How to Prevent Email Spoofing Attacks

The underlying protocol that handles email sending—SMTP (Simple Mail Transfer Protocol)—is dangerously outdated. Initially developed in 1982, SMTP remains the de facto standard for sending emails because of its simplicity, compatibility, and efficiency.

However, SMTP can be easily abused by threat actors. One simple way to do this is to “spoof” email addresses, which is using a fraudulent email address to impersonate a legitimate one. To deal with some of these vulnerabilities, key authentication protocols bolster SMTP and make it less exploitable, giving organizations more security when it comes to email.

Let’s dive into what email spoofing is exactly, and what steps you can take to avoid becoming the victim of an email spoofing campaign.

What is email spoofing?

Email spoofing is a specialized form of fraudulent email where fraudsters manipulate the “From” address of an email to make it seem like it’s from a trusted individual. Let’s imagine your CEO uses the address jane.ceo@example.com. In a spoofed email, a hacker might send the email from hacker@hacker-domain.com, but your email client would display the “from” as jane.ceo@example.com.

BEC (Business Email Compromise), phishing, and spear phishing use spoofing as part of their attack method, making it an essential tool for threat actors.

Many email clients have protocols in place to prevent and/or flag these emails but if an organization is using a legacy email service that’s less security-minded, these spoofed emails may get through.

SMTP itself has zero requirements for authentication with a username and password, so it’s up to email servers and email clients to implement authentication and checks to prevent email spoofing.

Preventing spoofing attacks

If your outgoing emails aren’t properly configured, cybercriminals can piggyback off your domain and defraud your customers through spoofed emails.

You also need to protect yourself against incoming spoofed emails to avoid becoming the victim of a malware or ransomware campaign.

DMARC, SPF, and DKIM—the anti-spoofing trio

The three protocols of DMARC, SPF, and DKIM represent the largest effort on the part of the email ecosystem to prevent spoofed emails.

Let’s define each of these simply.

SPF—Sender Policy Framework

SPF requires a DNS record that specifies what IP addresses are allowed to send mail from a domain.

SPF, on its own, contains limitations, which is why it’s necessary to use it in combination with the other two protocols.

The primary limitation of SPF is that it checks the “MailFrom” value, and not the “From” value. End users never see the “MailFrom” value. This is the email address of the person actually sending the email. But the “From” address—what the user sees—can still be manipulated even when using SPF.

DKIM—DomainKeys Identified Mail

DKIM complements SPF by using cryptographic keys to verify that an email genuinely comes from the stated domain and that its content hasn’t been altered. While SPF focuses on the “MailFrom” address, DKIM provides additional security by authenticating the “From” address, which is what the end user sees.

DMARC—Domain-based Message Authentication, Reporting, and Conformance

DMARC is the final layer of anti-spoofing protection and requires SPF and DKIM settings to be in place first.

DMARC compares the SPF and DKIM domains to ensure they match. DMARC additionally implements a policy of what to do with emails that fail checks. Using DMARC, you can specify that any emails that fail DMARC checks will get rejected or sent to a spam folder.

DMARC also implements a reporting feature that sends feedback to email servers about failed and passed checks.

Email filtering, spam detection, anti-phishing tools

The usual tools that help prevent spam and other types of malicious emails can also be used to flag potential spoof emails. Regardless of where an email originates, fraudulent emails almost always contain telltale signs that automated software can detect, such as links to malicious or blacklisted websites.

You can also implement a natural language processing (NLP) AI solution that analyzes the text of emails to flag any anomalies so that even a sophisticated spoofed email can still be detected.

Security awareness training

The most significant challenge with SPF, DKIM, and DMARC settings is that they’re complicated to configure. They also don’t fully guarantee the security of email, although they do help.

The best security program must always include security awareness training. Technology is constantly advancing, and hackers work diligently to find ways to circumvent the latest detection and authentication methods.

By training employees to recognize telltale signs of spoofed emails or compromised email accounts, you can protect yourself against one of the weakest links in any security setup: human error.

How a managed security program provider can help

Protecting against spoofed emails requires properly configured SPF, DKIM, and DMARC records that are neither overly permissive nor too restrictive. Being too permissive is a common point of failure for many organizations trying to set up these procedures themselves. To minimize any operational disruption, businesses put looser protocols in place that don’t offer sufficient protection.

A managed security program can help you with the vital tasks of security awareness training and building a strong security culture in your business. All while providing comprehensive protection that can even address the issues that might arise if a spoofed email gets through.

SolCyber offers all of these services, from fundamental coverage to extended coverage, depending on what you need. To learn more about SolCyber’s managed security program, and how it can help you protect yourself against spoofing, contact us today for a no-obligation discovery call.