Spoofing - Who Did That Email Really Come From?

Spoofing - Who Did That Email Really Come From?

What is Spoofing?

Spoofing, particularly "Email spoofing" is a relatively new term used to describe fraudulent emails in which the sender's address and other parts of the email header are altered to appear as though the email originated from a different source. For example, you might receive an email that appears to have been sent from a well-known company (like MicroSoft), a government agency or even Consumer Fraud Reporting. In reality, none of those organizations would be likely to send any unsolicited email (that which you didn't sign up for and expect to receive).  In short, spoofing is a counterfeit email with stolen email addresses used without the real address owner's knowledge or permission.

Spoofing is a technique commonly used by spammers and scammers using phishing to hide the real origin of an email message. By changing certain properties of the email, such as the "From", "Return-Path" and "Reply-To" fields (which are found in the message header), these criminals can make the email appear to be from someone other than the actual sender. And unfortunately, there is nothing that can be done about it at present, no  more than there anything to stop someone from writing a false return address on a postal letter and dropping it in a mailbox.

It is often associated with website spoofing which mimic an actual, well-known website but are run by another party either with fraudulent intentions or as a means of criticism of the organization's activities. The result is that, although the email appears to come from the email indicated in the "From" field (found in the email headers) it actually comes from another email address, probably the same one indicated in the "Reply To" field; if the initial email is replied to, the delivery will be sent to the "Reply To" email, that is, to the spammer's email.

Typically, scammers use phishing and spoofing to get personal information from you in order to steal your identity and then your money, passwords to accounts or benefits. Pretending to be from a legitimate retailer, bank, or government agency, the sender asks to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem.

The most common use is to send an email appearing to be from a bank asking you to go to its site (with the link provided) to reenter your most personal information. The link takes you to a bogus website! Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people's banking information to deposit their "winnings" in their accounts.

How does it work?

If you're not a programmer, your only familiarity with email may be as a user of an "email client", like Microsoft Outlook. These programs hide the inner workings from you, so when you send an email, it automatically puts your real return address in the "sender" field. But any programmer familiar with internet protocols can easily manipulate these "email headers" and construct an email manually.  That allows them to insert whatever address they want in the sender field, such as JoeBlow@FBI.gov and it will look as real as any email to the recipient. This technique is now commonly used by mass-mailing worms as a means of concealing the true origin of the propagation.

Unfortunately, it is easy to spoof email because SMTP (the Simple Mail Transfer Protocol, which is the most commonly used technology behind all email) lacks authentication.  A common misconception is that the "IP address" can also be spoofed, to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, etc. That is (generally) not true.  It will work in emails for which no reply is needed or wanted - but then there will inevitably be links in the email for you to buy their products, and those links must be real (although, they may be on hijacked computers, with the owners unaware of the activity.)

How do the spoofers/scammers get the email addresses?

There are many ways:

  • Scammers write programs that gather (or "harvest") email addresses from websites, forums, discussion boards, blogs, anything published on the internet. If you have ever written an email to a forum or other online board that published your address on the page, then odds are good that a scammer is sending out email that appears to come from you, right now.
  • Worms and viruses collect email addresses from the address books on home computers that they infect.
    On infection, worms such as ILOVEYOU, Klez and Sober will often  perform searches for email addresses within the address book of a mail client, and use those addresses in the From field of emails that they send, so that these emails appear to have been sent by the third party. For example:
    • User1 is sent an infected email and then the email is opened, triggering propagation
    • The worm finds the addresses of User2 and User3 within the address book of User1
    • From the computer of User1, the worm sends an infected email to User2, but the email appears to have been sent from User3
  • This can be a particular problem in corporations, where content filtering gateways are in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
    • User2 doesn't receive the message, but instead gets a message telling him that a virus sent to them has been blocked. User3 receives a message telling him that a virus sent by them has been blocked. This creates confusion for both User2 and User3, while User1 remains unaware of the actual infection.

Newer versions of these worms randomize all or part of the email address. A worm can use various methods to achieve this, including:

  • Random letter generation
  • Built-in wordlists
  • Amalgamating addresses found in address books, for example:
    • User1 triggers an email address spoofing worm, and the worm finds the addresses user2@efgh.com, user3@ijkl.com and user4@mnop.com within the users Outlook address book
    • The worm sends an infected message to user2@efgh.com, but the email appears to have been sent from user3@mnop.com.

These random word generators are why you often see emails in your inbox with gibberish sentences followed by an ad or link for Viagra, Cialis, or other medications and products.

Extent of the problem

Gartner Group reports that, from May, 2005, over 1.8m consumers have been conned by phishing attacks into revealing sensitive information. The majority of that was in 2004 to present. Spoofing emails have increased by 4000 % in the past 6 months. The average consumer victim loses $1200 when his bank account is taken over. The United States Treasury even has a warning about Spoofing scams.

In short,

  • Spoofing almost always involves sending out fake email messages that either contain advertisements, links to websites selling products (usually "male enhancement" drugs) or ask the recipients to enter personal financial information, such as bank account numbers, credit card numbers, passport numbers, etc. into forms on Web sites that are designed to resemble the bank, credit card, or other company who they are claiming to be.
  • Spoofing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.

There are a number of examples of Spoofing emails to look at on this page.

What Can you Do to Protect Yourself from Spoofing Theft

  • First, DON'T click on the link in an email that asks for your personal information. It will take you to a phony Web site that looks just like the Web site of the real company or agency. Following the instructions, you enter your personal information on the Web site - and into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site. If you don't have the telephone number, get it from the phone book, the Internet, or directory assistance. Use a search engine to find the official Web site. Banks wouldn't ask for your mother's maiden name.  Also, look for misspellings in the bogus email. If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
  • If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies might also contact you if you've been the victim of fraud. To be on the safe side, ask for the person's name, the name of the agency or company, the telephone number, and the address. Then get the main number (see tip above) and call to find out if the person is legitimate.
  • Check out the list of recent Spoofing attacks and the information about Spoofing Pop-ups!
  • Look at these examples of Spoofing emails to be familiar!
  • Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.
  • Be suspicious if someone contacts you unexpectedly and asks for your personal information. It's hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you're contacted out of the blue and asked for your personal information, it's a warning sign that something is "phishy." Legitimate companies and agencies don't operate that way.
  • Act immediately if you've been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a "fraud alert" on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse, www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number is 202-326-2502.
  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Even if you didn't get hooked, report Spoofing. Tell the company or agency that the phisher was impersonating. Send the actual spam to and spam@uce.gov. You can also report the problem to law enforcement agencies through the National Fraud Information Center/Internet Fraud Watch, www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you provide helps to stop identity theft.    

Reporting a Possible Spoofing Attack

If you need advice about an Internet or online solicitation, or you want to report a possible scam, use the Online Reporting Form or call the NFIC hotline at 1-800-876-7060.

To report to the organization impersonated in the email you received, write directly to the company or organization.  Here are the real websites, email addresses and phone numbers of some of the more common targets of spoofing / phishing:

Company name and link to their website

Email address to report spoofing and phishing





AmSouth Bank



Bank Of America



Bank Of The West


















Federal Trade Commission



Fifth Third Bank



FlagStar Bank



LaSalle Bank















TCF Bank



US Bank



Washington Mutual



Wells Fargo




For More Information About Phishing, See:

And please let us know about any suspicious calls or emails you receive.  We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!




For a comprehensive list of national and international agencies to report scams, see this page.