Spoofing is becoming so sophisticated that legitimate email senders can struggle to get their emails delivered.
One of the questions we are asked most often by clients is how to spot a spoofed or fake email. So here are the ways it is done, and the authentication methods that scammers most frequently target. This article covers whether an email really comes from the sender it claims to; it does not cover whether the contents are safe or are part of a scam or phishing attempt.
Here is what to look for.
Step 1 – Check the from domain
- Check for misspellings of the domain, such as a Gmail account with the from address firstname.lastname@example.org.
- Scammers will use a free email service such as Hotmail, Gmail or Outlook, and even obscure email services that you may not recognise.
- Check for domains that look very similar to a legitimate domain – a spoof of ‘paypal.com’ may look like ‘paypal-mail-server.com’. Make sure the domain is EXACTLY what you would expect.
- Check the email has not arrived from a sub-domain such as ‘paypal.example.com’ or ‘paypal.com.qweqwe.example.com’. Only the ‘something.com’ at the end identifies who controls the domain; nothing before it is relevant, because whoever owns that domain can create any sub-domain they like.
- Check that clever typography has not been used, so that ‘paypal.com’ is not actually ‘páypal.com’, or that for ‘microsoft.com’ an ‘r’ and an ‘n’ have not been combined to make ‘rnicrosoft.com’.
- Check that identical-looking characters from another alphabet are not being used in the domain – for example an ‘a’ in the Latin alphabet and an ‘а’ in Cyrillic. Web browsers will show the decoded version in the address bar. This is not picked up in the Gmail, Apple or Android mail clients. It is picked up in Microsoft 365 Outlook, but it is not obvious.
Only a letter-by-letter check gives you 100% confidence that the email is coming from the domain you expect and not a derivative of it.
Step 2 – Spam Techniques
- Check the REPLY-TO: since the scammers do not control the original email domain, they have to use their own email address and domain in the reply-to. If this differs from the from address, the email may be a scam. They may use similar-looking addresses to deceive the recipient.
- The reply-to address may also be given in the body of the email rather than in the headers.
- The email body may well contain a ‘Click Here’ link that takes you directly to the scammer’s webpage, removing the need to reply to the email at all.
- The only easy way to check the reply-to address is to actually hit ‘Reply’ in your email client – but obviously do not press Send.
If the email came from a legitimate domain or company but the reply-to address is a free email service, treat that as a massive red flag.
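Here is an added worked example, in Python, that is not part of the original article: it applies the Step 1 (from domain) and Step 2 (reply-to) checks above to a constructed message. It reduces the from address to its last two labels, IDNA-encodes it so foreign-script look-alikes appear as ‘xn--’ labels, tests the ‘rn’ for ‘m’ substitution, and compares the reply-to domain against an assumed, small list of free-mail providers.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the original article) combining two of
# the tricks described above: From is a sub-domain of an unrelated domain and
# Reply-To points at a free-mail account.
SAMPLE = """From: PayPal Support <service@paypal.com.qweqwe.example.com>
Reply-To: paypal-refunds@hotmail.com

Click here to confirm your details.
"""

# Assumed list of free-mail providers; extend it for your own environment.
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def domain_parts(addr):
    """Return (full_domain, registrable_domain) for an address, lower-cased and
    IDNA-encoded so any non-ASCII look-alike shows up as an 'xn--' label."""
    domain = parseaddr(addr)[1].rsplit("@", 1)[-1].strip().lower()
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # malformed label; keep the raw text so it is still reported
    return domain, ".".join(domain.split(".")[-2:])


def check_message(raw, expected_domain):
    """Apply the Step 1 (From domain) and Step 2 (Reply-To) checks.
    Returns a list of finding strings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []
    full, reg = domain_parts(msg.get("From", ""))
    if reg != expected_domain:
        findings.append(f"from-domain-mismatch:{reg}")
    if full != reg:  # anything left of the last two labels is the sender's choice
        findings.append(f"from-is-subdomain:{full}")
    if "xn--" in full:  # e.g. a Cyrillic 'a' or an accented letter in the name
        findings.append(f"from-domain-uses-non-ascii:{full}")
    if reg != expected_domain and reg.replace("rn", "m") == expected_domain:
        findings.append(f"from-domain-rn-for-m:{reg}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_reg = domain_parts(reply_to)[1]
        if reply_reg != reg:
            findings.append(f"reply-to-domain-differs:{reply_reg}")
        if reply_reg in FREE_MAIL:
            findings.append(f"reply-to-is-free-mail:{reply_reg}")
    return findings
```

Run `check_message(SAMPLE, "paypal.com")` to see the four findings for the sample; a genuine message whose From and Reply-To both sit on the expected domain returns an empty list.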