Email spoofing is a common way for cybercriminals to launch phishing attacks — and just one successful phishing attack can devastate your nonprofit. That’s why every secure organization has a strategy for detecting and filtering out spoofed emails.
This article will walk you through some of the best methods for preventing email spoofing.
If you’re wondering how to prevent your own email address or domain from being spoofed, the first step is to enable DMARC. But even that isn’t enough. Here are the further steps nonprofits should take to prevent these attacks:
Security awareness training
Email spoofing is common in social engineering attacks such as spear-phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people’s trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment.
That means part of the solution lies in educating those who are potential targets.
It’s important to note that cyberattacks target employees at every company level, which means cybersecurity is everyone’s responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond.
Looking “under the hood” of an email’s header is a valuable exercise to help employees understand how email spoofing works. For example, you can see if the email failed authentication processes and check whether the “Received” and “From” headers point to different domains.
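The header checks described above, carried out in code rather than by eye. This is an added example, not part of the original article: the raw message is constructed for illustration (the domains and the nonprofit.example receiver are made up), and it looks at exactly the three signals mentioned: the Authentication-Results verdicts, and whether Return-Path and the last Received hop point to a different domain than From.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the article): the visible From claims
# paypal.com, but the envelope sender and the last Received hop come from a
# look-alike domain, and the receiving server recorded SPF/DKIM/DMARC failures.
RAW_MESSAGE = """\
Return-Path: <billing@mail-paypa1-support.example>
Received: from mx.mail-paypa1-support.example (mx.mail-paypa1-support.example [203.0.113.10])
        by inbound.nonprofit.example with ESMTP id abc123
Authentication-Results: inbound.nonprofit.example;
        spf=fail smtp.mailfrom=mail-paypa1-support.example;
        dkim=none;
        dmarc=fail header.from=paypal.com
From: "PayPal Billing" <service@paypal.com>
To: finance@nonprofit.example
Subject: URGENT: invoice overdue

Please pay the attached invoice today.
"""

def domain_of(addr):
    """Lowercase domain part of an email address header value ('' if absent)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()

def auth_results(header_value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header_value or "")
        if m:
            results[method] = m.group(1).lower()
    return results

def spoofing_indicators(raw):
    """Return header-level warning signs for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    # The first Received header is the most recent hop: the host that handed
    # the message to our server. Take the name after "from".
    hop = re.search(r"from\s+([\w.-]+)", msg["Received"] or "")
    hop_domain = hop.group(1).lower() if hop else ""
    indicators = []
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(f"Return-Path domain {return_path_domain} != From domain {from_domain}")
    if hop_domain and not (hop_domain == from_domain or hop_domain.endswith("." + from_domain)):
        indicators.append(f"last hop {hop_domain} is not under From domain {from_domain}")
    for method, verdict in auth_results(msg["Authentication-Results"]).items():
        if verdict != "pass":
            indicators.append(f"{method}={verdict}")
    return indicators
```

Run against a real message by pasting its full headers into RAW_MESSAGE; a genuine PayPal notice would show spf=pass/dkim=pass/dmarc=pass and hops under paypal.com, so an empty list is the expected result.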
But it’s not realistic to expect people to inspect the header of every email they receive carefully. So what are some other giveaways that might suggest that an email spoofing scam is underway?
- The email doesn’t look how you expect. The sender might be “paypal.com.” But does the email look like PayPal’s other emails? Most sophisticated cybercriminals use the spoofed company’s branding — but some can make mistakes.
- The email contains spelling and grammar errors. Again, these mistakes aren’t common among professional cybercriminals, but they still can occur.
- The email uses an urgent tone. If the boss emails you urgently requesting that you pay an invoice into an unrecognized account — take a moment. It could be CEO fraud.
You’ll want your whole team on board to defend against cybersecurity threats, and security awareness training can help you get there. However, research suggests that the effectiveness of security training is limited.
Email provider warnings
Your mail server is another line of defense against spoofing attacks.
Email servers check whether incoming emails have failed authentication processes, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Many email providers will warn the user if an email has failed authentication. Here’s an example of such a warning from Protonmail:
As part of your company’s security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team.
However, it’s not safe to rely on your email provider. A 2018 Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:
- All except one of the email providers allowed fraudulent emails to reach users’ inboxes.
- Only eight of the providers displayed a warning about suspicious emails in their web apps.
- Only four of the providers displayed such a warning in their mobile apps.
As noted by the Virginia Tech study, email providers often allow fraudulent emails through their filters — even when they fail authentication.
But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands.
For example, SPF lets a domain owner list which email servers are authorized to send emails from its domain. And DMARC enables domain owners to specify whether recipient mail servers should reject, quarantine, or allow emails that have failed SPF authentication.
So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name.
But as the recipient, you can’t control whether the domain owner has correctly set up its authentication records. You certainly don’t want your cybersecurity strategy to be dependent on the actions of other organizations.
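To make the SPF and DMARC point concrete, here is an added example (not from the article) that reads a sending domain’s published records and works out what a DMARC-enforcing receiver would do with a message that spoofs that domain. The TXT records for weak.example and strict.example are constructed: the first shows the permissive settings that leave a domain open to spoofing, the second the hardened settings a domain owner should publish.

```python
import re

# Constructed DNS TXT records for two hypothetical sending domains (not from the
# article). weak.example publishes permissive records; strict.example publishes
# the hardened records a domain owner should aim for.
TXT_RECORDS = {
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.strict.example": "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@strict.example",
}

def spf_all_qualifier(record):
    """Qualifier on SPF's 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass; None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", record)
    return (m.group(1) or "+") if m else None   # a bare "all" means "+all"

def dmarc_tags(record):
    """Parse a DMARC record's 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, records=TXT_RECORDS):
    """Return (weaknesses, disposition): weaknesses in the domain's published
    records, and what a DMARC-enforcing receiver does with a message that spoofs
    the domain and fails DMARC (no aligned SPF or DKIM pass)."""
    weaknesses = []
    qualifier = spf_all_qualifier(records.get(domain, ""))
    if qualifier in (None, "+", "?"):
        weaknesses.append("SPF does not fail unauthorized senders")
    elif qualifier == "~":
        weaknesses.append("SPF only softfails unauthorized senders")
    tags = dmarc_tags(records.get(f"_dmarc.{domain}", ""))
    if tags.get("v") != "DMARC1":
        weaknesses.append("no DMARC record")
        return weaknesses, "deliver"   # the receiver has no policy to apply
    disposition = tags.get("p", "none")
    if disposition == "none":
        weaknesses.append("DMARC p=none: receivers only report, they do not block")
        disposition = "deliver"
    return weaknesses, disposition
```

To check a real domain, replace TXT_RECORDS with the output of a DNS TXT lookup for the domain and for `_dmarc.` + the domain; the logic is the same.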
Email security software
Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address — and it might contain the same branding, tone, and content you’d expect from the supposed sender.
This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren’t good at spotting the subtle and technical indicators of a well-planned email spoofing attack. Neither are legacy solutions like Secure Email Gateways or native tools like spam filters.
The best approach to tackling spoofing — or any social engineering attack — is intelligent technology. Email security solutions powered by machine learning (ML) automate the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective.