Email spoofing involves the creation of fake emails that seem legitimate in order to trick users into taking an action that benefits the attacker. That action can be downloading malware, providing access to systems or data, offering up personal details, or transferring money.

Often, these “spoofed” emails appear to come from reputable organisations, putting at risk not only the targets but also the reputations of the corporations whose domains were abused.

What’s more, spoofed emails can be part of larger, multi-stage attacks, such as those aimed at doxing corporations. And these attacks are on the rise.

From April to May 2021, the total number of email spoofing attacks nearly doubled from 4 440 to 8 204. These types of attacks can be carried out in multiple ways. The easiest is what’s called “legitimate domain spoofing”. This is where someone inserts the domain of the organisation being spoofed into the “From” header, making it incredibly difficult to distinguish a fake email from a real one.

However, if a company has implemented one of the newer mail authentication methods, then attackers must resort to another method. This can take the form of “display name spoofing”, whereby attackers spoof the individual sending the email – that is, they make it look as if it has been sent by a real employee of the company.

More sophisticated spoofing attacks involve lookalike domains: the attackers use specific registered domains that look similar to those of legitimate organisations.

Spam emails can often be identified by the fake domain name used to send them – however, this is not possible with Unicode spoofing.

Unicode is a standard used to encode domain names, but when domain names use non-Latin elements, these elements are converted from Unicode to another encoding system. The result is that, at a code level, two domain names may look different – say kaspersky.com and kaspersky.com with a Cyrillic y – but when the emails are sent, they’ll both appear as “kaspersky.com” in the “From” header.
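As an added illustration (not part of the original article), the following Python sketch shows how a mail filter could tell the two “kaspersky.com” spellings apart by converting the sender domain to its ASCII (Punycode, “xn--”) form and checking for mixed scripts. The function names, the small confusables table and the sample headers are assumptions constructed for this example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed, deliberately small subset of Cyrillic letters that render like
# Latin ones; a production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")


def scripts(label):
    """Scripts used in a label, taken from the first word of each letter's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). A heuristic, not UTS #39."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def analyse_from(header, protected):
    """Classify the sender domain of a From header against protected domains."""
    _display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    try:
        # ASCII form ("xn--..." for non-Latin labels): differs where glyphs do not
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # not encodable as a valid IDNA name
    mixed = any(len(scripts(label)) > 1 for label in domain.split("."))
    if domain in protected:
        # Same string only; whether the mail is authentic is a separate check.
        verdict = "exact"
    elif domain.translate(CONFUSABLES) in protected:
        verdict = "homograph"
    elif mixed:
        verdict = "mixed-script"
    else:
        verdict = "unrelated"
    return {"domain": domain, "ascii": ascii_form,
            "mixed_script": mixed, "verdict": verdict}


if __name__ == "__main__":
    PROTECTED = {"kaspersky.com"}
    SAMPLES = [  # constructed headers, not taken from real mail
        "Kaspersky Support <support@kaspersky.com>",
        "Kaspersky Support <support@kaspersk\u0443.com>",  # Cyrillic U+0443
        "Newsletter <news@example.org>",
    ]
    for h in SAMPLES:
        print(analyse_from(h, PROTECTED))
```

An “exact” verdict only means the strings match; as the article notes for legitimate domain spoofing, confirming that the mail really came from that domain is the job of mail authentication.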

“Spoofing may seem primitive when compared to some of the other techniques used by cybercriminals, but it can be very effective,” comments Roman Dedenok, security expert at Kaspersky. “It can also just be the first stage of a more complex business email compromise (BEC) attack – attacks that can lead to identity theft and business downtime, as well as significant monetary losses.

“The good news is that there are a range of anti-spoofing protection solutions available and new authentication standards that can keep your business email secure.”