Email spoofing

For example, in this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as Charlie, even though it really came from Alice's computer.

When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties – in itself a form of spam – or being used to perform "Joe job" attacks.

The SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used,[8] and a range of other potential solutions have also failed to gain traction.

[11][12][13] For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly configured domains or email.

Examples include invoice scams and spear-phishing attacks which are designed to gather data for other criminal activities.

Typically, an attack targets specific employee roles within an organization by sending spoofed emails that fraudulently represent a senior colleague, trusted customer, or supplier.

The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster.

[17] The United States' Federal Bureau of Investigation recorded $26 billion of US and international losses associated with BEC attacks between June 2016 and July 2019.
