How to forge email

In my day job as the communications guy for ValiMail, I spend a lot of time explaining how easy it is to create fraudulent emails using an email address that doesn’t belong to you.

A faked “from” address is, in fact, how the majority of email attacks happen. And email attacks (aka phishing) are how the majority (actually the vast majority) of cyberattacks begin. So the ease of faking emails from people is a major vulnerability.

But, you ask, why would I bother faking an email from “company.com” when I could just register a fake lookalike domain (like c0mpany.com) and use that? Or create a Gmail account ([email protected]) and give it a friendly name that looks like the CEO of a company?

Well, actually, it’s significantly easier to forge the address of a real person at a real company than it is to register a fake domain, or even to create a throwaway Gmail account.

Here’s how easy it is.

Website mailer

Find a website like deadfake, which describes itself as “a site that lets you send free fake emails to anyone you like.” Or anonymailer.net. Or spoofbox.com. There are dozens. Many of them are free, some cost a little money to send mail. Then:

Enter your recipient’s email address in the To: field.

Put whatever email address you want in the From: field.

Craft your message and press the Send Now! button.

Here’s a message I sent to myself using President Trump’s address. Note that Gmail is a little suspicious of the source — that’s why it put a little red question mark next to the address.

Unix command line

If you have a computer that’s set up with mail services — or you can telnet or SSH to a computer that has mail services — you can forge a from address with one line. Just type this:

That creates a message that says “[email protected]” in the From field. Type in a subject line and the rest of your message, press Ctrl-D when you’re done, and off the message goes.

This doesn’t work in every version of Unix, and whether it works at all depends on how your system is set up (whether it’s connected to Sendmail, etc.). Still, this is the basic idea and it works in many systems.

PHP

Because I’m not very sophisticated about programming I use PHP when I need to code stuff for my personal websites. It’s fast, easy, and used by about 90% of the people (like me) who don’t know any more about programming than they were able to pick up through Google searches and by stealing snippets of code published on various public forums. (Which is also why PHP is often accused of being insecure.) Hey, I built a whole website content management system in PHP. If I can figure it out, how hard can it be?

Without getting into all the pros and cons of PHP, I will say that it is perfect for email purposes. You can forge emails with five lines of very simple PHP code:

Note: These are actual lines of code used as an example in the online manual for PHP’s mail() function. I took out a couple of lines you don’t actually need.

Again: configurations vary; maybe this won’t work on every version of PHP on every server.

Email Is a Very Trusting Place

The email world, until quite recently, was an entirely trusting place. Most of it still is. No matter who I am, if I use the Unix mail command or PHP mail(), the email goes off into the internet and the internet obligingly delivers it to whomever, with the exact headers that I specified. Nobody checks to see if I own the address I used in the from field. Nobody cares.

Well, almost nobody: As I noted above, Gmail and some other mail clients are starting to flag mail that looks suspicious, like my anonymailer message. Still, that’s dependent on the client you use and/or the receiving mail server.

Granted, these spoofing tools are pretty simplistic. If I want to do some fancier formatting and make my messages look even more realistic, it takes a little more work. But the basic forgery is just that simple.

The only thing truly stopping fake From addresses is email authentication using a standard called DMARC. But that only works if the domain you’re trying to fake has published a DMARC record and set it to an enforcement policy. Then, and only then, will almost all email servers that receive messages (Gmail, Yahoo Mail, etc.) block the faked emails.

Fortunately for fraudsters, most of the Internet’s domains haven’t done this yet. For example, only about 4% of .gov domains have protected themselves.

As for the other 96%? Fraudsters can forge emails from those domains all day long with no repercussions.

Domains like justice.gov. House.gov. Senate.gov. Whitehouse.gov.

And also domains like democrats.org, dnc.org, gop.com, rnc.org. And DonaldJTrump.com.

All of them can be easily faked by email scammers with access to a Unix command line or some rudimentary PHP skills. And, as we are learning, scammers have been taking advantage of that vulnerability. For instance, according to one source, one in four email messages from .gov domains are fraudulent.

And that’s why I am trying to get the message out: It’s way too easy to fake emails from most sources. We need to start authenticating our email, today.

Most people don’t realize how easy it is to forge an email. Say my brother John Doe uses the email address [email protected]. If I get an email from that address, it’s natural to assume that John actually sent it. In fact, it’s also remarkably easy for an attacker to have sent it.

To illustrate this, in this post I describe one way to send an email that appears to come from someone else. I do this not to help attackers (who already know how to forge emails), but rather to put everyone else on their guard by demonstrating how untrustworthy the "From" field of an email is. With that in mind, please use these directions responsibly.

1. Draft it

First, write up your fake email using this template:

2. Send it

Then send it from a Linux server that has sendmail installed and set up:

3. Done!

There, it’s that simple. You sometimes have to play around a bit so that you bypass the recipient’s spam filter, but it’s usually not hard. To see this in action, take a look at what happened when I sent the above forged email to myself (replacing Jane’s example.com address with my own Gmail address):

As you can see, this little trick easily fooled Gmail. Amusingly, not only does Gmail not send this email to spam or warn me about phishing, but it also marks it as "important", perhaps out of concern for my brother John and his desperate need for Mom’s social! (Okay, that’s not fair: Gmail marks it as "Important mainly because of the people in the conversation").

Of course, in a real situation I’d be wary of an email asking me for my mom’s social, from someone claiming to be my nonexistent brother John, and who on top of that mistakes the gender of his own sibling. But you can easily imagine an attacker carefully crafting a more convincing message to you with devastating effects. Be on your guard.

Forged email, or spoofed email, is a tactic used by scammers to commit fraud. The purpose of an email forgery, as its name implies, is to fake a message so that it looks legitimate. Forged emails are the basis of phishing and spam attacks. They are widely used by cybercriminals because people are more open to interact with emails from people and brands they already know.


Check out our list of 5 types of forged email attacks

1. Compromised Email Account

This is one of the most dangerous types of email attack. A compromised email account attack happens when your email account has been hacked and then used for other attacks. Typically, this scam starts with a spam or phishing message.

Using a malicious link or malicious attachment, the attacker gains access to your credentials or to your entire device. At this early stage, criminals often use different types of malware to gain control over your computer. Then, with free access, they can send emails as if they were you.

If you have heard about BEC (Business Email Compromise), you already know about the damage that an attack using a compromised email account can do.

2. Forged Envelope Sender attack

The Envelope Sender is also known as Envelope From, SMTP From and Mail From. In general, this address is only used by your mail server, so it may be visible to you or not depending on your email provider. When a criminal falsifies the Envelope Sender, he’s trying to use the domain of a known company to earn your trust and bypass the mail server’s filters.

3. Forged Header Sender attack

The Header Sender can be called by other names as well: Header From and Message From. This is the address that appears in your mail application. Unlike the Envelope Sender, it’s always visible to the end user.

The goal of a forged Header Sender attack is the same as a forged Envelope Sender attack. The difference between them is that spoofing the display name of the sender gives more credibility to the scam, since people trust what they can see and read in the from field.

4. Cousin domain attack

A cousin domain attack, or similar domain attack, happens when the criminal tries to trick you by using a domain that looks like the real one. This type of fraud involves adding or removing characters in the address.

For example, the attacker can swap a “t” for a “1” or an “e” for a “3”. Instead of “[email protected]”, the address could be “[email protected]”. Or “[email protected]” would become “[email protected]”. It’s a subtle change that can catch someone who is distracted or in a rush.

5. Free email account attack

The free email account attack uses a valid free email account, such as Yahoo or Gmail, to deceive people. For example, the scammer may impersonate a director of a company, saying that he is using a personal email because he was unable to access the company’s network.

This attack is interesting to fraudsters because, as it’s a valid email, it usually doesn’t get stuck in filters and authentication protocols.
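A receiving-side check for attack types 2 to 4 above, written as an added example that is not part of the original article: it compares the envelope sender recorded in Return-Path with the visible From header and flags domains that sit within a small edit distance of a known one. The messages, addresses, `KNOWN_DOMAINS` list and distance threshold are constructed assumptions, and the alignment test is a simplified stand-in for the organizational-domain comparison real receivers perform.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this mailbox really corresponds with.
KNOWN_DOMAINS = {"example.com", "example.org"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS, max_distance=2):
    """Return the known domain that `domain` imitates, or None.

    An exact match is legitimate; a near miss (added, removed or swapped
    characters) is treated as a cousin domain. The threshold is an assumption.
    """
    if not domain or domain in known:
        return None
    for good in sorted(known):
        if 0 < edit_distance(domain, good) <= max_distance:
            return good
    return None


def analyse(raw_message):
    """Compare envelope sender and header sender of one raw message."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg["Return-Path"])   # Envelope From, as recorded on delivery
    visible = domain_of(msg["From"])           # Header From, shown to the user
    # Simplified alignment: same domain, or envelope is a subdomain of it.
    aligned = bool(envelope) and (
        envelope == visible or envelope.endswith("." + visible))
    return {
        "envelope_domain": envelope,
        "header_domain": visible,
        "aligned": aligned,
        "lookalike_of": lookalike_of(visible),
    }


# Constructed sample: the visible From names a known domain, the envelope does not.
SPOOFED_HEADER = (
    "Return-Path: <bounce@bulk-sender.test>\n"
    'From: "Pat Lee" <pat.lee@example.com>\n'
    "To: sam@example.org\n"
    "Subject: Quick favour\n"
    "\n"
    "Constructed body.\n"
)

# Constructed sample: both senders agree, but on a cousin of example.com.
COUSIN_DOMAIN = (
    "Return-Path: <pat.lee@examp1e.com>\n"
    'From: "Pat Lee" <pat.lee@examp1e.com>\n'
    "To: sam@example.org\n"
    "Subject: Quick favour\n"
    "\n"
    "Constructed body.\n"
)

# Constructed sample: a bounce subdomain of the visible domain, as bulk mail often uses.
LEGITIMATE = (
    "Return-Path: <bounces@mail.example.com>\n"
    'From: "Pat Lee" <pat.lee@example.com>\n'
    "To: sam@example.org\n"
    "Subject: Minutes\n"
    "\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed header", SPOOFED_HEADER),
                      ("cousin domain", COUSIN_DOMAIN),
                      ("legitimate", LEGITIMATE)):
        print(name, analyse(raw))
```

The cousin-domain message passes the alignment check, which is why lookalike detection has to be a separate test.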

Protection against forged email attacks

The best way to fight forged email attacks is to combine different engines, protocols and software, such as anti-spam, anti-virus, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). If you need a complete solution, designed for businesses of all sizes, take a look at Secure Email Gateway software.

Want to send fake emails to prank your friends and family? Here are some of the best prank email generators out there.

If you want to send fake emails to prank your friends and family, there are a few online services worth exploring. They each have slightly different features and use cases.

Keep reading to learn about seven of the best prank email generators and how you can use them to make an email look like it was sent from someone else.

1. Deadfake

Deadfake is one of the most well-known prank email generators on the web. The service has been responsible for sending almost two million fake email messages since it first went online.

The app lets you send fake emails to anyone you want. Better yet, you can make the email appear that it’s from any person of your choosing as well.

To aid anonymity, you don’t need to register on the site or provide your personal details to Deadfake to use the service.

When creating your fake email, you can format it using the native text editor. Make sure you use a real domain in the From field, or the email will bounce, and your attempts to make an email look like it was sent from someone else will fail.

2. Emkei’s Mailer

Emkei’s Mailer provides a similar service to Deadfake. You can choose the From Name, From Email, To, Subject, and Message.

The most significant difference between the two services is Emkei’s Mailer’s support for attachments. As per most email services, the maximum attachment size is 25MB.

Emkei’s Mailer also offers a plain text editor and an HTML editor while you’re composing your message. As such, the app is simple to use for a quick one-liner, but can also be deployed when you want to make a fake email message look a bit more convincing.

3. Send Anonymous Email

Send Anonymous Email is a web app that can make an email look like it was sent from someone else. It claims more than 60,000 anonymous emails are sent from its servers every day. That number sounds high to us, but it’s clearly a widely-used app regardless of the real figure.

The service’s options and features are the least extensive of the three sites on the list so far. You can only specify the receiver’s email, sender’s email, subject, and message. There are no attachments, and only a standard plain text editor is available.

You cannot add colors, change the font, or fiddle with other formatting options. You’ll need to enter the security code before Send Anonymous Email will let you send your fake message.

It’s worth noting that Send Anonymous Email takes a serious stance on abuse of its services. In the company’s terms, it says if you send death threats, abuse, slander, or anything illegal, the company will publish your IP address and block you from the site.

(Note: The same company provides additional services for sending anonymous or fake SMS messages.)

4. Spoof Box

Spoof Box has the most modern-looking site on the list. It is also one of the only services that let you send fake emails from either your Android or iOS device; a free app is available for both operating systems.

The service has one feature that is unique among the prank email generators we’ve looked at—you can send your fake email message to up to 10 email addresses at a time. Just separate each address with a comma in the To field.

On the downside, you can only send 30 fake emails for free. Thereafter, you need to earn credits by following Spoof Box on its various social media platforms.

Download: Spoofbox for Android | iOS (Free, in-app purchases)

5. ZMail

ZMail provides a unique way to send fake emails or play an email spam prank. That’s because it is the only service on our list that works via a desktop app rather than via a web app.

Don’t worry; you don’t need to fret about viruses and malware. ZMail is open source; anyone can check out the code to make sure it’s safe.

Sadly, the app is only available on Windows. Mac users will have to stick to one of the web apps we have discussed.

6. GuerrillaMail

None of the services we’ve looked at so far will allow you to receive email replies; they do not provide an inbox service.

However, some services—such as GuerrillaMail—do provide an email inbox and can be used to send a fake email. But there is a trade-off. You cannot send the fake email from someone else; GuerrillaMail does not let you add a custom From address. You can set any username you wish but are restricted to one of the app’s preselected domains.

Furthermore, emails in the inbox are only saved for 60 minutes. Thereafter, GuerrillaMail will automatically delete the messages from its servers. If you don’t regularly check for responses to your prank, you risk missing the fallout altogether.

7. Letter Generator

We’ll leave you with something a bit different. Letter Generator lets you generate fake letters using topics and keywords of your choosing.

The service is the perfect app to use when you’re not sure what to write in your fake prank email. Pair this app with one of the fake email services we’ve already discussed, and you’ve got a winning prank on your hands.

The topics available include employment, relationships, apartment rentals, and even song lyrics.

Letter Generator is entirely free to use, and there are no restrictions on the number of letters you can generate.

Use Fake Email Generators Responsibly

Services that let you send fake emails can easily be abused. The act of sending fake email from someone else raises ethical and moral concerns. And depending on the content of your message (and the actions the recipient takes in light of it), there could even be legal consequences.

Sure, fake emails can provide a bit of fun among family and friends. But don’t send prank emails that could cause alarm, sadness, or panic. And it goes without saying that you shouldn’t impersonate the police or other emergency services.

To learn more about pranking people, check out our article on the best ways to play geeky pranks on your friends.

Sending an email from an email account that you don’t control is called email spoofing. The problem with spoofed messages compared to other phishing messages (e.g. Nigerian Prince schemes) is that spoofed emails usually impersonate someone the recipient trusts. Essentially, the attacker is claiming the “sender’s” identity and abusing their credibility to trick the victim into taking some action. This can be a funny prank or extremely damaging to the target and the victim.

Since it’s such a common problem, it seems like it must be easy to do. To find out how easy it is to send a spoofed email, I gave it a try. It turns out it’s incredibly simple. Here’s how you can send a spoofed message.

Step 1: Choose a Method

There are multiple methods for spoofing a domain. Some are very technical, some are not. To find them, all it took was a Google search. I used a website to send a spoofed message for me, which was one of the top search results.

Step 2: Select a Target

The target of your spoofed email is the domain that you are impersonating, which becomes the ending of the “from” address you choose. If I want to impersonate Facebook, I might use “[email protected],” but I can’t spoof facebook.com because it has a DMARC Reject policy.

The target domain needs to be a registered domain; you can’t spoof a domain that doesn’t exist. In addition, it needs to be a domain that’s not using a DMARC Quarantine or Reject policy. A None policy can be spoofed, although the domain owner should notice your spoof. I used gatech.edu, which is not using DMARC. To see if a particular domain is using DMARC or what its DMARC policy is, use Fraudmarc’s Email Security Score tool. For more information about Fraudmarc’s Email Security Scores, see our post, Understanding Fraudmarc’s Email Security Scores.

You’ll also need a name for the “from” field. This can be anything, but typically it’s a person’s name. I used George P Burdell to match the “from email address,” [email protected].

Step 3: Select a Victim

The victim of your spoofed email is the recipient of your message. This can be a fun way to prank your friends and colleagues. Or it could be more malicious. These emails are very convincing. I chose my boss.

Step 4: Write Your Message

This is the same as writing an email from your account, except you are posing as someone else. College students have sent messages to their roommates “from” potential employers saying they got a job offer, and high school students have emailed their school “from” their parents to excuse themselves from classes. People have also emailed their colleagues “from” their bosses to get out of work responsibilities. The possibilities are endless. While some scenarios lead to laughs, others can have costly or devastating consequences.

For my prank, I sent this:


Step 5: Send Your Spoofed Message

Once I filled in all the fields on the website, I hit send, verified that I’m not a robot, and the website showed that the email was successfully sent. That was too easy.

The Results

My boss was not fooled. Of course, he is the CEO of a cybersecurity company, and I sent an email from an infamous Georgia Tech alumnus requesting an outrageous pay increase. However, when we examined the email header, which contains all the details about the email, there was no difference between the spoofed version and a legitimate email from gatech.edu.

It’s Time to End Spoofed Emails

Once I found the site, it took me less than 5 minutes to send the message. A 5th grader could do it. While my example is meant to amuse, this should be alarming to anyone who values their domain, which represents their brand. Although spoofing a domain is surprisingly easy, so is protecting domains from spoofing. DMARC fixes this problem by blocking this type of phishing attack. To understand more about the features of DMARC, see Fraudmarc’s post, What DMARC Can & Can’t Do for Domains.

Fraudmarc Can Help

A domain with a Quarantine or Reject policy can’t be so easily spoofed because DMARC works to secure domains against spoofing. To learn how DMARC works, check out our info page, What is DMARC. The more restrictive DMARC policies block spoofed messages from inboxes because spoofed messages don’t pass email authentication (SPF and DKIM). With no DMARC policy or with the monitor-only None policy, the spoofed email is delivered despite failing email authentication.
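For a domain owner auditing their own record, the difference between a published DMARC record and an enforcing one (the point made here and in the earlier DMARC discussion on this page) can be checked mechanically. The following is an added example, not Fraudmarc’s tooling or code from the original page; the record strings are constructed, the status labels are this example’s own, and fetching the TXT record at `_dmarc.<domain>` is left out so the block runs offline.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns {} when the string is not a DMARC record: the first tag
    must be v=DMARC1, otherwise receivers ignore the record.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return {}
    name, _, value = parts[0].partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return {}
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            # Keep the first occurrence of a repeated tag.
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def _status(policy, pct):
    """Map a policy and its pct sampling rate onto this example's labels."""
    if policy == "none":
        return "monitor-only"          # reports only, spoofed mail still delivered
    return "enforced" if pct >= 100 else "partial-enforcement"


def assess(txt):
    """Classify how much protection a DMARC record gives a domain."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"status": "no-record", "subdomain_status": "no-record"}
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return {"status": "invalid", "subdomain_status": "invalid"}
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100                      # unparsable pct: fall back to the default
    # sp overrides the policy for subdomains; without it they inherit p.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in POLICIES:
        sub_policy = policy
    return {
        "policy": policy,
        "pct": pct,
        "status": _status(policy, pct),
        "subdomain_status": _status(sub_policy, pct),
    }


# Constructed records covering the cases a domain owner runs into.
SAMPLE_RECORDS = {
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "sampled": "v=DMARC1; p=quarantine; pct=25",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none",
    "spf-not-dmarc": "v=spf1 include:_spf.example.com ~all",
    "misordered": "p=reject; v=DMARC1",
}


def audit(records=SAMPLE_RECORDS):
    """Return {label: status} for every sample record."""
    return {label: assess(txt)["status"] for label, txt in records.items()}


if __name__ == "__main__":
    for label, txt in SAMPLE_RECORDS.items():
        print(f"{label:16} {assess(txt)}")
```

A record with `p=reject; sp=none` shows why the subdomain status is reported separately: the main domain is enforced while mail claiming to come from its subdomains is only monitored.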

Fraudmarc makes blocking spoofed email easy for the domain owner. Fraudmarc offers a variety of plans and tools, including free options, to help every domain block spoofed emails using DMARC. Fraudmarc’s tools help with managing and monitoring as many authorized senders and DKIM selectors as required for your business. Fraudmarc uses SPF Compression, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Fraudmarc’s DMARC reports are free, so you have the information you need to configure your policies accurately. For some tips on how to implement a Reject policy, see Fraudmarc’s post, How to Implement a Reject Policy. If you want more hands-on assistance with this, let us know.

Online privacy is incredibly important, but it’s hard to keep your identity secure when you have to give your email address away whenever you join a website. And if your email address is just your name — looking at you, [email protected] — you could be giving away even more data.

That’s where Apple’s “Hide My Email” service comes in. Hide My Email is a feature that lets you sign up for websites and fill out forms with a fake email address. This keeps people from seeing your email address, and still lets you get the emails you want.

Here’s how to use Hide My Email, and manage your fake email addresses.

How to use Hide My Email on your iPhone

Hide My Email is available to all users with iOS 15, but you’ll need iCloud+ to use it in some places.

You’ll see Hide My Email as an option in two situations:

Using Sign in With Apple

A few years ago, Apple launched the Sign in With Apple program. This lets you make accounts in new apps using your Apple ID information. It’s a quick way to get started in an app without having to remember a new username and password.

1. Open an app that offers Sign in With Apple as a choice when creating your account, and pick that option.

You should be given a choice: You can pick Share My Email, which gives the app your real email address; or Hide My Email, which will give them a fake one.

2. Pick Hide My Email, and then Continue.

Going forward, any email the app sends you will still be sent to your real email address, but the app won’t know what that address is.

Anyone with an Apple ID account can use this feature.

Signing up for a new service or filling out a form

This feature is only available to iCloud+ users.

When you fill out forms online, they usually ask you for your email address. Hide My Email works here, too.

1. Tap the text field that asks for your email address.

2. If your phone recognizes that it’s asking for your email, you’ll see Hide My Email appear as an autocomplete option. Tap it.

3. A menu will appear and offer you a randomly generated email address. Tap the refresh button next to it to get a new one, or Continue to save and use it.

4. On the next screen, give the fake email a Note so you can remember what it’s being used for, then tap Use.

Sending emails from a fake email address

Newer versions of iOS 15 let you make a Hide My Email address straight from the Mail app, and use it to send emails from that fake address.

1. Open the Mail app and start composing an email.

2. Tap the From field and select Hide My Email.

As you start writing the rest of the email, your phone will create a fake email address for you.

How to find and delete your Hide My Email addresses

You can manage all of your fake Hide My Email addresses from the Settings app.

1. Open the Settings app and tap your name at the top of the page.

2. Tap iCloud, and then Hide My Email.

3. You’ll see a list of all the emails you’ve created, the option to create a new one right away, and a tab that lets you change where your emails get forwarded to. Creating a new email here will give you an address that you can freely use anywhere, even if you’re not offered the Hide My Email option.

4. If you tap on one of your existing addresses, you can change its label and note or Deactivate it. Deactivating the address won’t delete it, but emails sent to it won’t be forwarded to you anymore.

Deactivated email addresses can be reactivated by going back to the main Hide My Email page and selecting Inactive Addresses.

Verifying that an email came from Facebook is incredibly simple, but only if you know where to look. We show you how.

How to forge email (Illustration: René Ramos)

If you work for a company of any size that is even remotely online, chances are good you’ve had to undergo some training on how to spot phishing (fraudulent) emails. Even if you don’t, you may have gained a certain amount of expertise in how to spot phishing scams just by virtue of receiving tons of them.

If the sender’s email domain is not quite the same as the supposed sending company, that’s a red flag. A message from an address at paypal.com may very well be fine; one from paypal-acount-verefy.com probably isn’t. Messages telling you to click a link before some deadline or else lose access to your account are also highly suspect.

It’s too bad that Facebook seems to be sending legitimate mail that raises these flags. Just how do you determine if an email that seems to be from Facebook is legitimate? The best security suites are good at detecting phishing emails, but what if you want to check a particularly tricky message for yourself? I’ll show you the process I went through with one such email, below.

A Strange Message From Facebook

I started looking into this problem when an old friend of mine asked about a slightly odd email he got, purportedly from Facebook. It noted that since his posts have “the potential to reach a lot of people,” he’s required to enroll in Facebook Protect. Not only that, if he doesn’t do it within about three weeks, he’ll be locked out of the account. There’s that pesky deadline. To top it off, the message was sent from the domain facebookmail.com—a variation on what you’d expect. That’s two strikes. Oh, and according to its own description, Facebook Protect was designed for “candidates, their campaigns and elected officials.” My friend doesn’t fit any of those categories.

And yet…the message is not asking him to send money, or give away his password, or anything nefarious. It’s insisting that he increase his security. How would a scammer benefit from that? Also, strange as it seems, Facebook confirms that it uses the facebookmail.com domain to send official emails. Could it be that the message is legitimate?

How to Verify Whether an Email Is From Facebook

As it turns out, verifying that an email came from Facebook is incredibly simple—but only if you know where to look. Here’s how.

Go to Settings. On your own Facebook profile page, find the down-pointing triangle icon at top right. Click it, then choose Settings & Privacy > Settings to open the main Settings page.

Find Facebook’s List. Near the top left you should find Security and Login. Click that and scroll down to the Advanced section. Click the item titled “See recent emails from Facebook.”

Match Your Message. If you see a match for the questionable message’s subject line, you can be pretty sure it’s legitimate. Be sure to look both in the list of Security-related messages and in the list titled Other. Note that Instagram has a very similar feature—not surprising, as both Facebook and Instagram are owned by Meta Platforms.

Other Ways to Verify

If the message you’re wondering about doesn’t appear in the list of messages sent by Facebook, that should make a strong case for it being a fraud. By observation, though, this may not be the case. I shared the instructions above with my friend who received that suspect message. He reported no matches in the list of messages. On the flip side, he pointed out that Facebook recently extended the Facebook Protect program to a wider audience, including journalists. As it happens, he’s a journalist, living outside the US.

At this point I was convinced that, despite its quirks, the message was probably legit. To further support this judgment, I combed through the original message and checked all the links. A scam message that uses deadlines or other scare tactics to make you click a link will almost certainly link to a dangerous page. All the links in this message went straight to facebook.com.

That left the very unlikely possibility that somebody spoofed the sending address, [email protected]. Nothing I’d learned thus far suggested any possible motivation for that sort of hack, but I checked anyway.

The Proof Is in the Header

Every email message comes with a collection of routing information and other metadata hidden away in its header. You don’t normally see this data. It’s not intended for you—it’s for use by your email client. But if you want to check for signs of address spoofing, you must dig into that header data.

Just how you view an email message’s header data varies depending on how you get your mail. In Gmail, you click the More icon (three vertical dots) to the right of the Reply icon and select Show Original. This immediately showed that the message passed three tests designed to detect spoofing: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). That’s all I needed to know; I didn’t bother clicking Download Original to view the precise details of header data.
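The SPF, DKIM and DMARC verdicts that Gmail summarises come from the Authentication-Results header, and the same check can be done on a saved message. This is an added example, not code from the original article; the messages, hostnames and the `trusted_id` value are constructed, and the parser covers the common `method=result` layout rather than the full header grammar.

```python
import re
from email import message_from_string

COMMENT = re.compile(r"\([^()]*\)")                 # (free-text remarks)
METHOD = re.compile(r"([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)


def auth_verdicts(raw_message, trusted_id):
    """Return {method: result} from Authentication-Results headers.

    Only headers stamped by `trusted_id` (your own receiving server) count.
    A sender can put any header they like into a message, including a fake
    Authentication-Results line; RFC 8601 expects the border server to
    remove incoming headers that carry its own identifier.
    """
    msg = message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        value = COMMENT.sub("", " ".join(str(value).split()))   # unfold, drop comments
        authserv, _, results = value.partition(";")
        ident = (authserv.split() or [""])[0].lower()
        if ident != trusted_id.lower():
            continue                                            # not ours: ignore
        for clause in results.split(";"):
            m = METHOD.match(clause.strip())
            if m:
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def spoof_check(raw_message, trusted_id):
    """Summarise the DMARC verdict, which is the one tied to the visible From.

    DMARC passes when SPF or DKIM passes for a domain aligned with From.
    """
    dmarc = auth_verdicts(raw_message, trusted_id).get("dmarc")
    if dmarc is None:
        return "unknown"            # no verdict from a server we trust
    return "authenticated" if dmarc == "pass" else "not-authenticated"


# Constructed sample: all three checks pass at the receiving server.
LEGIT = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@news.example.org header.s=sel1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@news.example.org;
 dmarc=pass (p=REJECT) header.from=news.example.org
From: Security <security@news.example.org>
Subject: Constructed sample

Body text.
"""

# Constructed sample: the receiver recorded failures, and the message also
# carries a sender-supplied header from another host claiming success.
FORGED = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=bounce@bulk.test;
 dkim=none;
 dmarc=fail (p=NONE) header.from=news.example.org
Authentication-Results: mail.unrelated.test; spf=pass; dkim=pass; dmarc=pass
From: Security <security@news.example.org>
Subject: Constructed sample

Body text.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, auth_verdicts(raw, "mx.example.net"),
              spoof_check(raw, "mx.example.net"))
```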

A lot of people think you can stop online tracking by the big-tech data machine by typing in a fake name when you sign up for a new service. Unfortunately, that won’t do much to keep companies from watching you online. That’s because they use so many other pieces of information to track consumers.

But hiding another piece of information—your email address—actually will work to reduce online tracking, privacy experts say.

“Email is one of the main ways that services link your identity together across different sites and activities,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. As the internet moves away from cookies, email tracking may become more important to marketers, so fake email should become even more useful over time.

It won’t stop tracking altogether, Brookman says, “but using different email addresses for different businesses makes it a little harder to correlate your activity, and in some cases it will interrupt it entirely.”

That means companies won’t collect quite as much data on details such as your political views, shopping habits, work life, hobbies, and finances. And, as a bonus, using a fake email address can also cut down on spam.

You can create lots of alternate email accounts yourself, but several services will do the work for you, including Sign in with Apple and Firefox Relay, which just launched a new premium tier.

Sign In With Apple

If you’re an Apple user, you can access a built-in tool that will help with email aliases on participating apps and services.

When you sign up with a compatible app or website, you’ll see a “Sign in with Apple” button. Tap it, and you can use your iCloud account to log in instead of creating a brand-new username and password.

You’ll see a pop-up that walks you through the process. If you want, you can share your real email address with the service, but the savvy move is to use a feature called “Hide My Email.”

Do that, and Apple will generate a random, unique email address and share that with the service you’re signing up for. Companies will still be able to reach you—any emails they send you will be forwarded to your regular email inbox—but they won’t know your real address.

Sign in with Apple is a great privacy supplement to keep your identity hidden from apps and a variety of websites.

You don’t have to keep track of the fake emails: Apple plugs that information in for you when you’re at the log-in screen. You can change the emails you’ve shared and even turn off email forwarding so you don’t get spam using the settings on your iPhone or iPad, or on iCloud.com.

Apple says it won’t read the content in the emails that companies send you, aside from doing some automatic spam filtering.

Firefox Relay

There are several advantages to using the Firefox web browser. It’s a more privacy-focused alternative to Google Chrome, which has Google’s tracking and data harvesting built in. And it gives you access to tools like Firefox Relay.

Firefox Relay is a fake email management service. You can create up to five fake email addresses free, or get unlimited fake emails under the premium tier, which launched this week for 99 cents a month.

Just like Sign in with Apple, Relay will forward emails sent to your aliases to your regular email inbox, or you can block all incoming mail. Relay has the advantage of being available on any platform, whether or not you have an Apple ID.

You can use the Relay website to generate the email addresses and copy them into apps and services, but the easiest way is to download the Relay browser extension and add it to Firefox. With the browser extension, you’ll see the Relay icon when you come across an email field on websites, and you can fill in a fake address automatically.

Unlike Apple (and most companies, for that matter), Relay has an unusually simple privacy policy. Like Apple, the company promises not to access the contents of the emails passing through its service.

Temporary Email Services

Sign in with Apple and Firefox Relay are great for apps and websites where you plan to log in multiple times in the future, but sometimes you just need an email address you can use once, and in a hurry.

For that, there are a number of sites and services that will generate a temporary email address. Most work without you even creating an account. Among the best known are 10MinuteMail, Temp-Mail, Minute Inbox, and EmailOnDeck.

As soon as you hit the websites of any of these services, they give you a new, unique email address. These addresses actually work, with the home page functioning as an email inbox. That means you can read any messages that are sent until your new address self-destructs, typically after 10 minutes.

This lets you sign up for a service you want to use just once, to get past the email confirmation step. They’re great options to use on retail websites that offer you a coupon in exchange for giving up your email address, which inevitably leads to marketing messages. But it probably makes sense to avoid using them on any services that are particularly sensitive.

Spoofing an email address is far easier than most people realise, and it is among the main reasons why phishing campaigns have become a prevalent problem in today’s cyberthreat landscape.

Organisations and enterprises have been coming under attack from dedicated email campaigns for many years. From mass mailers that shut down systems, to more pointed attacks designed for criminal activity, emails have been used as a way to deliver damaging consequences for companies. As mailbox providers developed more advanced spam filters to ensure unwanted emails never reach recipients, hackers and other cybercriminals have been forced to design ever more ingenious methods of aiming malicious messages at their targets.

From emails that redirect recipients to impersonated sign-in sites to steal credentials, to those containing clickable links to ransomware downloads, there are several different cybercrime strategies deployed via mail. Spear phishing is a finely honed tactic that threat operators are constantly refining. This sophisticated type of attack is cleverly researched using publicly available company information combined with stolen Personally Identifiable Information (PII) to make emails so authentic that they can fool their victims.

How hackers spoof email accounts

What could look more authentic than an email that appears to originate from a sender you know? Without too much trouble, it is perfectly possible for a hacker to impersonate or “spoof” an email address to trick their intended target.

The necessary tools to spoof an email address are not hard to come by. All a hacker requires is a Simple Mail Transfer Protocol (SMTP) server and the appropriate mailing software to use with it.

Any reliable web host can provide an SMTP server, and hackers can also install an SMTP server on a system they already own.

The mailing software is just as simple to use. PHPMailer, for example, is a readily available and popular open source PHP library that sends emails using PHP code from a web server. The mailing software is incredibly easy to get to grips with, simple to install, and comes complete with a user-friendly web interface.

With ease, hackers can open PHPMailer and compose their content (including any malicious links) before adding their victim’s information in the “to” address and putting the email details they want to impersonate in the “from” address. This could be a company employee, a trusted supplier or even an international organisation. With these fields complete, all the hacker needs to do is hit “send”.

When the email arrives in the victim’s inbox, it will look like it came from the email address typed by the hacker.

The only problem for the hacker arises if the recipient replies to the malicious message, as the reply will be sent to the owner of the real email address and the spoofing will be revealed. However, for the most part, this is not a circumstance that cybercriminals are concerned with. They usually just want the email to reach their target and fool them into downloading malicious software via a clickable link or handing over their credentials after being sent to a phishing site.

Spoofed emails and the consequences for your company

Spoofed emails are typically used in two different ways. The first use involves an organisation being spoofed by hackers to send targets malicious emails. This form of attack can be damaging to a company’s reputation, particularly when the victims are clients and customers. The second use can be far more destructive for businesses and involves cybercriminals contacting company personnel with spoofed emails.

The results of this can be catastrophic, ranging from malware entering a corporate network to personnel fooled into parting with company funds or confidential data.

A recent report identified that over 92% of spam emails include malware attachments, and cybersecurity experts state that spam is increasingly becoming a successful attack method for hackers seeking access to a computer network. A malware attack can be both disruptive and costly for companies hit.

Following such an attack, the business will need to allocate valuable resources to recover and secure any customer and employee data that has been compromised. They will also need to pay for forensic services, along with legal fees to satisfy both regulatory authorities and impacted customers.

If fault lies with the company for the incident, it may also face expensive fines and penalties. The enterprise will also need to act following the attack to restore security and prevent future attacks; this may involve additional costs for increased cybersecurity.

Spoofed phishing emails can be a highly effective strategy. The probability of a user clicking on a link and downloading malware will increase by 12% if they believe it originates from a trusted and legitimate source. These links can also trick targets into parting with company login credentials or payment details.

Finally, spoofed emails can impact how effectively a business operates. A constant stream of irrelevant emails that require filtering can tie up your employees with pointless timewasting. Blocking these messages can cost companies too, with updates to spam filters adding up to thousands over a year. This means that both time and money that should be spent on business operations are being wasted.

Powerful anti-spoofing protection from Galaxkey

At Galaxkey, we understand that while there are many different options available for firms to work with, email still accounts for the majority of company communications across the globe and must always be secure. That is why we have developed a secure platform with multiple features offering our users total email protection.

Our digital sign feature offers email recipients complete confidence that communications received originate from a verified sender and that any content including attachments has not been tampered with. This offers complete protection from spoofing tactics and means employees can work without the disruption of constantly questioning the integrity of data and its source for better business efficiency.

Our state-of-the-art solution for secure emails also delivers a range of other useful features, including end-to-end encryption, and email classification that ensure confidential data is labelled and managed effectively, and only accessible by authorised personnel.

Defend your enterprise against the threat of spoof emails today and contact us for a free trial of our secure platform.