Email spoofing: How brand impersonation really works

Anatomy of an email spoofing scam

Ever wondered how email spoofing actually works? Check out how bad actors use brands to abuse the inbox in this infographic.

Click to view a larger graphic

What is email spoofing and brand impersonation?

Email spoofing is a form of phishing in which scammers send fraudulent emails designed to look like they came from a trustworthy, recognizable brand. The goal is to collect account credentials, financial information, or other data that lets cybercriminals carry out dirty deeds like identity theft. A spoofed email could also contain malware or ransomware that gets installed on the victim’s device.

You may hear the term “domain spoofing” used in a similar context. That’s because bad actors impersonate sending domains and websites.

How email spoofing works

After receiving a malicious email, recipients are urged to click a link that takes them to a webpage, which is also designed to look like the real thing. These fake webpages are often very convincing login pages where unsuspecting victims enter account credentials. Bad actors may also persuade people to reveal other sensitive data such as bank account information or credit card numbers.

Here’s a fake PayPal login page. It’s probably hard to tell the difference between the design of the phishing website and PayPal’s real login page. But take a closer look at the URL in the address bar. That’s a little fishy (or phishy) with those double dashes. Yet it could be easy to miss.

Fake PayPal login page for brand spoofing

All a scammer needs are some basic design tools and your logo. Then it’s awfully easy to spoof your brand and fool your customers or employees. Yes, you should be concerned about spoofing’s negative impact inside your organization too.

Mailgun was able to thwart an SMS phishing attack, which attempted to spoof a brand that provides a service that everyone in the company uses. Unfortunately, other organizations aren’t always as vigilant about cybersecurity.

Many times, an email spoof will contain a sender name or domain name that is close to but not quite the same as your brand’s. For example, it may include hyphens in places where they wouldn’t normally be (mail-jet.com).

However, if a cybercriminal is able to hack SMTP passwords or access your secret API keys, they can literally send as your brand. In this case, they’ve essentially hijacked your email program. And that could be a major disaster.

Which brands are most likely to get spoofed?

Scammers do have some favorite targets for brand impersonation. Microsoft and LinkedIn top the list of most spoofed brands. Fintech companies and financial institutions in general are frequently spoofed. The same goes for ecommerce companies like Amazon as well as shipping and logistics companies like DHL. Social media and software as a service (SaaS) brands are also phishing favorites.

There’s one thing these different types of brands have in common: They all send a lot of transactional emails. That includes order confirmations, password resets, billing, and account creation emails. These kinds of communications are often used in spoofing because they deal with the kinds of sensitive information bad actors want.

An example of Amazon brand spoofing

There are a few telltale signs of phishing in the fake Amazon email:

• Sender name: “Amazon Head Office” sounds totally made-up.

• Sender address: It’s not even related to the brand.

• Subject line: The scammer tried to use the brand/sender’s name here instead, which isn’t normal.

• Sense of urgency: Presenting a problem that needs to be fixed is a common way to get people to click. Ironically, fraudsters use fake fraud alerts often.

• Link text: It says amazon.com, but that’s not where it will take you.

This Amazon brand impersonation attempt counts on the possibility that the recipient has an active Amazon order. Of course, a lot of people will be waiting for an order. To hit a payday, all scammers need is one person to fall for the spoof.

Of course, you don’t have to be a Fortune 500 company to become the target of brand spoofing. Security experts say that smaller brands are vulnerable because they are less likely to have the right email authentication protocols in place.

We’re not immune either. Scammers have even tried spoofing Mailjet in an attempt to fool our customers.

As you can see, this phishing attempt aimed to get people to enter credit card information. When we found out about this, we quickly took steps to alert and educate our subscribers about the threat.

How to stop email spoofing

There is some good news. Thankfully, there are ways to fight back against bad actors trying to impersonate your brand. Here are some of the tips you’ll find in Mailgun’s email security guide:

1. Use strong email authentication

Email authentication helps mailbox providers like Gmail, Outlook, and Apple Mail identify fraudulent emails and decide what to do with them.

This means using SPF (Sender Policy Framework) and setting up DKIM (Domain-keys Identified Mail). But the best way to stop email spoofing is to use DMARC (Domain-based Message Authentication, Reporting, and Conformance) with a policy set to either quarantine or reject.

If you plan to start using Mailjet as your new ESP, you’ll find information on setting up authentication in our help center.

2. Protect and update SMTP credentials and API keys

If bad actors can crack SMTP passwords or gain access to your API keys, then even email authentication won’t stop spoofing. That’s because they’ll be able to send as your domain.

Protecting SMTP credentials and API keys should be a top priority for email security. Update them regularly and never share them. Mailjet users can find out how to update API keys here.

3. Use multifactor authentication

Multifactor authentication (MFA) provides an additional layer of security. If your customers log in to access their accounts or use your application, multifactor or two-factor authentication (2FA) helps mitigate the impact of phishing emails. This way, even if a bad actor obtains account credentials, they can’t get in without access to the user’s mobile device or email.

To protect employees, consider implementing Single Sign-on (SSO) or Security Assertion Markup Language (SAML) as a company-wide security solution.

4. Educate employees and subscribers about the risks

Many organizations have annual email security training for all employees. However, teaching your customers about email spoofing can help keep them safe while protecting your brand’s reputation.

If there’s certain information your company never asks for via email communication, make sure your subscribers know that. If you learn about phishing attempts that impersonate your brand, tell your customers about them.

The security experts at Mailgun say being proactive is a good idea. But if you do get spoofed, you should use it as an opportunity to maintain and regain trust in your brand.

Why you can trust us with email security and compliance

Mailjet and Sinch Mailgun are committed to providing our customers with best-in-class security. We’re also serious about data privacy, including strict adherence to GDPR compliance. That’s why we have ISO certification and SOC 2 Type II security audits for both brands.

The bottom line? This means you can send from our platforms knowing that we’re working to protect your privacy as well as the people on your email lists.

Find out more about what makes Mailjet a secure email solution as well as how Mailjet protects your data.