Have your friends received an email from you that they thought was spam? Or worse, a virus or malware? Your first thought may be that your email has been hacked! But before you panic, take a closer look at the details. Because your email address may have been spoofed. It can even happen to you, resulting in emails ending up in your mailbox that seem to have been sent by yourself.
What is email spoofing?
First of all, spoofing is more common than most people think. It basically means that the sender of an email is not who they pretend to be. Using external mail servers and special software, spoofers can easily forge any email address without ever accessing the account. Because spoofed emails often come from trusted sources such as friends, relatives or official institutions, they are harder to detect. Spoofing is commonly used with phishing, where you are asked to provide personal details or sensitive data or to transmit viruses and other malware.
Does spoofing mean I got hacked?
No, there is a huge difference between being spoofed and your email being hacked. The latter is far more worrisome, as it means that someone actually gained access to your emails by;
- Accessing your computer manually.
- Using malicious software, which can then be spread through your social networks.
- Accessing your email provider by using your password.
- Hacking into your email providers mail server.
With email spoofing, nobody actually accessed your account. All they did was forge your email address. Email spoofing becomes a problem when the people who receive the emails fall for it and reveal details such as passwords, credit card info or if the spoofed email contains malicious software, which enables hackers to access the computer.
Is there anything to prevent email spoofing?
To deal with the increasing number of spam and scams at the beginning of the century, a Sender Permitted Form or Sender Policy Framework (SPF) was established in 2004. The SPF is supposed to help mail servers verify that an IP address, the unique number with which computers are identified on the internet, is actually authorized to send emails on behalf of a specific domain such as @energise.co.nz.
Over the last few years, most of the big players on the internet such as Gmail, Yahoo or Facebook have implemented the latest technology to tighten their security standards to decrease the amount of phishing, spam and spoofing emails. It has been partially successful, but more than half of all internet users still receive at least 1 phishing email per day
How to protect yourself
Vigilance is the key. Make sure you have a functional antivirus and anti-malware software installed as well as a firewall and router with the right configuration. With any email you receive, always double-check the sender and look for signs that the message might be forged before opening it or clicking any links.
In order to prevent your personal email address from being spoofed, the first step is to keep it private. Don’t reveal it online where it can be copied and misused. Obviously, this isn’t so easy for business emails that we want to be more accessible! If you do suspect you have been hacked, check your SEND folder for suspicious activity. You can also find out if your emails have been compromised in a known data breach through Have I Been Pwned.
Use the strongest settings to ensure tests such as the SPF match are carried out. Most spoofing, spam and phishing emails can be filtered out that way.
Check header information
Spelling mistakes in the sender’s email address such as switched letters are a sure giveaway that something is not right. You can also double-check if the sender’s details are the same as in the past, for example, does their full name show?
Check the language
Your friend has sent you an email that just doesn’t sound like him/her? Bad spelling and grammar are another sign of spoofing. If in doubt, call your friend or the institution the message is supposedly from and ask for confirmation.
Never open attachments
Always double-check with the sender using a different medium to see if they actually meant to send what they did.