Make It Happen
My Tipsheets are chock full of ideas. They are all aimed at translating knowledge into a quick, action-oriented 60-second nugget.

First Name:
Last Name:
Tipsheet Archive
Randall's Resources
Whenever I speak or write, I often prepare extra "bonus" materials.
Enter the Resource Code to access this special content:
Resource Code:
Try this example Resource Code: eventplanning

Identity theft and email spoofing

by Randall Craig on November 13, 2015

Filed in: Blog, Make It Happen Tipsheet, Risk,

Tagged as: ,

Think your identity is secure?  Think again – it isn’t.

Consider this email that a colleague recently received from “me”:

Hello Monty,

How are u doing? I will like you to handle an International bank transfers for me with some other few transactions today but first,let me know the required information needed to process an international bank transfer.

I will appreciate a quick response from you.


Randall Craig.

Of course this email did not come from me , but how would the recipient know?  And more importantly, how might you protect yourself (and the unwitting recipients) when you also have your identity purloined with this type of attack?  The answer is surprisingly easy, and surprisingly disturbing: you can’t do a single thing.

The nature of the internet, and email in particular, makes email spoofing surprisingly easy to do.  The perpetrator need only programmatically insert your name and from email address into the visible part of the email header (which is the part that your email system displays)… and that’s it.  Welcome to the world of email identity spoofing.

That being said, there are clues that you can use when you receive an email that appears suspicious, and you want to see who really sent the email.  The trick is to expose the (usually hidden) email header, which displays all of the routing information from the sender to you.  Each email program is different: In some versions of Outlook, right-clicking on an email message will give you an option to “view source”.  In other versions of Outlook, open a message and click “options” or “tags”.  In Gmail, click the down-arrow in the top right corner of the message, and choose the option “show original”.

The header shows a lot of technical information, but it boils down to providing some key information:

  • The destination (Delivered-To:
  • The route the email took (All of the Received by lines)
  • Identity and authentication for the main sending and receiving email server (Received-SPF, Authentication-Results, and X-Sender)
  • Who replies should be sent to (Reply-To: “Randall Craig” <>)

Looking for an unexpected Reply-To email address (vs the Reply-to name, which can also be spoofed), is the easiest clue to identify.

Delivered-To: <--- This is where the email was delivered to
Received: by with SMTP id x134csp1228756ybg;
        Mon, 9 Nov 2015 08:29:34 -0800 (PST)
X-Received: by with SMTP id pq4mr13445696oeb.7.1447086574553;
        Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Return-Path: <>
Received: from ( [])
        by with ESMTPS id ij5si6643142obb.76.2015.
        for <>
        (version=TLS1_2 cipher=AES128-SHA bits=128/128);
        Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;<--- A clue: why would the email not be sent via the same server domain as the "From" domain, eg
       spf=neutral ( is neither permitted nor denied by best guess record for domain of <--- Because the results are neutral, our server allows the mail to be received.
Received: from localhost ([])
by with bizsmtp
id fUVZ1r0012Rj2se01UVZTY; Mon, 09 Nov 2015 09:29:33 -0700
X-SID: fUVZ1r0012Rj2se01
Received: (qmail 6860 invoked by uid 99); 9 Nov 2015 16:29:33 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
User-Agent: Workspace Webmail 5.15.9
Message-Id: <>

From: "Randall Craig" <> <--- This is the spoofed email address
X-Sender:   <--- The email was sent via this insecure server
Reply-To: "Randall Craig" <> <---- This is the email address of the perp
Subject: Request
Date: Mon, 09 Nov 2015 09:29:30 -0700
Mime-Version: 1.0

Another clue that this was a spoofed email was the text itself.  Typographical errors, non-standard abbreviations, and strange grammar all make the email suspect.  And the request for international banking transfer information is icing on the cake.

This week’s action plan: The biggest risk in email fraud isn’t clumsy emails of this nature, but when a hacker gets access to your email account, and actually sends their requests directly from the account itself.  This week, make sure that your passwords are strong enough that they can’t be easily guessed, and that they contain enough non-alphabetical characters so that brute-force attacks are also less likely to work.

This week’s tech action plan:  Ask your IT group to ensure your email servers have SenderID configured appropriately, and that only authorized users can use the sending server.  While this won’t prevent all types of spoofing, it will absolutely help.

Note: The Make It Happen Tipsheet is also available by email. Go to to register.

Randall Craig

@RandallCraig (follow me)




Randall has been advising on Digital Strategy since 1994 when he put the Toronto Star online, the Globe and Mail's GlobeInvestor/Globefund, several financial institutions, and about 100+ other major organizations. He is the author of eight books, including Digital Transformation for Associations, the Everything Guide to Starting an Online Business, and Social Media for Business. He speaks and advises on Digital Transformation, Digital Trust, and Social Media. More at

Leave a Comment

Previous post:

Next post: