Revisiting Email Spoofing Attacks
Hang Hu, Gang Wang

TL;DR
This study investigates how email providers detect, prevent, and warn users about spoofed emails, revealing gaps in detection and warning mechanisms that can be exploited by attackers, and assessing the effectiveness of security cues in real-world scenarios.
Contribution
It provides a comprehensive end-to-end measurement of email spoofing defenses across major providers and evaluates user responses to security cues in realistic phishing experiments.
Findings
Most providers detect spoofing but still allow forged emails into inboxes.
Many providers lack effective warnings for users about forged emails.
Visual security cues can reduce risky user actions, but are less effective in real-world conditions.
Abstract
The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions through end-to-end measurements on 35 popular email providers (used by billions of users), and extensive user studies (N = 913) that consist of both simulated and real-world phishing experiments. We have four key findings. First, most popular email…
Taxonomy
Topics: Spam and Phishing Detection · User Authentication and Security Systems · Advanced Malware Detection Techniques
