
Identity theft and email spoofing

by Randall Craig
Filed in: Blog, Make It Happen Tipsheet, Risk, Technology

Think your identity is secure?  Think again – it isn’t.

Consider this email that a colleague recently received from “me”:

Hello Monty,

How are u doing? I will like you to handle an International bank transfers for me with some other few transactions today but first,let me know the required information needed to process an international bank transfer.

I will appreciate a quick response from you.


Randall Craig.

Of course this email did not come from me, but how would the recipient know?  And more importantly, how might you protect yourself (and the unwitting recipients) when you also have your identity purloined with this type of attack?  The answer is surprisingly easy, and surprisingly disturbing: you can’t do a single thing.

The nature of the internet, and email in particular, makes email spoofing surprisingly easy to do.  The perpetrator need only programmatically insert your name and from email address into the visible part of the email header (which is the part that your email system displays)… and that’s it.  Welcome to the world of email identity spoofing.

That being said, there are clues that you can use when you receive an email that appears suspicious, and you want to see who really sent the email.  Beyond clues such as bad grammar and spelling mistakes, uncovering this type of fraud requires exposing the (usually hidden) email header, which displays all of the routing information from the sender to you.  Each email program is different: In some versions of Outlook, right-clicking on an email message will give you an option to “view source”.  In other versions of Outlook, open a message and click “options” or “tags”.  In Gmail, click the three dots in the top right corner of the message, and choose the option “show original”.

The header shows a lot of technical information, but it boils down to providing some key information:

  • The destination (Delivered-To:)
  • The route the email took (All of the Received by lines)
  • Identity and authentication for the main sending and receiving email server (Received-SPF, Authentication-Results, and X-Sender)
  • Who replies should be sent to (Reply-To: “Randall Craig” <>)

An unexpected Reply-To email address (as opposed to the Reply-To name, which can also be spoofed) is the easiest clue to identify.

Delivered-To: <--- This is where the email was delivered to
Received: by with SMTP id x134csp1228756ybg;
        Mon, 9 Nov 2015 08:29:34 -0800 (PST)
X-Received: by with SMTP id pq4mr13445696oeb.7.1447086574553;
        Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Return-Path: <>
Received: from ( [])
        by with ESMTPS id ij5si6643142obb.76.2015.
        for <>
        (version=TLS1_2 cipher=AES128-SHA bits=128/128);
        Mon, 09 Nov 2015 08:29:34 -0800 (PST)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;<--- A clue: why would the email not be sent via the same server domain as the "From" domain, eg
       spf=neutral ( is neither permitted nor denied by best guess record for domain of <--- Because the results are neutral, our server allows the mail to be received.
Received: from localhost ([])
        by with bizsmtp
        id fUVZ1r0012Rj2se01UVZTY; Mon, 09 Nov 2015 09:29:33 -0700
X-SID: fUVZ1r0012Rj2se01
Received: (qmail 6860 invoked by uid 99); 9 Nov 2015 16:29:33 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
User-Agent: Workspace Webmail 5.15.9
Message-Id: <>

From: "Randall Craig" <> <--- This is the spoofed email address
X-Sender:   <--- The email was sent via this insecure server
Reply-To: "Randall Craig" <> <---- This is the email address of the perp
Subject: Request
Date: Mon, 09 Nov 2015 09:29:30 -0700
Mime-Version: 1.0
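
The header checks described above can be automated. The following is an added example, not part of the original post; it uses Python's standard email module, and every address, host and IP in the two sample messages is a constructed placeholder.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: all addresses, hosts and IPs are placeholders.
SPOOFED = """\
Return-Path: <bounce@webmail.example.net>
Received-SPF: neutral (mx.example.org: 192.0.2.10 is neither permitted nor
        denied by best guess record for domain of bounce@webmail.example.net)
From: "Randall Craig" <randall@example.com>
Reply-To: "Randall Craig" <randall.craig@freemail.example.net>
Subject: Request

Hello Monty,
"""

# Constructed sample of a message with consistent headers, for comparison.
GENUINE = """\
Return-Path: <randall@example.com>
Received-SPF: pass (mx.example.org: domain of randall@example.com designates
        198.51.100.7 as permitted sender)
From: "Randall Craig" <randall@example.com>
Subject: Lunch

See you at noon.
"""

def address(value):
    """Lower-cased address part of a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def spoofing_clues(raw):
    """Return the header clues described in the article for one message."""
    msg = message_from_string(raw)
    sender = address(msg["From"])
    reply_to = address(msg["Reply-To"])
    envelope = address(msg["Return-Path"])
    # The first token of Received-SPF is the result (pass, neutral, fail, ...).
    spf = ((msg["Received-SPF"] or "").split() or ["none"])[0].lower()
    clues = []
    if reply_to and reply_to != sender:
        clues.append(f"Reply-To {reply_to} differs from From {sender}")
    if envelope and envelope.rpartition("@")[2] != sender.rpartition("@")[2]:
        clues.append(f"Return-Path domain differs from From domain ({envelope})")
    if spf != "pass":
        clues.append(f"Received-SPF result is {spf}, not pass")
    return clues

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, spoofing_clues(raw))
```

A Reply-To or Return-Path mismatch also shows up in legitimate mail sent through third-party mailing services, so treat the output as a prompt to inspect the message, not a verdict.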

As I mentioned earlier, another clue that this was a spoofed email was the text itself.  Typographical errors, non-standard abbreviations, and strange grammar all make the email suspect.  And the request for international banking transfer information is icing on the cake.


The biggest risk in email fraud isn’t clumsy emails of this nature, but when a hacker gets access to your email account, and actually sends their requests directly from the account itself.  This week, make sure that your passwords are strong enough that they can’t be easily guessed, and that they contain enough non-alphabetical characters so that brute-force attacks are also less likely to work.

This week’s tech action plan:  Ask your IT group to ensure your email servers have SenderID and DKIM configured appropriately, and that only authorized users can use the sending server.  While this won’t prevent all types of spoofing, it will absolutely help.


Content Authenticity Statement: 100% original content: no AI was used in creating this content.
