Email spoofing

[5] In malicious cases, however, this is likely to be the computer of an innocent third party infected by malware that is sending the email without the owner's knowledge.

For example: In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, even though it really came from Alice's computer.

When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties – in itself a form of spam – or being used to perform "Joe job" attacks.

The SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used,[8] and a range of other potential solutions have also failed to gain traction.

[11][12][13] For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly configured domains or email.

Typically, an attack targets specific employee roles within an organization by sending spoof emails which fraudulently represent a senior colleague, trusted customer, or supplier.

The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster.

[17] The United States' Federal Bureau of Investigation recorded $26 billion of US and international losses associated with BEC attacks between June 2016 and July 2019.
