How does email spoofing work? How do people Phish? Why does it look like my bank sent me a message when in fact it’s a hacker?


When the internet was invented there was a lot of trust between the original pioneers that worked at universities. One of the first applications to be developed was email. Email was designed in a way to be easy to use – and email security wasn’t a big deal back then. With the proliferation of the internet, spammers soon started making use of this lack of security.

Technically it’s possibly for anyone in the entire world, not even just hacker, to specify any email address as a FROM: address.

Try it in Outlook, it will take you 2 minutes. You can specify *any* FROM: address.

So how email spoofing works, it uses someone else’s address. It could be a legitimate address, anyone’s email address. Then if a the bounce happens, it goes back to the address that was chosen.

So at first glance, there is absolutely nothing you can do about it. Someone out there is trying to phish and they’re using a legitimate address as bait.

Here is a high level overview that every person working with email at an ISP should understand:

With more time protections grew, and now there are a host of common one prevailing in email that needs to be there for SPAM to be minimized. Here are four common ones:

  • SPF
  • DKIM
  • Sender ID

Almost all hosts have SPF configured by default but you’d have to check if the other’s are present.

But the problem is, and it’s in the last paragraph of that Wikipedia article:

To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication. Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6%[7] to “almost half”.[8][9][10] For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly-configured domains or email.[11][12]


* Only effective if stopped if both RECEIVING and SENDING systems honour the settings. So you won’t always have control and you cannot control other’s people incoming and outgoing email servers.
* Only half of mail server actually honour security

What we tell most people who use the internet, to avoid phishing:

Don’t click on links

That’s why the bank often sends phishing warning reminder emails telling their users to not click links. If you are a victim of phishing, this could be one way of getting the message across – send bulk email to your users.


Thanks for your long explanation, but I’m still getting phished. Can you stop it, please? Who’s responsibility is it?


The short answer is it’s not our responsibility. Internet and email providers should offer basic SPAM protection tools to avoid these emails, but there are no guarantees that they can stop it.

The onus rests on the user to be vigilant and not open these emails, and to be super sceptical of information requests via email, especially those that direct to a banking site, a website, or a site that asks for a username and password. Pick up the phone when unsure!

More Information

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top