University at Buffalo (UB)
All about ‘spoofing:’ how scammers send fake emails that look real
Published October 21, 2020
Got a suspicious email from an @buffalo.edu email address? It might be a scam, sent from a spoofed email address.
What is spoofing?
Spoofing is when someone forges the email address of the sender—the address that appears in the ‘From:’ field—to make it look like it’s being sent by someone else.
Spoofing relies on exploiting the way email data is sent, a protocol that is nearly 40 years old! That’s why email is, by default, not a very secure means of communication.
You might be surprised to learn that spoofing an email address is incredibly easy, and it’s commonly used by scammers to make fake emails seem more legitimate. Here are some examples of how spoofing is used in real scams commonly targeting the UB community:
- Job/internship scams: scammers use spoofing to make fake job offers or internship opportunities appear to be coming from a trustworthy source, like a real company or someone at UB (like a professor or an academic advisor).
- Impersonation scams: these emails appear to be from someone you work with and trust—thanks to spoofing. But, if you reply, the scammer on the other end usually asks you to buy something on their behalf.
- …and many other generic scams: did you get an email from UBIT telling you your account is being migrated? How about an email from a university claiming to have new information about COVID-19? These are all variations of phishing scams that rely on spoofing to seem legitimate, in order to trick you into entering your password or other personal information.
The bottom line: it pays to be cautious when responding to email. When in doubt, try talking to the supposed sender directly, maybe in person or over the phone, to confirm they’re really the one who sent the message.
Someone got an email from my address, but I didn’t send it. Has my account been compromised?
Not necessarily. Spoofing is different from hacking an account—scammers can spoof your account without having direct access. In fact, it’s more likely someone was spoofing your account, since spoofing is easier than breaking into an account (especially when your account uses Duo two-step verification).
Nonetheless, it never hurts to make sure you’re using a strong, unique password for your UBITName account. If you have any doubts whether your account is secure, now may be a good time to change your UBITName password.