HOW FRAUDSTERS SPOOF EMAIL ADDRESSES
Email spoofing lets scammers forge sender details without hacking any accounts. Learn how it works, why email allows it, and how to protect yourself with the trust-but-verify rule.
2025-12-19
Last Thursday, a founder approved a payment request that came from his own CFO's email address.
Same name. Same photo. Same signature.
The CFO never sent it.
This is email spoofing, and it's one of the most misunderstood tricks scammers use.
What spoofing actually means
Spoofing doesn't mean hackers broke into the account. It means they forged the sender details so the email appears to come from someone you trust.
Think of it like writing a fake return address on an envelope. The mail still gets delivered. The postal service doesn't verify that you actually live at the address you wrote in the corner.
Email works the same way.
When you receive an email "from" your CEO, your inbox displays whatever name and address the sender claimed. Without additional verification, there's no built-in check that the message actually originated from that person.
The display name (what you see): John Smith, CFO
The "From" address (what you might check): john.smith@yourcompany.com
The actual sender (hidden in headers): scammer@malicious-domain.net
Most people never look past the display name. Scammers count on this.
Why email allows this
Email was invented in the 1970s for a small network of trusted researchers. Identity verification wasn't a concern because everyone knew everyone.
The core protocol, SMTP (Simple Mail Transfer Protocol), was designed for reliability, not security. It assumes good faith. When you send an email, you simply declare who you are, and the system believes you.
This made sense when email connected a few hundred academics. It's a fundamental vulnerability when email connects billions of strangers.
Decades of patches and additions have tried to fix this, but the underlying architecture remains trusting by default.
How fraudsters exploit it
Spoofing is technically simple. Free tools and scripts can send emails claiming to be from any address. The skill isn't in the sending; it's in the targeting.
Executive impersonation: Scammers spoof the CEO or CFO to request urgent wire transfers from finance teams. The email looks internal, feels authoritative, and creates pressure to act fast.
Vendor impersonation: Attackers send invoices that appear to come from real suppliers, with updated bank details. The victim pays the invoice to the scammer's account.
IT department spoofing: Messages claiming to be from internal IT request password resets or credential verification, harvesting login information.
Client impersonation: Fake emails from apparent clients request sensitive documents, project files, or payment information.
The common thread: the scammer borrows the trust you've built with real people and organisations.
The authentication layer: SPF, DKIM, and DMARC
You don't need to memorise these acronyms. Just understand what they do together.
They answer one question: "Is this sender allowed to send email as this domain?"
SPF (Sender Policy Framework)
SPF lets a domain publish a list of servers authorised to send email on its behalf. When an email arrives claiming to be from @company.com, the receiving server can check: did this come from a server company.com has authorised?
If not, the email fails SPF.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. The domain publishes a public key in its DNS records. Receiving servers use this key to verify the signature.
If the signature doesn't match, or the email was modified in transit, DKIM fails.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when emails fail authentication: accept them anyway, quarantine them, or reject them outright.
DMARC also provides reporting, so domain owners can see who's trying to send email as their domain.
When these checks fail
When SPF, DKIM, and DMARC are properly configured with strict policies, spoofed emails get rejected before reaching the inbox.
But here's the problem:
- Many organisations haven't configured these records at all
- Others have configured them incorrectly
- Some set DMARC to "monitor only" mode and never enforce it
- Email providers vary in how strictly they honour these policies
When those checks are missing or misconfigured, scammers step in. They spoof executives. They spoof vendors. They spoof finance teams. And the inbox often accepts it quietly.
The trust-but-verify rule
Technical defences help, but they're not foolproof. The most reliable protection is behavioural.
If an email asks you to move money, share credentials, or act urgently, verify it outside the inbox.
This means:
Call the sender. Use a phone number you already have, not one provided in the email. A thirty-second call can prevent a five-figure loss.
Message them on Slack or Teams. If your organisation uses internal messaging, confirm the request there. A spoofed email can't fake a Slack DM from a verified account.
Start a new email thread. Don't reply to the suspicious message. Compose a fresh email to the person's known address and ask about the request.
Walk to their desk. If you're in the same office, a face-to-face confirmation takes less time than recovering from fraud.
Spoofed emails rely on one thing: you trusting the name at the top of the message. Break that assumption, and the attack fails.
How to check if you're protected
Want to know if your domain is protected against spoofing? Here's what to check:
For your own domain
Use a DMARC lookup tool to see your current configuration. You're looking for:
- SPF record exists and lists your legitimate email servers
- DKIM is configured for your email provider
- DMARC policy is set to "quarantine" or "reject" (not just "none")
If your DMARC policy is "p=none," you're monitoring but not protecting. Spoofed emails will still be delivered.
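What a DMARC lookup tool does for the SPF, DKIM and DMARC section above and for the checklist here can be shown in a few lines of Python. This is an added example, not the article's or any vendor's code: the TXT records below are constructed samples standing in for DNS lookups of `<domain>` (SPF) and `_dmarc.<domain>` (DMARC), and the domain names are placeholders. Note that SPF is evaluated against the envelope sender (the Return-Path), not the From header you see; DMARC's alignment requirement is what ties the two together.

```python
"""Read a domain's SPF and DMARC TXT records and decide whether they actually
enforce anything. Added example, not the article's code: the records below are
constructed samples standing in for DNS lookups of `<domain>` (SPF) and
`_dmarc.<domain>` (DMARC)."""

# Constructed sample records; in practice, fetch these TXT records from DNS.
SAMPLE_RECORDS = {
    "good.example": (
        "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    ),
    "monitor.example": (
        "v=spf1 include:_spf.mailprovider.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    ),
    "bare.example": (None, None),
}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs plus the qualifier
    on the final 'all' term; returns None when no valid SPF record exists."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        qualifier = "+"  # SPF's implicit default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict with lower-case tags."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_record, dmarc_record):
    """Return (protected, findings). A domain counts as protected only when SPF
    fails or soft-fails unlisted servers AND DMARC enforces quarantine/reject
    on 100% of failing mail. Findings list every gap, including ones (such as
    a missing rua= tag) that cost visibility rather than enforcement."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    spf_enforces = spf is not None and spf["all"] in ("-", "~")
    if spf is None:
        findings.append("no SPF record: any server can use this domain as envelope sender")
    elif not spf_enforces:
        findings.append(f"SPF 'all' qualifier is {spf['all']!r}: unlisted servers are not failed")

    dmarc_enforces = False
    if dmarc is None:
        findings.append("no DMARC record: receivers get no instruction for failing mail")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        dmarc_enforces = policy in ("quarantine", "reject") and pct == 100
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("no rua= tag: aggregate reports will not be received")

    return spf_enforces and dmarc_enforces, findings


if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        protected, findings = assess_domain(spf_txt, dmarc_txt)
        print(f"{domain}: {'protected' if protected else 'NOT protected'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it against the three constructed domains shows the spectrum the article describes: `good.example` enforces, `monitor.example` has records but only watches, and `bare.example` has nothing at all. Swap in a real resolver (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) to point it at your own domain.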
For incoming emails
When you receive a suspicious message:
- View the full email headers (in Gmail: three dots → "Show original")
- Look for SPF, DKIM, and DMARC results
- Check if the "Return-Path" matches the "From" address
- Look for mismatched domains in the authentication results
This takes practice, but it reveals whether an email actually came from where it claims.
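The header checks listed above, and the three-layer picture of display name, From address and actual sender from earlier in the article, can be automated with Python's standard `email` module. This is an added example, not the article's code. RAW_MESSAGE is a constructed sample reusing the article's yourcompany.com and malicious-domain.net names; the receiver name mx.receiver.example and the Reply-To domain are invented placeholders.

```python
"""Pull the sender identities and authentication verdicts out of raw email
headers and flag the mismatches worth checking. Added example, not the
article's code; RAW_MESSAGE is a constructed sample."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the From header claims the CFO, but the envelope sender
# (Return-Path) and the receiver's authentication results say otherwise. SPF
# passes because the scammer's own domain is in the envelope; DMARC alignment
# against the From domain is what fails.
RAW_MESSAGE = """\
Return-Path: <bounce@malicious-domain.net>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=malicious-domain.net;
 dkim=none; dmarc=fail (p=none) header.from=yourcompany.com
From: "John Smith, CFO" <john.smith@yourcompany.com>
Reply-To: john.smith.cfo@webmail-lookalike.example
To: founder@yourcompany.com
Subject: Urgent wire transfer
Date: Fri, 19 Dec 2025 09:12:00 +0000

Please process the attached invoice today.
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(header_value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header_value.lower()):
        results.setdefault(method, verdict)
    return results


def inspect_headers(raw):
    """Compare display name, From, Return-Path and Reply-To, and read the
    receiver's authentication verdicts. Returns a dict whose 'flags' list is
    empty when nothing looks inconsistent."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    flags = []
    from_domain = domain_of(from_addr)
    if return_path and domain_of(return_path) != from_domain:
        flags.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_domain}")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To sends replies to {domain_of(reply_to)}, not {from_domain}")
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            flags.append(f"{method}={verdict}")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "return_path": return_path,
        "reply_to": reply_to,
        "auth": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    report = inspect_headers(RAW_MESSAGE)
    print(f"Display name : {report['display_name']}")
    print(f"From address : {report['from_address']}")
    print(f"Return-Path  : {report['return_path']}")
    for flag in report["flags"]:
        print(f"  FLAG: {flag}")
```

Paste the output of Gmail's "Show original" (or any client's raw-headers view) into RAW_MESSAGE to inspect a real message. The sample deliberately passes SPF: that is the common case where a scammer controls the envelope domain, and it is why the DMARC verdict and the Return-Path/From comparison matter more than SPF alone.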
Red flags that suggest spoofing
Beyond technical checks, watch for these patterns:
Urgency without context: "Wire this today" with no explanation of why it can't wait
Unusual requests from familiar senders: Your CEO has never emailed you directly about payments before. Why now?
Requests to bypass normal procedures: "Keep this confidential" or "Don't verify with anyone else"
Reply-to address differs from sender: The email appears to come from one address but replies go elsewhere
Slight variations in email addresses: @company.com vs @cornpany.com (m vs rn)
Tone or style that feels off: Even subtle differences in how someone writes can signal impersonation
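The @cornpany.com red flag above is a confusable-character lookalike, and the same trick extends to digits for letters (0 for o, 1 for l) and one-letter typos. The following added example, not the article's code, folds such sequences to a canonical form and measures edit distance so a lookalike can be classified automatically; the confusable table and the protected-domain list are constructed for illustration.

```python
"""Classify a sender's domain against a list of domains you trust: exact match,
visually confusable (rn for m, 0 for o), one-edit typo, or unrelated. Added
example, not the article's code; the confusable table is constructed and not
exhaustive."""
import unicodedata

# Character sequences that render nearly identically in common fonts, folded
# to a canonical form before comparison. Constructed for this example.
CONFUSABLE_SEQUENCES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def normalise(domain):
    """Lower-case, strip accents (so 'é' becomes 'e') and fold confusable
    sequences, so visually similar domains compare equal."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for sequence, canonical in CONFUSABLE_SEQUENCES:
        folded = folded.replace(sequence, canonical)
    return folded


def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def classify_domain(candidate, protected_domains):
    """Return (verdict, matched_domain); verdict is 'legitimate', 'confusable',
    'typosquat' or 'unrelated'. Both sides are normalised before comparing."""
    candidate = candidate.lower()
    if candidate in protected_domains:
        return "legitimate", candidate
    norm_candidate = normalise(candidate)
    for protected in protected_domains:
        norm_protected = normalise(protected)
        if norm_candidate == norm_protected:
            return "confusable", protected
        if edit_distance(norm_candidate, norm_protected) <= 1:
            return "typosquat", protected
    return "unrelated", None


if __name__ == "__main__":
    # Constructed protected list and sample senders for demonstration.
    protected = {"company.com", "yourcompany.com"}
    for sender in ["company.com", "cornpany.com", "c0mpany.com", "compamy.com", "example.org"]:
        print(sender, "->", classify_domain(sender, protected))
```

Run the sender domain of each external message through `classify_domain` with your own domains (and your key vendors' domains) as the protected set; anything that comes back "confusable" or "typosquat" deserves the out-of-band verification the article recommends.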
Protecting your organisation
If you manage email for a business, take these steps:
Configure authentication properly
Implement SPF, DKIM, and DMARC with enforcement. Start with monitoring (p=none), review reports to ensure legitimate email isn't affected, then move to quarantine and eventually reject.
Enable external email warnings
Most email systems can add banners to messages from outside your organisation. This visual cue reminds employees to be cautious with external requests.
Train your team
Regular awareness training reduces successful social engineering. Focus especially on finance teams, executive assistants, and anyone handling payments.
Establish verification procedures
Create clear policies requiring out-of-band confirmation for sensitive actions. Document them, train on them, and enforce them without exceptions.
Monitor for impersonation
Use DMARC reports to see who's attempting to spoof your domain. Consider domain monitoring services that alert you to lookalike domains being registered.
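The rollout advice above (start at p=none, read the reports, then tighten) depends on actually reading DMARC aggregate reports, which arrive as XML at the rua= address. This added example, not the article's or any vendor's code, summarises one such report so you can see which sources pass, which fail, and how much failing mail a p=none policy let through. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate layout; the IPs are documentation ranges and the reporter name is a placeholder.

```python
"""Summarise a DMARC aggregate (rua) report: which source IPs send as the
domain, how many messages passed or failed, and how much failing mail was
delivered because the policy was p=none. Added example, not the article's code;
SAMPLE_REPORT is constructed."""
import xml.etree.ElementTree as ET

# Constructed aggregate report: a legitimate provider (all pass), an unknown
# source spoofing the domain (all fail), and a legitimate source whose SPF
# path is broken but whose DKIM signature still aligns.
SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip>
      <count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Aggregate message counts by DMARC outcome. A record passes DMARC when
    either its aligned DKIM or its aligned SPF result is 'pass'."""
    # Reports come from third parties; parse them with defusedxml in production.
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": policy,
        "total": 0,
        "passing": 0,
        "failing": 0,
        "failing_sources": [],
    }
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":
            summary["passing"] += count
        else:
            summary["failing"] += count
            summary["failing_sources"].append((row.findtext("source_ip"), count))
    # Under p=none the failing mail was delivered anyway; this is the volume an
    # enforcing policy would have quarantined or rejected.
    summary["delivered_despite_failure"] = summary["failing"] if policy == "none" else 0
    return summary


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['passing']} pass, {s['failing']} fail of {s['total']}")
    for ip, count in s["failing_sources"]:
        print(f"  failing source {ip}: {count} messages")
    print(f"  delivered despite failure: {s['delivered_despite_failure']}")
```

The third record is the case the rollout advice warns about: a legitimate sender that fails SPF but passes DKIM still passes DMARC, so it is safe to tighten the policy; the second record is the unknown source a quarantine or reject policy would have stopped. Real reports arrive gzip- or zip-compressed as mail attachments, so in practice you decompress them before handing the XML to `summarise_report`.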
What Ṣọ Catches
Email providers check SPF, DKIM, and DMARC—but their responses vary, and many spoofed emails still get through when authentication is improperly configured or when attackers use lookalike domains instead of direct spoofing.
Ṣọ Email Security adds protection that goes beyond authentication:
- Sender verification that flags impersonation attempts even when they pass basic checks
- Domain analysis that catches lookalike addresses designed to deceive
- Header inspection that reveals mismatches between display names and actual senders
- Real-time alerts before you act on a fraudulent message
Authentication stops obvious spoofing. Ṣọ stops the sophisticated attempts designed to slip through.
The bottom line
Email spoofing exploits a fundamental weakness in how email works. Scammers don't need to hack accounts—they just need to claim an identity and hope you believe them.
Technical protections like SPF, DKIM, and DMARC help when properly configured. But the most reliable defence is human verification.
Your takeaway today: Never trust an email because of who it appears to be from. Trust it only after you verify the request.
The name at the top of a message proves nothing. A phone call proves everything.