{
	"id": "812d3091-e19a-4616-840e-0be3343722c2",
	"created_at": "2026-04-06T00:12:46.181401Z",
	"updated_at": "2026-04-10T03:21:31.611597Z",
	"deleted_at": null,
	"sha1_hash": "fef618b0dbbaa80afd0ed7edba05ff48cba5ce6e",
	"title": "What Is Email Spoofing? Definition \u0026 Examples | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 452482,
	"plain_text": "What Is Email Spoofing? Definition \u0026 Examples | Proofpoint US\r\nPublished: 2021-02-27 · Archived: 2026-04-05 12:44:15 UTC\r\nTable of Contents\r\nEmail Spoofing Definition\r\nA Brief History of Email Spoofing\r\nSpoofing vs. Phishing\r\nHow Email Spoofing Works\r\nExamples of Email Spoofing\r\nHow to Identify Spoofing Email\r\nMotivations Behind Email Spoofing\r\nEmail Spoofing Statistics\r\nHow to Protect Against Email Spoofing\r\nEmail Spoofing Definition\r\nEmail spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from\r\na person or entity they know or trust. In spoofing attacks, the sender forges email headers so that client software\r\ndisplays the fraudulent sender address, which most users take at face value. Users don’t realize the sender is\r\nforged unless they inspect the header more closely. If it’s a name they recognize, they’re more likely to trust it. So\r\nthey’ll click malicious links, open malware attachments, send sensitive data, and even wire corporate funds.\r\nEmail spoofing is possible due to how email systems are designed. The client application assigns a sender address\r\nto outgoing messages, so outgoing email servers cannot identify whether the sender address is legitimate or\r\nspoofed.\r\nRecipient servers and antimalware software can help detect and filter spoofed messages. Unfortunately, not every\r\nemail service has security protocols in place. Still, users can review each message’s email header to determine\r\nwhether the sender address is forged.\r\nHere’s how your free trial works:\r\nMeet with our cybersecurity experts to assess your environment and identify your threat risk exposure\r\nWithin 24 hours and minimal configuration, we’ll deploy our solutions for 30 days\r\nExperience our technology in action!\r\nReceive report outlining your security vulnerabilities to help you take immediate action against\r\ncybersecurity attacks\r\nFill out this form to request a meeting with our cybersecurity experts.\r\nThank you for your submission.\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 1 of 7\n\nA Brief History of Email Spoofing\r\nEmail spoofing has been an issue since the 1970s due to how email protocols work. It started with spammers who\r\nused it to get around email filters. The issue became more common in the 1990s, then grew into a global\r\ncybersecurity issue in the 2000s.\r\nSecurity protocols were introduced in 2014 to help fight email spoofing and phishing. Since then, many spoofed\r\nemail messages are now sent to user spamboxes or are rejected and never sent to recipient inboxes.\r\nSpoofing vs. Phishing\r\nDespite sharing some similarities, spoofing and phishing are two distinct cyber threats with several fundamental\r\ndifferences.\r\nThe goal of spoofing is to impersonate someone’s identity, while the goal of phishing attacks is to steal\r\ninformation.\r\nPhishing scams are fraudulent because they involve information theft. However, spoofing is not considered\r\nfraud because the victim’s email address or phone number is not stolen but rather imitated.\r\nPhishing often involves the attacker pretending to be from a trusted organization, whereas spoofing\r\ninvolves changing the sender’s email address or phone number to impersonate someone else.\r\nPhishing is commonly executed with fake websites and data collection portals. Spoofing emails can be\r\nused to breach system security or steal user information.\r\nHow Email Spoofing Works\r\nEmail spoofing aims to trick users into believing the email is from someone they know or trust—in most cases, a\r\ncolleague, vendor, or brand. Exploiting that trust, the attacker asks the recipient to divulge information or take\r\nsome other action.\r\nA typical email client (such as Microsoft Outlook) automatically enters the sender address when a user sends a\r\nnew email message. But an attacker can programmatically send messages using basic scripts in any language that\r\nconfigures the sender address to a chosen email address. Email API endpoints allow a sender to specify the sender\r\naddress regardless of whether the address exists. And outgoing email servers can’t determine whether the sender’s\r\naddress is legitimate.\r\nOutgoing email is retrieved and routed using the Simple Mail Transfer Protocol (SMTP). When a user clicks\r\n“Send” in an email client, the message is first sent to the outgoing SMTP server configured in the client software.\r\nThe SMTP server identifies the recipient domain and routes it to the domain’s email server. The recipient’s email\r\nserver then routes the message to the right user inbox.\r\nFor every “hop” an email message takes as it travels across the internet from server to server, the IP address of\r\neach server is logged and included in the email headers. These headers divulge the true route and sender, but many\r\nusers do not check headers before interacting with an email sender.\r\nThe three major components of an email are:\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 2 of 7\n\nThe sender address\r\nThe recipient address\r\nThe body of the email\r\nAnother component often used in phishing is the Reply-To field. The sender can configure this field and use it in a\r\nphishing attack. The Reply-To address tells the client email software where to send a reply, which can be different\r\nfrom the sender’s address. Again, email servers and the SMTP protocol do not validate whether this email is\r\nlegitimate or forged. It’s up to the user to realize that the reply is going to the wrong recipient.