
Email Spoofing: How to Stop it From Hurting Your Brand


Imagine a world in which it was nearly impossible to tell a real person from an alien imposter. Like the classic sci-fi film, Invasion of the Body Snatchers, it would be horrifying. Yet, that’s essentially what the average subscriber experiences in their email inbox all the time.

The problem? Email spoofing is running rampant. Scammers can mimic the look of your brand and even forge sender names to make harmful phishing emails seem real. Call it “Inbox Invasion of the Brand Snatchers” if you will.

Thankfully, there are things smart marketers can do to protect subscribers and stop possible damage to brand reputation.

How email spoofing works

There are many forms of phishing, and email spoofing is a favorite among cybercriminals. The goal is to dupe people into believing an email comes from a certain person or business. But it actually has malicious intent, such as installing malware or obtaining sensitive personal information.

Like a lure that looks like food to a fish, an email spoofing attempt looks fine at first glance, but it’s full of dangerous hooks.

Email spoofing happens because the Simple Mail Transfer Protocol (SMTP) doesn’t come with a way to authenticate a sender before a message is delivered. So, attackers look for mail servers with open SMTP ports and for domains that lack email authentication methods.

There are two main types of email spoofing:

1. Phishing emails that impersonate an individual

These are emails that appear to come from someone you know: a friend or family member, a business contact, or a colleague. You’ve likely heard of, or even received, a suspicious email from your boss or HR that asked for something unusual or came with a strange attachment.

This type of email fraud is certainly a cybersecurity threat to businesses everywhere. But it targets individuals within your organization, and it shouldn’t impact brand reputation or your customers.

2. Phishing emails that impersonate brands

This type of spoofing involves the creation of fake emails that appear to come from a recognizable company, which subscribers trust and expect to see in their inboxes.

Scammers forge information in the email header to make it seem like the sender is a brand with which the recipient is familiar. These spoofed emails often link to a false web page where targets are asked to enter account login credentials or sensitive info such as credit card numbers.

Unlike phishing attempts that impersonate people, those that spoof brands may target a large group of your customers with similar fake emails. This can ultimately lead to a damaged brand reputation and a decrease in email engagement.

Statistics on email spoofing

Here are some eye-opening stats proving how much of a problem email spoofing is becoming for brands.

  • Scammers send more than 3 billion spoof emails per day.
  • According to a report from Barracuda, brand impersonations account for 83% of phishing attacks.
  • Securelist found more than 40% of phishing websites use a .com domain, making them hard to identify as fake.
  • AdWeek reported that brand impersonation increased 11x between 2014 and 2018.
  • Great Horn’s 2020 Email Security benchmark report found 42.4% of survey respondents saw brands impersonated in their inboxes. That’s way up from 22.4% in 2019.

Recognizable brands are the most likely to be spoofed in phishing emails. For example, Microsoft often tops a quarterly report from CheckPoint listing the most consistently impersonated companies. Big names in technology, retail, banking, and social media are frequently imitated as well.

However, smaller businesses should not assume that they won’t be spoofed. Writing for Mimecast.com, Allan Halcrow explains that SMBs are targeted because they lack the security to stop brand impersonation.

In fact, Halcrow experienced SMB email spoofing firsthand:

“A few years ago, I was selling my house and hired a small, independent real estate firm with just a few agents. During the process, I got an email asking for some very specific financial information, including account numbers. Because I (foolishly) believed that the firm was so small the email must be legitimate, I responded. Big mistake!”

5 Examples of brand email spoofing

Let’s take a look at some email spoofing examples and the tricks of the trade the attackers use in phishing attempts.

1. Suspicious account activity

Perhaps the most common email spoofing tactic is falsely claiming there’s been suspicious activity on an online account. That feels really scary and urgent. Many people go into fight-or-flight mode and try to fix the non-existent problem.

Of course, that’s where the cybercriminals get you. The phishing email below impersonates Chase and includes fake charges to a credit card.

Chase Bank email spoofing example

Jefferson Graham of USA Today received this email and wrote about it. In his article, he notes a few things that gave this spoofing attempt away (so he didn’t fall for it).

Here’s a similar phishing email that spoofs LinkedIn:

LinkedIn phishing email

See the falsified sender name at the top? Notice the odd capitalization of text? How about the fact that the email isn’t personalized after “Dear”? LinkedIn knows your name and so does your bank and many other brands you work with. These are three good signs of a fraudulent email. But are your subscribers vigilant enough to catch them?

2. Forged email header

When the blogger at LoyaltyLobby got this email that spoofs American Airlines, he almost believed it. He writes that he even checked the email header and found the right sender name. In fact, the email header was practically identical to American Airlines’. But the links in the email pointed to a .ru (Russian) website.

American Airlines email spoofing example

Ironically, while Gmail delivered this message to his inbox, a transactional email from the airline that he was waiting for ended up in spam.

3. Convincing email design

Thanks to the availability of image editing tools, just about anyone can be an amateur email designer. In many cases, all it takes is a logo and the right button color to produce something that’s pretty believable.

Most people have probably seen hundreds of Amazon emails in their life, which is exactly why a phishing email like this one feels legit. Of course, it’s not legit at all.

Amazon email phishing example

Commonly spoofed brands such as Amazon often have ways for customers to report phishing so these scams can be investigated and shut down.

4. Package tracking trick

We all like to get packages, even when they’re unexpected. Getting an email about a delivery sparks our sense of curiosity. That’s why DHL and other shipping/logistics companies have become frequent targets of brand spoofing.

DHL email spoofing example

The team at Sensors Tech Forum says DHL scams keep cropping up as attackers get better and better at spoofing the brand so they can nab personal info or install malware.

5. Spam or not?

PayPal got so frustrated with being spoofed by scammers that it helped lead the way in developing a more effective way to authenticate emails. That hasn’t stopped the spoofing.

Here’s a typical PayPal phishing email. But what’s interesting about it is a line at the very end. The scammers ask the recipients to mark the fake email as “not spam” if it ended up in their junk mail. Nice touch.

PayPal scam email

There are many other ways to spoof a brand in the inbox. But, why should email marketers care and what can be done about it?

Email spoofing and brand reputation

An organization isn’t liable if attackers impersonate the brand. Unless it is connected to a data breach, companies can’t be sued for email spoofing. However, that doesn’t mean there’s no need to worry about it, and it doesn’t mean you shouldn’t try to stop it either.

Attacks using your company’s identity to commit fraud can have a direct impact on your business and your email marketing efforts. While your brand isn’t to blame for email spoofing, your subscribers and customers may not see it that way. They may wonder, “How could they let this happen?” As CTO Salvatore Stolfo writes in CPO Magazine:

“Phishing was once aimed mostly at banks and financial institutions, but clearly, that is changing. If a company has a website requiring customers to log in, they are at risk. And so is their brand’s reputation.”

Consulting firm BRP found 63% of consumers will stop doing business with retailers after just one bad experience. How do you think consumers will feel after a brand they trusted was used to trick them into an identity theft scheme? Not good!

Cofense.com cites research that suggests 42% of customers are less likely to do business with brands after falling victim to a phishing attack.

At the very least, subscribers who get fooled by email spoofing will think twice every time they see an email from you in their inbox. If it happens to enough people, that’s going to impact your engagement rates and the effectiveness of email as a marketing channel.

When Frost & Sullivan surveyed thousands of information security execs, they found that 71% said avoiding harm to the brand was their top priority. To make that happen, email marketers and cybersecurity teams can work together to thwart email spoofing with email authentication protocols.

How email authentication helps


The most effective way for brands to protect their reputation against email spoofing is to implement technology that helps mailbox providers verify the identity of the sender.

There are four main email authentication protocols that make up for what SMTP lacks. Each one is a record or policy that gets published in the DNS (Domain Name System) for the domain from which the sender is sending email.

SPF (Sender Policy Framework)

An SPF record is published in the DNS listing the IP addresses (and hosts) that are authorized to send mail on behalf of the domain. Receiving mail servers look up the record for the sender’s domain and check whether the server that delivered the message is on that list.

DKIM (DomainKeys Identified Mail)

The DKIM protocol attaches a digital signature to each email, created with a private key that only the sender holds. Mailbox providers verify that signature with the matching public key published in the DNS, which helps them detect forged sender information in the email header. Like a password, DKIM keys need to be rotated periodically.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is a customizable policy published in a sender’s DNS that builds on SPF and DKIM. The policy tells mailbox providers what to do with email claiming to come from the domain when it fails authentication. DMARC will instruct the mailbox provider to either take no action (monitor only), quarantine the email by sending it to spam, or reject/block the email from being delivered.

BIMI (Brand Indicators for Message Identification)

BIMI is a newer email authentication protocol that can help subscribers identify email spoofing attempts. With BIMI correctly implemented, a brand’s logo will appear next to messages in the inbox. In order to get BIMI to work, senders must also have a working DMARC policy that is set to either quarantine or reject.
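As an added example (not code from the original post or from Email on Acid), here are constructed SPF, DMARC and BIMI TXT records for a hypothetical domain, example-brand.test, together with the check DMARC performs over the SPF and DKIM results: a message passes only when SPF or DKIM passes and the authenticated domain aligns with the visible From domain, and BIMI is only eligible once the DMARC policy is enforcing. The ESP include host and logo URL are placeholders, and the receiver’s raw SPF/DKIM results are passed in rather than computed.

```python
# Added example (not from the original post): constructed SPF, DMARC and BIMI records
# for the hypothetical domain example-brand.test and the alignment check DMARC layers
# on top of raw SPF/DKIM results. No real DNS lookups are made.
DNS_TXT = {  # constructed zone data; the ESP include and logo URL are placeholders
    "example-brand.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example -all",
    "_dmarc.example-brand.test": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-brand.test; aspf=r; adkim=r",
    "default._bimi.example-brand.test": "v=BIMI1; l=https://example-brand.test/logo.svg;",
}

def parse_tags(record):
    """Turn a 'tag=value; tag=value' DMARC or BIMI record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    # Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match.
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(header_from, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """'pass' if SPF (evaluated on the envelope sender domain) or DKIM (the d= domain)
    passed AND aligns with the visible From domain, else the published policy action."""
    record = DNS_TXT.get(f"_dmarc.{header_from}") or DNS_TXT.get(f"_dmarc.{org_domain(header_from)}")
    if record is None:
        return "no-policy"  # receiver falls back to its own spam filtering
    tags = parse_tags(record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

def bimi_eligible(domain):
    """BIMI shows the logo only when DMARC is enforcing (quarantine or reject)."""
    dmarc = DNS_TXT.get(f"_dmarc.{domain}")
    bimi = DNS_TXT.get(f"default._bimi.{domain}")
    return bool(dmarc and bimi and parse_tags(dmarc).get("p") in ("quarantine", "reject"))
```

A spoofed message whose SPF passes for the attacker’s own envelope domain still fails here, because that domain does not align with the brand’s From domain; that alignment step is what DMARC adds beyond SPF and DKIM on their own.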

Email authentication can seem complicated and technical. It’s important for marketers to get involved, but it’s also likely you’ll need assistance from IT, security teams, and your email service provider (ESP) so that these records are correctly published on the DNS.

Find out more about all this in our guide to email authentication protocols.

Download our free BIMI report!


Besides the benefit of protecting your customers and your brand’s reputation, email authentication also supports deliverability. Without proper authentication, it’s more likely that mailbox providers will mistake legitimate messages for spam. The presence of email authentication protocols also supports sender reputation, which in turn leads to better email deliverability.

Gain control of email deliverability

Email deliverability may seem like a mystery that’s out of your team’s control. However, by following best practices, working with reliable partners, and using effective tools, you can vastly improve your chances of making it to the inbox.

Email on Acid’s deliverability features include spam testing on nearly two-dozen filters and blocklist monitoring. Rather than finding out your email went to spam after hitting the send button, you can take steps to improve deliverability before a campaign launches.

If you’re using Pathwire’s email marketing solutions, you can also get help from deliverability experts who can guide you through setting up email authentication protocols. Check out the email deliverability apps and services to learn more.

Concerned about email deliverability?

Check out our email deliverability guide from the experts at Mailgun Optimize. Learn the ins and outs of how to stay out of spam folders and make sure your campaigns make it into your subscribers’ inboxes.

Improve Deliverability to Hit More Inboxes!

Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Sinch Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.
