What Is Domain Spoofing?
Domain spoofing is a common phishing technique where an attacker impersonates a company domain, posing as either the company itself or a specific employee. They do this by “spoofing” an email header’s contents, so the email looks as though it has come from another location.
This is done with the aim to acquire personal or sensitive information from the target, or for financial gain. Targets can be tricked into giving log-in credentials, payments for invoices, and company data, either by directly responding to the sender with information or clicking a malicious link. This can cause widespread and irreparable damage to the company and, potentially, its clients.
How Does Domain Spoofing Work?
Mimecast reported a 64% rise in email threats in 2020, as attackers took advantage of the global shift to working remotely, making email-based attacks on companies one of the more pressing problems. If that’s the case, how does email domain spoofing work?
There are three types of domain spoofing: email, website, and IP.
To explain how email spoofing works, we first need to look at how an email is put together. Emails are made up of many parts, but only three are relevant here:
- The envelope: this tells the email server who the sender and the receiver are. This part is usually not seen by the recipient.
- The header: this part contains all the metadata, which includes sender name and email address, subject, date and time stamps, and a replying address. This part is visible to the recipient.
- The body: the email’s contents.
In a domain spoofing attempt, the attacker will “spoof” the header part of the email, making it appear that the email has come from a different source.
The “From”, “Reply-To”, and “Return-Path” headers in an email can all be forged if technical controls are not in place or are not configured properly. It’s these headers that determine which sender name and address the recipient sees.
We’ll look at steps you can take to prevent email spoofing attacks from hurting your business later in this article.
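The point above, that the visible “From” can disagree with “Reply-To” and “Return-Path”, is easy to check for. The following is an added example (not code from the original article): it parses two constructed messages with Python's standard library and reports when the Reply-To or Return-Path domain differs from the From domain. The addresses and the look-alike domain example-invoices.net are made up for the illustration.

```python
"""Check the sender-related headers of a message for domain mismatches.

Added example (not from the original article): it parses a constructed
phishing-style message with Python's standard library and reports when the
Reply-To or Return-Path domain does not match the From header's domain.
"""
import email
from email.utils import parseaddr

# Constructed sample: the visible From claims example.com, but replies and
# bounces are routed to a look-alike domain the attacker controls.
# (Return-Path is normally written by the receiving server from the SMTP
# envelope sender, so it reflects the envelope rather than the header.)
SPOOFED_RAW = """\
From: "Finance Team" <finance@example.com>
Reply-To: finance-desk@example-invoices.net
Return-Path: <bounce@mailer.example-invoices.net>
To: employee@example.com
Subject: Urgent: overdue invoice

Please pay the attached invoice today.
"""

# Constructed sample of a consistent, legitimate-looking message.
CLEAN_RAW = """\
From: "Finance Team" <finance@example.com>
Return-Path: <finance@example.com>
To: employee@example.com
Subject: Monthly statement

Your statement is attached.
"""


def header_domain(msg, name):
    """Return the lower-cased domain of the address in header `name`, or None."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def spoof_indicators(raw):
    """Return a list of human-readable findings about mismatched sender headers."""
    msg = email.message_from_string(raw)
    from_domain = header_domain(msg, "From")
    findings = []
    if from_domain is None:
        findings.append("From header missing or has no parseable address")
        return findings
    for name in ("Reply-To", "Return-Path"):
        other = header_domain(msg, name)
        if other is not None and other != from_domain:
            findings.append(f"{name} domain '{other}' differs from From domain '{from_domain}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(label, spoof_indicators(raw) or ["no mismatch found"])
```

A mismatch is an indicator rather than proof: mailing-list software and third-party senders legitimately use different Return-Path domains, which is exactly why the authentication protocols discussed later in the article exist.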
What Is The Difference Between Domain Spoofing And Domain Impersonation?
While the two can appear to be exactly the same, they refer to two similar-looking but distinct phishing tactics. Domain impersonation refers to attackers impersonating an individual or business by registering similar-looking domains and using them to interact with their targets.
Relying on social engineering, attackers will pay for domains that look legitimate at first glance but on closer inspection are slightly different. This can be done by adding extra characters, swapping characters around in a domain, or subtly adding in full stops.
It’s less sophisticated and technical than domain spoofing, but no less damaging. Read our blog here on domain impersonation for a more in-depth analysis of what it is, how it works, and how you can prevent impersonation-based phishing attacks.
Domain Spoofing And Its Impact
Domain spoofing is a form of phishing attack – one of the most harmful email threats around today. Since March 2020, 81% of organizations have seen an increase in phishing attacks. But in what ways does domain spoofing negatively impact companies?
- Loss of company data: A common form of domain spoofing-based phishing is to trick end-users into handing over company data or money. This is usually done by the attacker sending a fake invoice from a spoofed domain, accompanied by the sender insisting that the matter is urgent so the end-user bypasses the usual channels for authorizing payments. Feeling pressured, unwitting employees then pay the invoice. These breaches are costly, with IBM putting the average financial loss of a data breach at around $3.8 million.
- Stolen credentials: Aside from asking for data and information directly, particularly savvy attackers will send fake log-in pages from spoofed domains for end-users to “log in” to, giving them access to log-in credentials. This leads to data being stolen or leaked, which can also become very costly, as well as causing embarrassment that can hurt your brand.
- Malware: Emails from spoofed domains often deliver malicious attachments, or URLs hosted under fake domains, to employees. Once opened, devices can become infected by malware or ransomware. Expensive to remedy, installed malware can prove difficult to remove, especially if the malware in question is designed to stage follow-up attacks.
How To Prevent Domain Spoofing Phishing Attacks
Having The Correct Controls Configured
As spoofing is a technological problem with email, luckily there are some technological solutions for it. It mainly lies in making sure that the right protocols are in place and are configured correctly.
Spoofing is common and successful because Simple Mail Transfer Protocol (SMTP) doesn’t provide recipients with sender address authentication. SMTP is the basic standard that servers use to send emails to accounts using different email clients. It’s used by most email clients, including Outlook and Apple Mail. Its widespread use – and its fallibility – makes adding extra defensive measures to your email client a key step in preventing employees from falling prey to domain spoofing phishing attacks.
So to make sure spoofed emails are flagged and dealt with accordingly, it’s good to make sure these protocols are in place and configured correctly:
- DomainKeys Identified Mail (DKIM): Essentially an email authentication protocol, DKIM helps the recipient verify that the sender is who they say they are. DKIM adds a cryptographic digital signature to each message, which the receiving server can verify. This form of verification is not usually visible to end-users, but it can be seen by admins.
- Sender Policy Framework (SPF): This protocol validates the server that sent the email. It lets domain managers authorize the individual hosts allowed to send mail for their domain. This list of approved hosts is published in DNS and is used to verify the sending server.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC is an email authentication, policy, and reporting protocol. It authenticates an email by checking that the DKIM and SPF results align with the domain in the From header. It works in two ways: reporting and enforcing. DMARC can request authenticity verification, alerting admins to spoofed email domains in real time and preventing the message from reaching the recipient’s inbox.
- Sender ID (SID): A protocol created and used to detect spoofing, Sender ID takes the received SMTP header (i.e. the part of the email that can’t be spoofed) and queries the DNS records for the sender’s domain to find out whether the email is coming from a spoofed address.
With all these controls in place, admins can detect emails from spoofed domains in real time. From there, they can react accordingly, starting with blocking that email address and alerting employees.
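To make the DMARC “alignment” step concrete, here is an added example (not code from the original article, and not any vendor’s implementation) of the decision a receiving server makes once SPF and DKIM have been evaluated: does at least one of them pass for a domain that aligns with the From header, and if not, which policy from the domain’s DMARC record applies? The SPF and DKIM results are assumed to have been computed already; the organizational-domain derivation takes the last two labels, which is a simplification (real implementations consult the Public Suffix List). The domains example.com and example-invoices.net are constructed for the scenarios.

```python
"""Simplified DMARC evaluation: does SPF or DKIM pass *and* align with From?

Added example (not from the original article). It assumes the SPF and DKIM
results have already been computed by the receiving server and only
implements the alignment and policy logic DMARC layers on top of them.
Organizational domains are derived by taking the last two labels, which is
a simplification: real implementations consult the Public Suffix List.
"""


def org_domain(domain):
    """Approximate the organizational domain (simplification, see module doc)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment matches organizational domains; strict ('s') requires an exact match."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt):
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, policy_to_apply) for one message.

    spf_domain is the envelope sender (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the signature that verified.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    result = "pass" if (spf_aligned or dkim_aligned) else "fail"
    policy = tags.get("p", "none")
    return result, policy


# Constructed scenarios: the From header always claims example.com.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"

# Legitimate mail sent from the company's own mail host and signed by the company.
LEGIT = dict(from_domain="example.com", spf_result="pass", spf_domain="mail.example.com",
             dkim_result="pass", dkim_domain="example.com")

# Spoofed mail: SPF and DKIM both "pass", but for the attacker's own domain, so
# neither aligns with the From domain and DMARC fails.
SPOOFED = dict(from_domain="example.com", spf_result="pass", spf_domain="mailer.example-invoices.net",
               dkim_result="pass", dkim_domain="example-invoices.net")

if __name__ == "__main__":
    print("legitimate:", evaluate_dmarc(RECORD, **LEGIT))
    print("spoofed:", evaluate_dmarc(RECORD, **SPOOFED))
```

The spoofed scenario is the important one: an attacker can make SPF and DKIM pass for a domain they control, so a server that only checks “did SPF pass?” is fooled. DMARC’s alignment requirement ties those results back to the domain the recipient actually sees, and the p= tag tells the receiver whether to monitor, quarantine or reject.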
Email Provider Warnings
Of course, having admins hovering and checking to see whether any spoofed mail has come in isn’t a fail-safe option. With busy working lives and attention usually drawn elsewhere, it’s vital to make sure other measures are in place.

Many secure email servers can scan incoming mail to see whether it has failed the authentication steps listed above. While these servers prevent most of these emails from reaching the end-user’s inbox, a few still slip through the cracks. If that happens, the server will still usually add a warning banner for the recipient, letting them know that the email has failed authentication and could be spoofed, and prompting them to take care before acting on it.
You can read our guide to the top email security solutions here.
Security Awareness Training (SAT)
Yet having warnings in place doesn’t quite work if your staff don’t take heed. Having your staff properly trained on the dangers of domain spoofing can help them pay attention to these warnings and deal with them accordingly, usually by flagging an incoming spoofed mail to their IT department.
SAT coaches employees on how to spot potential phishing threats in their inbox, as well as covering other security topics. Usually virtual, these programs encourage staff to identify suspicious emails they receive – regardless of whether they come with a warning banner. With spoofing, it can be hard for end-users to tell whether an email is genuine or spoofed – how could they, if they can’t see the real sender details? What they can do, however, is learn how to spot suspicious requests within the email itself, as well as recognise any dubious links that may be embedded.
The most effective programs are ones that take a comprehensive, kinesthetic approach. Good programs will include scenario-based videos and quizzes that cover topics such as phishing, social engineering, and potential insider threats. Check out our blog for more about security awareness training and what to look for when choosing the right one for your business:
Phishing Awareness Training: Why It Works And How To Choose The Right Platform
Summary
While domain spoofing can sound like a terrifying, undetectable threat, having the right controls in place strengthens your business against these kinds of attacks. Making sure that the right protocols are configured, as well as training your staff to be aware of suspicious email content and encouraging them to act accordingly, is a good way to safeguard your data, clients, and finances.