\r\nExamples of Email Spoofing\r\nAs an example of email spoofing, an attacker might create an email that looks like it comes from PayPal. The\r\nmessage tells the user that their account will be suspended if they don’t click a link, authenticate into the site, and\r\nchange the account’s password. If the user is successfully tricked and types in credentials, the attacker can\r\nauthenticate into the targeted user’s PayPal account and steal the user’s money.\r\nTo the user, a spoofed email message looks legitimate because many attackers use elements from the official\r\nwebsite to make the message more believable. Here’s an email spoofing example with a PayPal phishing attack:\r\nMore complex attacks target financial employees and use social engineering and online reconnaissance to trick a\r\ntargeted user into sending money to an attacker’s bank account. Here’s an example of a forged email:\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 3 of 7\n\nNotice that the email address in the From field is Bill Gates (b.gates@microsoft.com). There are two sections in\r\nthese email headers to review. The “Received” section shows that the email was originally handled by the email\r\nserver email.random-company.nl, which is the first clue that this is a case of email spoofing. But the best field to\r\nreview is the Received-SPF section—notice that the section has a “Fail” status.\r\nEmail Protection\r\nThe Industry-Leading Email Gateway\r\nLearn More\r\nHow to Identify Spoofing Email\r\nWhile spoofing scams continue to become increasingly elaborate, particular signs and cues can help you identify a\r\nspoofing email.\r\nCheck the email header: The email header contains information like the date, subject line, recipient’s and\r\nsender’s names, and email address. Check to see if the email address appears from a legitimate source and\r\nthat the name and other details match up.\r\nLook for disconnects between email addresses, display names, etc.: An email address that doesn’t\r\nmatch the sender’s display name is a telling sign of a spoofed email, especially if the domain of the email\r\naddress looks suspicious.\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 4 of 7\n\nAssess the email content: Spoofed emails often contain alarming or aggressive messaging to provoke a\r\nsense of urgency and impulsiveness. If the tone of the subject line and email content is tailored to scare you\r\nor alarm you, then it likely is a spoofed email.\r\nBe watchful for emails requesting personal information: Spoofed emails are often used in conjunction\r\nwith phishing scams, where fraudsters impersonate brands or identities to get your personal information.\r\nAvoid clicking links or downloading attachments: If you receive an email that appears suspicious or is\r\nfrom an unknown sender, do not click links or download attachments.\r\nCopy and paste the content of an email message into a search engine: Chances are that text used in a\r\ncommon phishing attack has already been reported and published on the Internet.\r\nLook for inconsistencies in the email signature: If the information in the email signature, such as the\r\ntelephone number, does not align with what is known about the sender, it may be a spoofed email.\r\nWhen in doubt, refrain from opening any unknown or suspicious emails. Spoofing email or not, a people-minded,\r\nuser-focused approach is key to mitigating costly social engineering attacks.\r\nMotivations Behind Email Spoofing\r\nEmail spoofing may seem like an unusual tactic, but it can be an effective means of deceiving unaware victims.\r\nSome of the primary motivations behind email spoofing include:\r\nAcquiring sensitive information: Attackers may use email spoofing to obtain sensitive information, such\r\nas social security numbers, financial details, and other critical information.\r\nTaking over online accounts: Email spoofing can take over online accounts by deceiving users into\r\nrevealing their login credentials.\r\nDistributing malware: Attackers use email spoofing to deliver malware to the recipient’s computer or\r\nnetwork.\r\nStealing funds: Email spoofing is used to steal funds by tricking users into revealing their financial\r\ninformation or transferring money to the attacker’s account.\r\nManipulate and influence: Spoofing email can sway public opinion for special interest groups and\r\nparties, whether political, governmental, or environmental.\r\nEmail Spoofing Statistics\r\nEmail clients configured to use SPF and DMARC will automatically reject emails that fail validation or send them\r\nto the user’s spam box. Attackers target people and businesses, and just one successfully tricked user can lead to\r\nthe theft of money, data, and credentials.\r\nIt’s no wonder that email spoofing has become a commonly exploited avenue for cyber-attackers. Consider the\r\nfollowing statistics:\r\n3.1 billion domain spoofing emails are sent per day.\r\nMore than 90% of cyber-attacks start with an email message.\r\nEmail spoofing and phishing have had a worldwide impact costing an estimated $26 billion since 2016.\r\nIn 2019, the FBI reported that 467,000 cyber-attacks were successful, and 24% were email-based.