All about ‘spoofing:’ how scammers send fake emails that look real


Published October 21, 2020

Got a suspicious email from an @buffalo.edu email address? It might be a scam, sent from a spoofed email address.


What is spoofing?

Spoofing is when someone forges the email address of the sender—the address that appears in the ‘From:’ field—to make it look like it’s being sent by someone else. 

Spoofing relies on exploiting the way email data is sent, a protocol that is nearly 40 years old! That’s why email is, by default, not a very secure means of communication.

You might be surprised to learn that spoofing an email address is incredibly easy, and it’s commonly used by scammers to make fake emails seem more legitimate. Here are some examples of how spoofing is used in real scams commonly targeting the UB community:

The bottom line: it pays to be cautious when responding to email. When in doubt, try talking to the supposed sender directly, maybe in person or over the phone, to confirm they’re really the one who sent the message.
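Because the 'From:' field is simply text the sender supplies, a suspicious message's other headers can show whether it really came from where it claims. The following is an added example, not part of the original article: it compares the 'From:' domain with the Return-Path and Reply-To headers and reads the DMARC result recorded by the receiving mail server. The server name mx.example.edu, the example.* domains and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.edu"  # assumption: your own receiving mail server

# Constructed sample (not a real email): From: claims example.edu, but the
# envelope sender and Reply-To point elsewhere and the DMARC check failed.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.edu
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk.example.edu@mail.example.org
To: student@example.edu
Subject: Password expires today

Please reply with your password.
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def spoofing_signals(raw):
    """Return a list of header-based warning signs for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain(msg["From"])
    signals = []
    # Mismatches are a signal, not proof: mailing lists legitimately differ.
    for name in ("Return-Path", "Reply-To"):
        other = domain(msg[name])
        if other and other != from_dom:
            signals.append(f"{name} domain {other} != From domain {from_dom}")
    # Trust only results stamped by our own server; a sender can forge
    # an Authentication-Results header just as easily as From:.
    results = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(ar).partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    if results.get("dmarc") != "pass":
        signals.append(f"dmarc={results.get('dmarc', 'missing')}")
    return signals

if __name__ == "__main__":
    print("\n".join(spoofing_signals(SPOOFED)))
```
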

Someone got an email from my address, but I didn’t send it. Has my account been compromised?

Not necessarily. Spoofing is different from hacking an account—scammers can spoof your account without having direct access. In fact, it’s more likely someone was spoofing your account, since spoofing is easier than breaking into an account (especially when your account uses Duo two-step verification).

Nonetheless, it never hurts to make sure you’re using a strong, unique password for your UBITName account. If you have any doubts whether your account is secure, now may be a good time to change your UBITName password.