How to Protect Your Email Address from Spoofing
Hypothetically speaking, let’s say you receive an email that looks like it’s from your boss, your email service provider, maybe even your best friend.
You’d naturally be inclined to open it, right? Think again.
When you open an email that’s crafted to look like it came from someone you trust, consider yourself “email spoofed.” Email spoofing refers to the sending of email messages with a forged “from” address. This is a common tactic that cyber scammers use to gain the trust of their victims — a.k.a., you.
Recent studies suggest almost 30,000 email spoofing attacks take place each day, but the fact that spoofing is everywhere does not mean it shouldn’t be taken seriously. Cybercriminals know you’re more likely to engage with trusted email content, whether that’s clicking on a link or opening an attached file, and that makes it way easier for them to pull off a successful scam. And by pretending to be someone you know or are familiar with, these scammers can ultimately trick you into handing over vital info such as your credit card details, social security information, and more.
So, what do spoofers want, and how do you protect your email address from being spoofed in the future? That’s why we’re here: to impart some easy and practical ways to stay safe.
What spoofers want
While the true intentions may vary from case to case, the perpetrator ultimately wants to do some kind of damage, such as:
- Convincing you to send money online
- Convincing you to provide your login/password details
- Getting you to give away sensitive business and personal information
In some instances, though, the intent is highly personal. Well-spoofed emails can gain access to their target’s computer data, business contacts, even their social media accounts. Ever see those Instagram stories where someone says their Instagram account was hacked? Case in point.
Ultimately, email spoofing is disruptive and malicious by nature. And once a bad actor has fooled their recipient, they can run wild and do various damage along the way.
How to combat email spoofing
- Use a subdomain. If you send any emails using a subdomain, it’s way harder to spoof your email. For example, we recommend using @help.yourcompany.com instead of @yourcompany.com.
- Use anti-malware software. Anti-malware software can help to prevent email spoofing by identifying, then blocking, suspicious websites and detecting spoofing attacks. Once the software has identified a suspicious sender or email, it can stop the spoofed email from ever reaching your inbox.
- Use email spam filters. It’s common for email service providers to include spam filters, like Namecheap’s Jellyfish, so you can rest a little easier knowing that any email deemed suspicious is automatically thrown into the spam folder.
- Use a reverse IP lookup. To verify the real sender of an email you’ve received, use a reverse lookup tool to identify the domain name associated with the IP address. If the IP address is different from where the email supposedly came from, you’re looking at an email spoofing attack.
- Protect your password. Hate remembering multiple passwords for multiple accounts? Turn to Dashlane or RememBear. When a strong password just isn’t enough, consider Two-Factor Authentication. Namecheap has a few Two-Factor Authentication options for free such as U2F service, TOTP, and OneTouch (SMS).
- Audit your email. Domain-based Message Authentication, Reporting & Conformance (DMARC) is used to check the credentials of an email. DMARC lets email senders and receivers figure out whether a message is from a legitimate sender and how to treat the email if it’s not.
If we’re getting technical, part of the DMARC process involves the Sender Policy Framework (SPF), which authenticates sent messages. If the sent message fails to pass the SPF test, it will fail the DMARC process and be rejected.
DMARC also uses the DomainKeys Identified Mail (DKIM) method for message authentication. DKIM allows you to establish greater trust by preventing spoofed emails from being sent as outgoing messages from your domain. If a sent message doesn’t pass the DKIM test, it will also fail DMARC and be rejected.
Are you a Namecheap DNS customer? Learn how to add SPF, DKIM, and DMARC records to your domain name.
In our increasingly digital world, the threat of email spoofing and phishing is all too real.
And because emails are still the primary route for cyberattacks, one wrong click on the wrong link or attachment can lead to a whole slew of problems.
Cybercriminals are always coming out with new ways to scam people and businesses, and the most valuable currency to them is your information. Whether it’s personal or business-related, it’s crucial to do everything you can to keep it out of cybercriminals’ hands.
Have you been email spoofed? Let us know about your experience in the comments below.