On a daily basis, cyber criminals unleash email-based attack campaigns against companies, from server-choking spam to scam emails loaded with malicious software designed to disrupt business processes. Although most people are aware of these dedicated attacks, such as phishing emails, many are still fooled by these tried and tested tactics.
One reason enterprise employees continue to fall victim to these email-based assaults is that hackers use spoofed email addresses to launch their attacks. Far harder to identify than many common forms of phishing email, spoofing techniques fake an authentic email address to hoodwink recipients into believing messages come from a trusted source.
Testing if an email address has been spoofed
If you know where to look, there are ways of checking whether an email you have received is part of a spoof attack. Whether it is poorly written English or an unfamiliar tone, if an email seems suspicious, the first place to begin your investigation is the email’s header.
The header of an email includes crucial elements of each electronic message. Along with the well-known “To”, “From”, “Subject” and “Date” fields, the header also offers detailed data on precisely where the email originated and the route it took to your inbox. It also contains a record of the verification checks performed by your mail provider to assess whether the server that sent the email had permission to use the domain.
Examining “Received” and “Received-SPF” fields
While an email may appear authentic, the header details can help reveal whether it is a spoof attack. There is a wealth of information in the header, but the two most important areas to examine are the IP address and domain name in the field marked “Received”, and the recorded validation result in the field marked “Received-SPF”.
If the domain name is entirely different from the sender’s company domain, this is a clear sign of a spoofed email. For a more conclusive test, you can also look at the IP address. Using Domain Tools, you can input the IP address and look it up. If your sender is from a UK-based company and your Domain Tools search uncovers the IP address is actually hosted in Russia, for example, you will know it is likely a scam.
Studying the Received-SPF field in the header will tell you more. Sender Policy Framework, or SPF, is a method by which a sender’s domain tells recipient servers which servers are authorised to send email on its behalf. If the sending mail server has that permission, the Received-SPF field will show the word “Pass”. If, however, you see the word “Softfail” or “Fail”, this is a strong indicator of a spoof email.
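As an added illustration of the checks described above (example code written for this page, not Galaxkey’s software), the Python script below parses the “Received”, “Received-SPF” and “From” headers of a raw message, extracts the originating hostname and IP address, reads the SPF result, and reports the warning signs the text describes. It goes a little beyond the text in one respect: it also compares the SPF envelope-from domain with the visible From domain, because SPF validates the envelope sender rather than the From line a reader sees. Both sample messages, their hostnames, IP addresses and domains are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From claims
# trusted-bank.example, but the origin hop and the SPF result say otherwise.
SPOOFED_EMAIL = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.com (Postfix) with ESMTP id ABC123
    for <alice@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from bulk-sender.example.net (unknown [203.0.113.5])
    by mail.example.org with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
Received-SPF: softfail (mx.example.com: transitioning domain of trusted-bank.example
    does not designate 203.0.113.5 as permitted sender)
    client-ip=203.0.113.5; envelope-from=accounts@trusted-bank.example;
From: "Accounts Team" <accounts@trusted-bank.example>
To: alice@example.com
Subject: Invoice attached
Date: Mon, 1 Jan 2024 09:59:00 +0000

Please see the attached invoice.
"""

# Constructed clean counterpart: origin hop and SPF both agree with From.
LEGITIMATE_EMAIL = """\
Received: from mail.trusted-bank.example (mail.trusted-bank.example [198.51.100.7])
    by mx.example.com (Postfix) with ESMTPS id DEF456
    for <alice@example.com>; Mon, 1 Jan 2024 11:00:00 +0000
Received-SPF: pass (mx.example.com: domain of trusted-bank.example designates
    198.51.100.7 as permitted sender) client-ip=198.51.100.7;
    envelope-from=accounts@trusted-bank.example;
From: "Accounts Team" <accounts@trusted-bank.example>
To: alice@example.com
Subject: Statement
Date: Mon, 1 Jan 2024 10:59:00 +0000

Your statement is ready.
"""

FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_HOST_RE = re.compile(r"\bby\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RESULT_RE = re.compile(r"^(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
SPF_KV_RE = re.compile(r"(client-ip|envelope-from)=([^;\s]+)", re.I)


def load(raw_message):
    """Parse a raw RFC 5322 message; the default policy unfolds multi-line headers."""
    return message_from_string(raw_message, policy=default)


def parse_received_hops(msg):
    """One dict per Received header, in header order. The first entry was written
    by the recipient's own server (the final hop) and is the only one that cannot
    have been forged by the sender; the last entry is the claimed origin."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # collapse any remaining folding
        from_m, by_m, ip_m = FROM_HOST_RE.search(text), BY_HOST_RE.search(text), IPV4_RE.search(text)
        hops.append({
            "from_host": from_m.group(1).lower() if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by_host": by_m.group(1).lower() if by_m else None,
        })
    return hops


def parse_received_spf(msg):
    """Result token plus client-ip / envelope-from from the first Received-SPF header."""
    value = msg.get("Received-SPF")
    if value is None:
        return None
    text = " ".join(str(value).split())
    result_m = SPF_RESULT_RE.match(text)
    info = {"result": result_m.group(1).lower() if result_m else "unknown",
            "client_ip": None, "envelope_from": None}
    for key, val in SPF_KV_RE.findall(text):
        info[key.lower().replace("-", "_")] = val.lower()
    return info


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw_message):
    """Return a list of human-readable warning signs; an empty list means none found."""
    msg = load(raw_message)
    findings = []
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    hops = parse_received_hops(msg)
    if hops:
        origin = hops[-1]
        host = origin["from_host"] or ""
        if from_domain and not (host == from_domain or host.endswith("." + from_domain)):
            findings.append(f"originating server {host!r} ({origin['ip']}) is not under the From domain {from_domain!r}")
    spf = parse_received_spf(msg)
    if spf is None:
        findings.append("no Received-SPF header: the receiving server recorded no SPF check")
    else:
        if spf["result"] != "pass":
            findings.append(f"Received-SPF result is {spf['result']!r}, not 'pass'")
        env_domain = domain_of(spf["envelope_from"] or "")
        if env_domain and env_domain != from_domain:
            findings.append(f"envelope sender domain {env_domain!r} differs from From domain {from_domain!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED_EMAIL), ("legitimate sample", LEGITIMATE_EMAIL)):
        print(f"{label}: {spoof_indicators(raw) or ['no warning signs']}")
```

Two points worth keeping in mind when reading the output. The Received headers are listed newest first, so the topmost one was added by your own mail server and can be trusted; every earlier hop was written by someone else and a sender can insert fabricated ones, which is why the script reports what the origin hop claims rather than treating it as proof. Likewise, an SPF “Pass” only confirms that the envelope sender’s domain authorised that server, so a message whose envelope domain differs from the From line can pass SPF and still be spoofed, which is the alignment check added here.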
At Galaxkey, our secure system has been designed to help enterprises operate safe from scammers, with easy-to-employ solutions that are never too complex for staff to master. Contact our team today to trial our state-of-the-art security platform.