
How Scammers Spoof Email Addresses

By Ṣọ Email Security | 5 min read

Email spoofing lets scammers forge the sender field in any email without hacking an account. Learn how the attack works in five steps, how to detect it, and how to stop it with SPF, DKIM, and DMARC.

Tags: email spoofing, phishing, business email compromise, BEC, SMTP, SPF, DKIM, DMARC, email security, cybersecurity, small business security, freelancer security


What Is the Short Answer to How Email Spoofing Works?

Email spoofing is the act of forging the sender address on an email to make it appear as though it came from a trusted source. Scammers exploit the Simple Mail Transfer Protocol (SMTP), which has no built-in mechanism to verify that a sender is who they claim to be. Any attacker with basic technical knowledge can send a message that displays any name and email address they choose.


What Is Email Spoofing?

Email spoofing is a cyberattack technique in which the "From" field of an email is deliberately falsified to impersonate a legitimate sender. The spoofed address may belong to a real person, a known organization, or a trusted domain such as a bank, an employer, or a government agency.

The attack exploits SMTP, the decades-old protocol that powers email delivery worldwide. SMTP was designed for reliability, not authentication. It does not natively require senders to prove ownership of the address they use. This architectural gap is why email spoofing remains one of the most persistent and cost-effective threats in cybersecurity today.


Why Does Email Spoofing Matter?

Email spoofing is not a niche technical problem. It is the primary mechanism behind some of the most financially destructive fraud schemes on the internet.

According to the FBI Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) attacks, which rely heavily on email spoofing to impersonate executives and vendors, caused losses exceeding $2.9 billion in 2023 alone. BEC is consistently ranked as the highest-loss cybercrime category in the FBI's annual reporting.

The IRS has identified email spoofing as a leading vehicle for tax-related phishing, particularly during filing season. Criminals impersonate the agency to steal Social Security numbers, W-2 data, and direct deposit credentials from individuals and payroll professionals alike. The IRS includes spoofed email schemes on its annual Dirty Dozen list of the most dangerous tax scams.

NIST Special Publication 800-177r1, the federal government's authoritative guide on trustworthy email, identifies spoofing as a foundational threat that must be addressed through domain-level sender authentication. It recommends SPF, DKIM, and DMARC enforcement as baseline controls for all organizations.

One spoofed email is all it takes. Because most recipients rely on the display name and sender address rather than the underlying mail server path, spoofed messages succeed even against experienced, security-aware users.


How Does an Email Spoofing Attack Actually Work?

Understanding the mechanics requires a brief look at how email is structured. There are two sender fields in every email: the envelope sender used during SMTP transmission, and the header sender displayed in your inbox. Attackers manipulate the header sender. Most email clients show only this field, not the envelope path.

Step 1: Select a target domain. The attacker chooses a domain to impersonate, such as the organization the victim trusts most. This could be their bank, a known vendor, a government agency, or their own employer.

Step 2: Forge the From header. Using a standard SMTP client or a widely available mail-sending tool, the attacker sets the "From" header to any address they choose. This field is entirely separate from the actual server that delivers the message and requires no authentication.

Step 3: Route through a relay or permissive server. The email is sent through either a legitimate mail relay with misconfigured authentication settings, a bulletproof hosting service, or a compromised mail server on an unrelated domain.

Step 4: The recipient's mail client displays the forged address. Most email applications show only the display name and the "From" address. The underlying server path and authentication result are hidden by default. The recipient sees what looks like a message from a trusted sender.

Step 5: The victim takes the requested action. This may include clicking a malicious link, wiring funds to a fraudulent account, submitting credentials on a fake login page, or forwarding sensitive documents.

According to Cloudflare's email security documentation, spoofed emails exploit the gap between the envelope sender and the header sender, a distinction the overwhelming majority of email users are never aware of and that most email clients do not surface.


What Does a Real Email Spoofing Attack Look Like?

In 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA20-245A documenting a wave of BEC attacks targeting the healthcare sector. Attackers spoofed the email addresses of hospital CFOs and supply chain directors to redirect vendor payments. In one documented case, a hospital network transferred over $840,000 to a fraudulent account based on a single spoofed invoice email that appeared to come from a known supplier.

The attacker never compromised any account. No password was stolen. No system was breached. They forged the sender field and used urgency to accelerate the transfer before anyone verified it.

This attack pattern is not limited to large organizations. Freelancers receiving spoofed client emails, nonprofits targeted with fake grant or vendor communications, and small businesses receiving counterfeit supplier invoices face the same mechanics at smaller scale with equally devastating proportional impact.


How Can You Tell If an Email Address Has Been Spoofed?

Use this checklist when you receive an unexpected email requesting action, payment, or credential input.

  • Check the full email header, not just the display name. In most email clients, select "Show Original," "View Source," or "View Raw Message" to access the complete header.
  • Look for a mismatch between the "From" address and the "Reply-To" address. Scammers often set Reply-To to an account they control.
  • Examine the Received header chain. The originating IP address should match the legitimate mail servers for the sending domain.
  • Confirm authentication results. Look for dmarc=pass, dkim=pass, and spf=pass in the Authentication-Results header. A fail or none result is a red flag.
  • Inspect the sending domain closely. Lookalike domains such as paypa1.com instead of paypal.com or micro-soft.com instead of microsoft.com are a common variation of spoofing.
  • Be alert to urgency. Requests for immediate wire transfers, gift card purchases, W-2 documents, or password resets are the most common payloads in spoofed email campaigns.
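The checklist above, and the envelope-versus-header distinction explained earlier, can be automated against a raw message. The following Python script is an added example and is not code from the original article or from Ṣọ; the sample message, the allowlist of trusted domains and the confusable-character mapping are all constructed for illustration. It compares the Return-Path (envelope sender) with the From header, flags a Reply-To that points elsewhere, reads the spf/dkim/dmarc tokens out of Authentication-Results, and detects simple lookalike domains of the paypa1.com and micro-soft.com kind.

```python
"""Inspect a raw email's headers for the spoofing indicators in the checklist.

Added example, not part of the original article. The sample message below is
constructed for illustration; every address, domain and IP in it is made up.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed raw message: the envelope sender (Return-Path) does not match the
# header From, Reply-To points at a third-party mailbox, and the receiving
# server recorded failing authentication results.
SAMPLE_RAW = """\
Return-Path: <bounce@bulk-relay.example.net>
Received: from bulk-relay.example.net (bulk-relay.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id 1234ABCD
Authentication-Results: mx.victim.example;
\tspf=fail smtp.mailfrom=bulk-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=paypa1.com
From: "PayPal Billing" <billing@paypa1.com>
Reply-To: refunds-desk@freemail.example.org
To: owner@victim.example
Subject: Urgent: your account will be suspended

Please confirm your details immediately.
"""

# Digits commonly swapped for letters in lookalike domains (assumed mapping).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}  # constructed allowlist


def domain_of(header_value) -> str:
    """Return the lowercase domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Extract 'spf=pass'-style tokens from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(CONFUSABLES).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted.translate(CONFUSABLES).replace("-", ""):
            return trusted
    return None


def spoofing_indicators(raw: str) -> list:
    """Run the checklist over a raw message and return the indicators that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_dom = domain_of(msg["From"])
    # Envelope sender (Return-Path) versus header sender (From)
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        found.append(f"envelope/header mismatch: {env_dom} vs {from_dom}")
    # Reply-To steering replies to a mailbox the sender controls
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to mismatch: {reply_dom}")
    # Authentication results recorded by the receiving server
    for mech, result in auth_results(msg).items():
        if result != "pass":
            found.append(f"{mech}={result}")
    # Lookalike domain in the From address
    target = lookalike_of(from_dom)
    if target:
        found.append(f"lookalike domain: {from_dom} resembles {target}")
    return found


if __name__ == "__main__":
    for indicator in spoofing_indicators(SAMPLE_RAW):
        print("!", indicator)
```

The script only reads headers the receiving server has already added; it does not replace a real DMARC-aware filter, and the confusable mapping is deliberately small, so treat a hit as a reason to verify out of band rather than as proof of fraud.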

What Steps Can Prevent Email Spoofing?

Prevention requires action at the domain level by IT administrators and at the individual level by all email users.

For domain owners and IT administrators:

Publish an SPF (Sender Policy Framework) record in your domain's DNS. SPF specifies which mail servers are authorized to send email on behalf of your domain. Any message sent from an unauthorized server will fail SPF validation.

Implement DKIM (DomainKeys Identified Mail). DKIM adds a cryptographic signature to outgoing messages that receiving mail servers use to verify the message has not been altered in transit and genuinely originated from an authorized source.

Enforce a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. DMARC tells receiving mail servers what to do with messages that fail SPF and DKIM checks. NIST SP 800-177r1 recommends setting DMARC to p=reject or p=quarantine as a baseline control for all organizations. Cloudflare's email security platform notes that domains publishing an enforced DMARC policy experience measurable reductions in spoofing of their brand across the global email ecosystem.
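To make the three controls concrete, the following Python script is an added example (not code from the article, from NIST, or from any mail server) that evaluates a DMARC record the way a receiving server does: it checks whether the SPF-authenticated envelope domain or the DKIM signing domain aligns with the From domain, and if neither does, returns the action the record's p= tag asks for. A monitoring-only record (p=none) is shown beside an enforced one (p=reject with strict alignment). All records, domains and message facts are constructed; the organizational-domain helper is simplified and real receivers use the Public Suffix List.

```python
"""Evaluate a DMARC policy against SPF and DKIM results.

Added example, not part of the original article or of any mail server's code.
Records and message facts are constructed; pct= and sp= tags are ignored.
"""
from dataclasses import dataclass

# Two DMARC records for the same domain: the weak one only monitors and
# reports, the enforced one tells receivers to reject failing mail and
# requires strict (exact-domain) alignment for both SPF and DKIM.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict with DMARC defaults applied."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption;
    production code consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthFacts:
    from_domain: str   # domain in the header From (what the recipient sees)
    spf_result: str    # 'pass' or 'fail'
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # 'pass', 'fail' or 'none'
    dkim_domain: str   # d= tag of the DKIM signature, '' if unsigned


def dmarc_disposition(record: str, facts: AuthFacts) -> str:
    """Return 'pass' if an aligned SPF or DKIM pass exists, otherwise the
    policy action from the record: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = (facts.spf_result == "pass"
              and aligned(facts.spf_domain, facts.from_domain, tags["aspf"]))
    dkim_ok = (facts.dkim_result == "pass"
               and aligned(facts.dkim_domain, facts.from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed facts. SPOOFED: From claims example.com, but SPF only passes for
# an unrelated relay's envelope domain and there is no DKIM signature.
SPOOFED = AuthFacts("example.com", "pass", "bulk-relay.example.net", "none", "")
# LEGIT: SPF passes for a subdomain, DKIM is signed by example.com itself.
LEGIT = AuthFacts("example.com", "pass", "mail.example.com", "pass", "example.com")
# SUBDOMAIN_SPF_ONLY: aligned only under relaxed SPF alignment.
SUBDOMAIN_SPF_ONLY = AuthFacts("example.com", "pass", "mail.example.com", "none", "")

if __name__ == "__main__":
    for name, facts in [("spoofed", SPOOFED), ("legit", LEGIT),
                        ("subdomain-spf-only", SUBDOMAIN_SPF_ONLY)]:
        print(f"{name:20} weak={dmarc_disposition(WEAK_DMARC, facts):8} "
              f"enforced={dmarc_disposition(ENFORCED_DMARC, facts)}")
```

The spoofed message passes SPF for the relay's own domain, which is exactly why SPF alone is not enough: DMARC's alignment requirement ties the authenticated domain back to the From domain the recipient actually sees, and only the p=reject record turns that failure into a refused message. The subdomain-only case also shows why moving from relaxed to strict alignment needs a DKIM signature from the exact From domain first, or legitimate mail starts failing.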

For individuals and end users:

Never act on urgent financial or credential requests without verifying through a separate, independently confirmed channel. Call using a number you already have on file. Do not use contact information included in the suspicious email.

Use an email security tool that automatically inspects authentication headers on every incoming message so you do not have to check manually each time.

Trust Aside: Ṣọ Email Security checks SPF, DKIM, and DMARC authentication on every email you receive, processed locally on your device. Your email data never leaves your device and is never stored on external servers.


What You Need to Know About Email Spoofing

Email spoofing is a low-effort, high-return attack that exploits a design gap in a protocol built before cybersecurity was a consideration. It is the engine behind $2.9 billion in annual fraud losses according to the FBI. The technical countermeasures exist in the form of SPF, DKIM, and DMARC, but adoption remains uneven, particularly among small businesses, freelancers, and nonprofits, which are disproportionately targeted precisely because they are less likely to have these controls in place.

Until every domain enforces sender authentication, individual vigilance and intelligent, privacy-first tooling remain your most reliable first line of defense.

Built for your privacy. Ṣọ never stores your email data.


Sources: FBI IC3 2023 Annual Report  |  NIST SP 800-177r1 Trustworthy Email  |  IRS Dirty Dozen 2024  |  Cloudflare Email Security Learning Center  |  CISA Alert AA20-245A


#EmailSecurity #Phishing #BEC #EmailSpoofing #Cybersecurity #SmallBusiness #Freelancers #Nonprofits #SoEmailSecurity