Carnegie Mellon University


July 29, 2020

How to Identify Email Spoofed Phishing Attacks

Did you know that email scammers can easily forge the email "from" address? It's called email spoofing, and it can make the job of spotting scams more difficult.

Email spoofing is a form of impersonation where a scammer creates an email message with a forged sender address in hopes of deceiving the recipient into thinking the email originated from someone other than the actual source. Scammers will use email spoofing to help disguise themselves as a supervisor, professor, or financial organization to trick users into performing some type of action. Scammers use this method of deception because they know a person is more likely to engage with the content of the email if they are familiar with who sent the message.

There are various types of email spoofing.

Display name spoofing portrays a display name of the person being impersonated while leaving the actual sending email address intact.

Example 1: "John Doe" <jd23950@gmail.com>
Example 2: "John Doe" <johndoe.cmu.edu@scammersite.net>

Scammers can also spoof the entire email address as well or just the domain name, i.e., what follows the @ symbol.

There are a few things you can do to help determine if an email is coming from a spoofed email address or is otherwise malicious.

Check the Email Header Information

The email headers contain a significant amount of tracking information showing where the message has traveled across the Internet. Different email programs display these headers in different ways. Learn how to view the email headers for your mail client by visiting the Information Security Office: Display Email Headers webpage.

Please note that email headers can be spoofed and are not always reliable. Use all of the ISO's suggested tips on identifying a phishing message and if still unsure, report the message to iso-ir@andrew.cmu.edu.

The following tips can help identify a spoofed message in the email headers.

  • Identify that the 'From' email address matches the display name. The from address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is actually coming from someone else.
  • Make sure the 'Reply-To' header matches the source. This is typically hidden from the recipient when receiving the message and is often overlooked when responding to the message. If the reply-to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged.
  • Find where the 'Return-Path' goes. This identifies where the message originated from. While it is possible to forge the Return-Path in a message header, it is not done with great frequency.

Example: In this example, a scammer impersonates a faculty member of the university to send a fake job offer to students. Assume that John Doe is an actual professor at CMU with an email address of johndoe@andrew.cmu.edu. The message requests personal information, including an alternate communication path, so that if someone else reports the message to the ISO and blocks are implemented, the criminal can continue to scam any victims who responded with an alternate email or phone number. Once the scammer has an interested individual, he can request that the individual provide personal financial information for the "job" such as a social security number or bank account, cash a fake check, or open a malicious attachment.

From: Professor John Doe <johndoe@andrew.cmu.edu>
Subject: Research Assistant Job

Do you want to work remotely from home as a research assistant and earn $250 weekly? If interested, indicate by providing the required information below. You will receive a folow up detailing work schedule. This job requires little to no prior experience.

Full Name:
Cell Phone #:
Alternate Email:

Regards,
Professor John Doe
Carnegie Mellon University

When looking at the headers of this message, it can be observed that the scammer spoofed the display name and domain name to show the actual faculty member's name and university email address. However, a closer look at the 'Return-Path' and 'Reply-To' in the email headers indicates that the sender is not who they claim to be.

From: "Professor John Doe" <jdoe@andrew.cmu.edu>
Reply-To: "Professor John Doe" <jdoe.andrew.cmu.edu@gmail.com>
Return-Path: <fakeaccount123@scammail.net>
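The three header tips above, and the display-name examples earlier on the page, can be turned into a small check you run against a raw message. The script below is an added example, not code from the CMU Information Security Office; it uses only Python's standard `email` module. It assumes a constructed address book (the `ADDRESS_BOOK` dictionary) standing in for your real contact list, and the two sample messages are constructed from the header values shown on this page. It reports a finding when the From display name belongs to a known contact but the address does not, when a trusted domain has been written into the local part of an address (as in johndoe.cmu.edu@scammersite.net), and when Reply-To or Return-Path point at a different domain than From.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book for this example: people you already trust, keyed by
# lowercased name. The page's "contact the sender through a trusted channel"
# advice is the manual version of this lookup.
ADDRESS_BOOK = {
    "john doe": "jdoe@andrew.cmu.edu",
}

# Constructed sample messages, built from the header values shown on the page.
SPOOFED_JOB_OFFER = """\
From: "Professor John Doe" <jdoe@andrew.cmu.edu>
Reply-To: "Professor John Doe" <jdoe.andrew.cmu.edu@gmail.com>
Return-Path: <fakeaccount123@scammail.net>
Subject: Research Assistant Job

Do you want to work remotely from home as a research assistant?
"""

GENUINE_NOTICE = """\
From: "Professor John Doe" <jdoe@andrew.cmu.edu>
Return-Path: <jdoe@andrew.cmu.edu>
Subject: Office hours moved

Office hours are at 2pm this week.
"""


def domain_of(address: str) -> str:
    """Lowercased text after the last '@' (empty string if there is none)."""
    return address.rpartition("@")[2].lower()


def local_part_of(address: str) -> str:
    """Lowercased text before the last '@'."""
    return address.rpartition("@")[0].lower()


def trusted_domains() -> set[str]:
    """Address-book domains plus their parent (cmu.edu for andrew.cmu.edu).
    Bare TLDs such as 'edu' are dropped so the lookalike check does not over-match."""
    out = set()
    for addr in ADDRESS_BOOK.values():
        d = domain_of(addr)
        out.add(d)
        parent = d.partition(".")[2]
        if "." in parent:
            out.add(parent)
    return out


def lookalike_domain(address: str) -> str:
    """Return a trusted domain that was written into the local part of an address
    whose real domain is NOT trusted (e.g. johndoe.cmu.edu@scammersite.net), or ''."""
    trusted = trusted_domains()
    if domain_of(address) in trusted:
        return ""
    local = local_part_of(address)
    # Longest match first so andrew.cmu.edu is reported in preference to cmu.edu.
    return next((d for d in sorted(trusted, key=len, reverse=True) if d in local), "")


def check_from(header_value: str) -> list[str]:
    """Tip 1: does the From address really belong to the displayed name?"""
    findings = []
    name, addr = parseaddr(header_value)
    for known_name, known_addr in ADDRESS_BOOK.items():
        if known_name in name.lower() and addr.lower() != known_addr:
            findings.append(f"display name {name!r} is a known contact, but the address "
                            f"is {addr}, not {known_addr}")
    if d := lookalike_domain(addr):
        findings.append(f"trusted domain {d} appears inside the local part of {addr}; "
                        f"the real sending domain is {domain_of(addr)}")
    return findings


def check_message(raw_message: str) -> list[str]:
    """Apply all three header tips to a raw message (headers plus body)."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    findings = check_from(from_header)
    from_domain = domain_of(parseaddr(from_header)[1])

    # Tip 2: Reply-To should point back to where the message claims to come from.
    if msg.get("Reply-To"):
        reply_addr = parseaddr(msg["Reply-To"])[1]
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To {reply_addr} is not in the From domain {from_domain}")
        if d := lookalike_domain(reply_addr):
            findings.append(f"Reply-To {reply_addr} imitates trusted domain {d}")

    # Tip 3: Return-Path is where bounces go, i.e. where the message originated.
    if msg.get("Return-Path"):
        rp_addr = parseaddr(msg["Return-Path"])[1]
        if domain_of(rp_addr) != from_domain:
            findings.append(f"Return-Path {rp_addr} is not in the From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_JOB_OFFER), ("genuine", GENUINE_NOTICE)):
        print(f"{label}: {check_message(raw) or ['no indicators']}")
```

An empty result means none of the page's indicators fired, not that the message is genuine: as the page notes, headers themselves can be forged. The Return-Path and Reply-To checks are hints rather than verdicts, since some legitimate bulk mail and mailing lists also use a different bounce address than the From domain; treat a finding as a reason to contact the sender through a trusted channel rather than to reply.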

Question the Content of the Message

Sometimes the best defense against phishing is to trust your best instincts. If you receive a message from a supposed known source that appears out of the ordinary, it should raise a red flag. When receiving an unsolicited message, users should always question the content of the message, especially if the message is requesting information or directing the user to click on links or open attachments.

Before responding to any questionable message, perform the following tasks to ensure the message is reliable.

  • Ask yourself:
    • Was I expecting this message?
    • Does this email make sense?
    • Am I being pushed to act quickly?
  • Examine the email and look for:
    • Sense of urgency
    • Unsolicited request of personal information
    • Generic greeting/signature
    • Unfamiliar links or attachments
  • Contact the sender of the message through a trusted channel
    • If the email appears legitimate, but still seems suspicious, it is best to contact the supposed sender through a trusted phone number or open a new outgoing email message using their real email address found in the address book. Do not reply to the message in question.

It is important to always remain vigilant when receiving mail whether it is from an unknown sender, someone you are close with, or an organization you are familiar with. Cyber scammers are always looking for new ways to exploit individuals for their own personal gain.