Spoofing: prevent abuse of your email address

Often, digital fraud starts with sending an email. Criminals forge an email address and use it to distribute fake invoices and phishing emails. What is email spoofing and how do you avoid becoming a victim?

Spoofing is a trick cybercriminals use. There are different forms of spoofing, such as phone number spoofing, website spoofing, and email spoofing.

What is email spoofing?

Email spoofing is a method cybercriminals use to forge the sender's email address. The cybercriminal who sends the spoof email is pretending to be someone else by using their domain name. For example, they use the email address of a company you often do business with. The cybercriminal has your trust because the mail seems to come from a company you know. Criminals use this technique to distribute fake invoices (in Dutch) or phishing emails, among other things. With this method they try to steal money or login details from you or your customers or try to hack your computer.

How does email spoofing work?

Spoofing is quite easy. Tanya Wijngaarde, spokesperson at the Fraud Helpdesk (in Dutch), explains: ”It is quite simple for cybercriminals to send emails on behalf of someone else. Email does not have good security by default. This makes it easy for cybercriminals to fake an existing email address.” For example, the email address of someone you regularly do business with. Criminals use illegal tools to modify the header of an email. The header of an email message contains important information, such as the sender and subject. It is then difficult for the recipient to judge whether the email really comes from the sender, because the email address in the header looks the same. So, you do not realise that the email has been sent by a cybercriminal.

Wijngaarde compares email spoofing to forging a real letter. “That also does not tell you whether the letter actually comes from, for example, your bank or the tax authorities. Anyone can grab a blue envelope and print a letter on behalf of the tax authorities. For mail, the solution is often to sign the letter. But criminals can forge signatures. So, when in doubt, always contact the sender."

‘Looks just like the real thing'

Fraud Helpdesk receives reports from entrepreneurs and consumers about various forms of fraud, including email spoofing. Wijngaarde explains what the impact of email spoofing can be on a company: “For example, we received a report from a company that had been used by criminals to send hundreds of spoof emails. The company received angry responses from all sorts of people, not customers, asking why the company was sending them this. The emails had been sent by criminals on behalf of the company and the attachments were found to contain malicious software, known as malware. The sender address was the company email address. So, the email looked just like the real thing. Fortunately, no one opened the malicious attachment, but it did not do the company's reputation any good."

Prevent email address abuse

To prevent others from sending emails under your name, test the security of your email and install security programs.

Security programs

There are security techniques that you can use to prevent abuse, such as Sender Policy Framework (SPF). Wijngaarde explains: “SPF is easy to install software and reduces the risk of email spoofing. With SPF you control which email servers are allowed to send on behalf of your domain. A domain is anything after "@" in an email address. Emails sent from an unapproved server will be blocked or marked as unsafe.” On the Fraud Helpdesk website you will find a step-by-step plan (pdf, in Dutch) that helps you to install SPF.

In addition to SPF, there are more extensive security techniques, such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), to protect you against email spoofing. Your IT service provider can install these programs for you.

Email test

You will find an email test (in Dutch) on www.internet.nl. This tests the reliability of the most common email security standards such as Sender Policy Framework (SPF). After completing the test, you will receive a report (in Dutch) and a score that indicates how well your email domain is secured. You can improve your email security based on the test result. For example, install a secure mail server connection such as STARTTLS and DANE. Email is sent unencrypted by default. Confidentiality is not guaranteed, and hackers can intercept the mail. By using STARTTLS and DANE, email is encrypted and unreadable for hackers.

Other forms of spoofing

Be aware of other forms of spoofing as well, such as phone number spoofing, url spoofing and text message spoofing.

Phone number spoofing

It looks like a familiar organisation is calling you, for example your own bank. The number is correct. Only, you do not have a bank employee on the line, but a criminal who is trying to scam you. For example, he asks you to make a transfer or to give your PIN code. Do you not expect a call from your bank, or do you not trust it? Disconnect the connection and call your bank yourself.

URL spoofing

A cybercriminal sends you a link (URL) to a website, for example via email or text message. The link looks real, but it goes to a dangerous website. In such a fake URL, the criminal makes clever use of small spelling mistakes and letters that look alike. Example: belastingngdienst.nl instead of belastingdienst.nl. Do not click on the link but enter the real address manually in the address bar of your web browser.

Text message spoofing

You receive a text message from a well-known person or organisation, for example your accountant. The number and the name in the message are correct. Your accountant asks if you want to pay an outstanding invoice immediately. In reality, it is a cybercriminal who has faked a text message from your accountant. Such a message is almost indistinguishable from the real thing, but often a cybercriminal will emphasise that immediate action is needed. Do not respond to the text message or click on any link in it. Contact your accountant yourself, for example by telephone.

Report fraud

Are you a victim of spoofing or another form of fraud? Report this to the Fraud Helpdesk. The Fraud Helpdesk is the national reporting centre for fraud and helps victims of fraud with advice and referrals to authorities such as the police, the Financial Markets Authority (AFM, in Dutch) and Victim Support Netherlands (in Dutch). The Fraud Helpdesk also makes citizens and companies aware of fraud risks and provides practical tips on how to limit those risks.

Has your company been affected by spoofing? We would like to get in touch with you. Share your experience via kvk.cyber@kvk.nl.

Hack helpdesk

Have you been hacked, or do you think you have been hacked? On Business.gov.nl, you will find a step-by-step plan set up by the Digital Trust Center, and practical solutions to prevent further damage.

Do not become a victim of cybercrime. Protect yourself and get started with the digital security of your company.