is an extremely good giveaway that this is fake.

Green shows the information the spammer wants me to access to infect my machine with a virus or other form of malware. This is another big giveaway as the link is to a service that John Doe does not use or has nevered used in the past.

What is being done to protect us?

Customers who have our spam filtering system at present will hopfully see less of these due to the protection systems we have in place. We are always working to protect people on our platform from receiving these emails.

Unfortunately, if your name is being used to spoof others we do not have a way of stopping this has your name has been captured by the spammers in one way or another. Hopefully the phase of using your name will pass as spammers move on when people learn.

Share this post