\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 5 of 7\n\n91% of bait emails are sent via Gmail, with just 9% coming from other sending domains. (Source:\r\nhttps://blog.barracuda.com/2021/11/10/threat-spotlight-bait-attacks/)\r\nThe average scam tricked users out of $75,000.\r\nA common attack that uses email spoofing is CEO fraud, also known as business email compromise (BEC). In\r\nBEC, the attacker spoofs the sender’s email address to impersonate an executive or owner of a business. This\r\nattack usually targets an employee in the financial, accounting, or accounts payable departments.\r\nEven smart, well-intentioned employees can be tricked into sending money when the request comes from\r\nsomeone they trust—especially an authority figure. Here are just a few high-profile examples of costly spoofing\r\nscams:\r\nThe Canadian City Treasure was tricked into transferring $98,000 from taxpayer funds by an attacker\r\nclaiming to be city manager Steve Kanellakos.\r\nMattel was tricked into sending $3 million to an account in China, but it was lucky enough to claw back\r\nthe money when the defrauded financial executive confirmed that CEO Christopher Sinclair did not send\r\nthe email message.\r\nThe Crelan bank in Belgium was tricked into sending attackers €70 million.\r\nHow to Protect Against Email Spoofing\r\nIn addition to having a discerning team with an eye for suspicious emails, specific tools and technologies can help\r\nprevent email spoofing from becoming a threat.\r\nSecure email gateway: A secure email gateway can help protect against email spoofing by filtering out\r\nsuspicious messages and blocking messages from known spoofed email addresses.\r\nImplement email authentication protocols: Implement Sender Policy Framework (SPF), DomainKeys\r\nIdentified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance\r\n(DMARC) protocols work together to authenticate emails and prevent email spoofing.\r\nSender Policy Framework (SPF) is a security protocol set as a standard in 2014. It works with\r\nDMARC (Domain-based Message Authentication, Reporting and Conformance) to stop malware\r\nand phishing attacks.\r\nSPF can detect spoofed emails, and it’s become common with most email services to combat\r\nphishing. But it’s the domain holder’s responsibility to use SPF. To use SPF, a domain holder must\r\nconfigure a DNS TXT entry specifying all IP addresses authorized to send email on behalf of the\r\ndomain.\r\nWith this DNS entry configured, recipient email servers look up the IP address when receiving a\r\nmessage to ensure that it matches the email domain’s authorized IP addresses. If there is a match,\r\nthe Received-SPF field displays a PASS status. If there is no match, the field displays a FAIL status.\r\nRecipients should review this status when receiving an email with links, attachments, or written\r\ninstructions.\r\nUse a secure email provider: Choose a secure email service provider that uses advanced security\r\nmeasures to protect against email spoofing and phishing attacks. For example, ProtonMail is a widely\r\nknown and free-to-use secure email provider.\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 6 of 7\n\nUse email filters: Simple email filters limit the number of suspicious emails that get through to users’\r\ninboxes. Email filters help detect and filter spoofed messages and block messages from known spoofed\r\nemail addresses.\r\nEducate users: Train your people to identify and avoid spoofing attacks. Share ways to identify suspicious\r\nemails that should be reported before opening.\r\nThese are just some of the most common email security solutions that organizations use to better protect\r\nthemselves from email spoofing and other types of cyber attacks.\r\nGet Ahead of Tomorrow’s Threats with Proofpoint\r\nAnticipating the nature of certain cyber threats helps organizations identify where their defenses are weak and\r\nwhich protective measures to prioritize. Most organizations are more resilient through layered strategies that\r\nleverage detection and prevention technologies, real-time threat intelligence, and user-focused training programs\r\nto reduce the risk of attacks via email and cloud environments. As threats like phishing, BEC, ransomware, and\r\ncredential theft evolve, it’s important to have the right mix of tools and processes to keep your data and your\r\npeople protected. Take ownership to protect against threats and make strides to improve your cybersecurity\r\neffectiveness.\r\nLeverage the capabilities trusted by 83 of the Fortune 100 companies. Contact Proofpoint to learn more.\r\nRelated Resources\r\nThe latest news and updates from Proofpoint, delivered to your inbox.\r\nSign up to receive news and other stories from Proofpoint. Your information will be used in accordance with\r\nProofpoint’s privacy policy. You may opt out at any time.\r\nSource: https://www.proofpoint.com/us/threat-reference/email-spoofing\r\nhttps://www.proofpoint.com/us/threat-reference/email-spoofing\r\nPage 7 of 7\n\nMore than 90% Email spoofing of cyber-attacks and phishing have start with an email had a worldwide message. impact costing an estimated $26 billion since 2016.\nIn 2019, the FBI reported that 467,000 cyber-attacks were successful, and 24% were email-based.\n   Page 5 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-reference/email-spoofing"
	],
	"report_names": [
		"email-spoofing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fef618b0dbbaa80afd0ed7edba05ff48cba5ce6e.pdf",
		"text": "https://archive.orkl.eu/fef618b0dbbaa80afd0ed7edba05ff48cba5ce6e.txt",
		"img": "https://archive.orkl.eu/fef618b0dbbaa80afd0ed7edba05ff48cba5ce6e.jpg"
	}
}