3 Ways to Protect Your Business From Email Fraud

It happens to everyone. You receive a new email that appears to be from a person or company you know, yet you weren’t expecting it. Is it real? Or could it be email spoofing? Email spoofing—a technique attackers use to send forged emails—is on the rise. When you consider that criminals send over 3 billion domain spoofing emails per day and 90% of cyber attacks start with an email, email spoofing isn’t a topic to ignore. And it’s not just individuals that suffer – according to Mimecast, 60% of brands have experienced email impersonation fraud in the last 12 months. Learn what you can do to protect yourself, your employees, and your brand.

What is Email Spoofing?

A cyber attacker uses email spoofing to trick the recipient into thinking that someone – or some company – they know sent them an email. Then, if they persuade the recipient to click on a malicious link or reply with personal information, the attacker has the opportunity to obtain sensitive business data, install malware, or steal the recipient’s identity. 

Email spoofing comes in many forms.
The most common types include:

Display Name

Display name email spoofing: In this case, only the email sender’s display name is forged. This happens a lot with company executives. It appears you’ve received an email from your CEO, but when you look closer, the “from” email address is not accurate.

Legitimate Domain

Sometimes it’s more than just the “from” name that appears real: some attackers also use what appears to be a trusted email address. While the way they do this gets technical, the attacker isn’t hijacking the business account; they are tricking the system into thinking the message comes from a legitimate account. This happens more often than you think, as many enterprise email domains aren’t using any countermeasures for verification.

Lookalike Domain

In this scenario, the attacker registers and uses a domain that is similar to the real domain such as @amaz0n.co. Often, the change is small enough that someone quickly skimming the email might not notice.

Three Ways to Protect Yourself and Your Business

At its core, sending email doesn’t require authentication, so you can never stop email spoofing completely. But there are additional measures you can take to protect your business and your employees.


Implement Advanced Email Service Protocols:

Use a trusted email service provider that uses additional checks, including:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)


When implemented effectively, these additional measures help receiving email systems identify incoming emails as spoofed messages and immediately mark them as spam.
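To make the three spoofing types and the role of these checks concrete, here is an added example (not code from the original article or any provider) that classifies a message from its headers. The domain example.com, the executive list, the 0.85 similarity threshold and the sample messages are all assumptions made up for the illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the domain we protect and an executive directory.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # undo swaps such as 0 for o

def classify(raw_message, trusted=TRUSTED_DOMAIN, executives=EXECUTIVES):
    """Return the spoofing type the headers suggest, or 'ok'."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2]

    if domain == trusted:
        # Legitimate-domain spoofing: the address is ours, so the only signal is
        # the DMARC verdict stamped by our own receiving server (RFC 8601).
        # A missing verdict is treated as a failure.
        verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
        if verdict and verdict.group(1).lower() == "pass":
            return "ok"
        return "legitimate-domain spoof"

    # Lookalike domain: almost identical to ours once digit swaps are undone.
    if SequenceMatcher(None, domain.translate(DIGIT_SWAPS), trusted).ratio() >= 0.85:
        return "lookalike domain"

    # Display-name spoofing: an executive's name on an unrelated address.
    if name.strip().lower() in executives:
        return "display-name spoof"
    return "ok"

# Constructed sample headers, one per spoofing type plus a clean message.
SAMPLES = {
    "display": "From: Jane Doe <ceo.office@freemail.test>\n\nNeed gift cards.",
    "lookalike": "From: Billing <billing@examp1e.co>\n\nInvoice attached.",
    "forged": "From: Jane Doe <jane.doe@example.com>\n"
              "Authentication-Results: mx.example.com; dmarc=fail\n\nWire funds.",
    "clean": "From: Jane Doe <jane.doe@example.com>\n"
             "Authentication-Results: mx.example.com; dmarc=pass\n\nAgenda.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

An Authentication-Results header is only meaningful when your own mail server added it; one that arrives from outside should be discarded before a check like this runs.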


Educate Your Employees.

Teaching your employees to stay vigilant when it comes to cybersecurity is important. Educate them about the threats posed by spoofed emails and train them to check email headers and sender domains, especially on smartphones, where only the display name shows and spoofing is harder to spot. Clearly explain what to do if they receive a suspicious email, such as forwarding it to your I.T. team. Tell them that if they receive an email from a company executive asking for sensitive information, money or gift cards, they should follow up through a separate channel to check whether it’s legitimate, such as a phone call, a quick message within your company’s messaging app, or even a new email to the person’s known address.


Ensure your employees use strong and complex email passwords.

Best practices suggest including both upper and lower case letters, numbers and special characters. Avoid using easy-to-identify personal information such as birthdays, phone numbers and favorite colors. Another helpful idea is to use a phrase, as a longer password increases its strength. Most importantly, ensure employees never share email passwords.

The First Line of Defense is a Strong Offense

When it comes to email spoofing, all businesses are at risk. Facebook, Google, and Sony Pictures have all been victims of email spoofing fraud, to the collective tune of $170 million. If you’re unsure if your current email service provider has the proper countermeasures in place, reach out to inConcert Web Solutions. Call today to learn more at 978-632-5300.
