Email spoofing is malicious behaviour in which an email header is forged so that the message appears to have originated from a trusted source, or from the recipient's own email address, when it did not.
There are two general reasons why this is done. One is to create the appearance that an email account has been compromised, and the other is to spear phish (the spoofed email will appear to have come from a legal@ or finance@ address requesting wire transfers or account credentials).
We are working to implement a sender policy framework (SPF) to address this form of fraud. If you receive an email that looks suspicious or is requesting any kind of financial or account details, it is vital that you verify its legitimacy before clicking any links it contains or providing the information it requests.
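To show what the SPF check mentioned above actually does, here is an added example (not code from the original notice). It assumes a constructed SPF record for the documentation domain example.com and two constructed sample messages; a real deployment would fetch the record from DNS, and this simplified evaluator handles only ip4, ip6 and all mechanisms. It evaluates the envelope sender (Return-Path) domain against the connecting IP and also reports whether the visible From: domain matches the envelope domain.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF record for the documentation domain example.com (assumption for
# this example). A real check fetches the TXT record from DNS; it is inlined here
# so the example runs offline.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse the ip4/ip6 mechanisms and the 'all' qualifier of an SPF record.

    Only ip4, ip6 and all are handled (no include/a/mx/redirect), which is enough
    to show how SPF ties an envelope sender domain to the IPs allowed to send for it.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks = []
    all_qualifier = "?"  # with no 'all' term, unlisted IPs evaluate to neutral
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            networks.append((qualifier, network))
        elif term == "all":
            all_qualifier = qualifier
    return networks, all_qualifier


def check_spf(domain, sender_ip):
    """Return the SPF result for a message whose envelope sender is at `domain`
    and which arrived from `sender_ip`."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    networks, all_qualifier = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, network in networks:
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return QUALIFIERS[all_qualifier]


def domain_of(header_value):
    """Extract the domain from an address header such as 'Name <user@host>'."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate_message(raw_message, connecting_ip):
    """Evaluate SPF on the Return-Path (envelope sender) domain and report whether
    the visible From: domain matches it. Returns (spf_result, from_aligned)."""
    msg = message_from_string(raw_message)
    envelope_domain = domain_of(msg["Return-Path"])
    from_domain = domain_of(msg["From"])
    spf_result = check_spf(envelope_domain, connecting_ip) if envelope_domain else "none"
    return spf_result, (from_domain != "" and from_domain == envelope_domain)


# Constructed sample messages (not real mail). The first arrives from an IP listed
# in example.com's record; the second carries identical forged headers but arrives
# from an unlisted address, which is how a spoofed finance@ request looks to SPF.
LEGIT_MESSAGE = (
    "Return-Path: <finance@example.com>\n"
    "From: Finance Team <finance@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Q3 expense reports\n"
    "\n"
    "Reports are due Friday.\n"
)
SPOOFED_MESSAGE = (
    "Return-Path: <finance@example.com>\n"
    "From: Finance Team <finance@example.com>\n"
    "To: staff@example.com\n"
    "Subject: URGENT: wire transfer needed today\n"
    "\n"
    "Please process the attached transfer immediately.\n"
)

if __name__ == "__main__":
    print(evaluate_message(LEGIT_MESSAGE, "192.0.2.25"))     # ('pass', True)
    print(evaluate_message(SPOOFED_MESSAGE, "203.0.113.5"))  # ('fail', True)
```

The point the two samples make is that SPF does not look at the headers a reader sees: both messages carry the same From: and Return-Path:, but the second fails because the connecting IP is not one the domain owner has published, and a receiving server applying the record's `-all` can reject it before anyone is asked to judge whether the request is genuine.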
There has been a noticeable increase in this kind of spam in the wake of several large online security breaches (Facebook and LinkedIn are examples of the larger ones). The spam emails will contain an old (and potentially current) password obtained through one of these breaches. If you receive one of these spoofed emails, it is always best to update your email password (avoiding the same password used on other accounts decreases the likelihood of one breach compromising multiple systems).
Practice extra caution:
- Whenever the subject prompts you to act quickly (using words like 'important' and 'please respond', or threatens to close an account).
- If you aren't expecting something from the sender.
- With all links and attachments — never click or open them unless you're 100% sure they're legitimate.
- Spoofed messages often direct people to malware sites. If you have any doubt whether the email is legitimate, confirm the source before you click.