Preventing Display Name Spoofing

Display name spoofing is a type of social engineering attack that involves falsifying data to artificially modify the perception of other individuals. Spoofed emails can fool even the most honest employees at an organization into thinking that they are communicating with the CEO or other senior executives.

The most convincing spoofed email will almost always get through, since even people who are supposed to check it will be fooled by its fraudulent appearance.

Hackers use fake identities to make everyone involved in an online transaction think they are talking to one particular person, without knowing that someone else is behind the screen.

Therefore, the purpose of this process is to enable hackers to ‘fake it until they make it’ in their phishing attempts.

What is Display Name Spoofing?

Display Name Spoofing is an email scam perpetrated by fraudsters who use someone’s real name (known to the recipient) as the display name for their emails.

This is done by registering a valid email account whose email address is different from, but whose display name is the same as, that of the contact they want to impersonate. The recipient will therefore think they are getting an email from a trusted person in their contacts, but it’s not them.

For example:

A hacker might pose as “Ben, the CEO of XYZ company” by using the exact display name that “Ben, the CEO” has set up on his official email address, and then apply this forged display name to a valid email address that differs from the one “Ben, the CEO” actually uses.

Since most modern email platforms like Outlook just display the email sender’s name (instead of the sender’s actual From: email address) to the recipient–for the sake of user-friendliness–the recipient might fall into the trap set by the hacker.

The recipient will accept the email as legitimately sent by “Ben, the CEO” when in reality it’s not, because the From: section (which is usually hidden by default by most email platforms) has a different email address than “Ben, the CEO” actually uses.

Display Name Spoofing Becoming a Widespread Phishing Scam: But Why?

Over the years, the use of display name spoofing has become more and more common in phishing scams. This is because a display name identical to that of a known contact, shown in place of the actual From: email address, can trick many people into believing that the email is actually from someone they know or trust.

➜ Proliferation of Smartphones

Email display name spoofing is becoming a widespread phishing scam because of the proliferation of smartphones.

As email clients on mobile devices don’t display an email’s metadata, it allows for display name spoofing. This means that when a recipient opens an email from someone he doesn’t know, he will only see the sender’s display name and not the From: address.

As you can imagine, this makes it easy for a scammer to trick people into thinking they are interacting with someone they know.

➜ Bypasses Spoofing Defense Mechanisms

The reason this type of fraud is so effective is that display name spoofing is done via a legitimate email address. Because the message really is sent from the account shown in its From: address, it bypasses most spoofing countermeasures, such as SpamAssassin, and these phishing emails are often very difficult to filter out.

➜ Email Metadata Is Hidden

Most people are used to the idea that an email should look like it came from their friends or family. In reality, most people don’t read the full metadata of an email and thus fall for the trap.

This is why hackers can target user interfaces that were designed with ease of use as a priority. Most modern email client apps don’t show metadata, for ease of reading; therefore, the From: address is hidden from plain view until a recipient clicks on it to see the full metadata.

Most recipients don’t read full email exchanges—they just rely on the display name to authenticate them. Thus, they fall for this phishing scam because they assume that if an email looks like one they know, then it must be legitimate and safe.

How To Avoid Becoming a Victim of Display Name Spoofing?

Don’t rely on display names to authenticate email. If you’re not sure, then check the email exchange to see if it’s actually from who it says it is. Here are more useful tips to prevent display name spoofing.

1. First, head over to the email message in question and extract all of the metadata from it. This will give you access to the sender’s name, email address, and complete email header information. If this is spoofing, then it is likely that some of the metadata is not what it seems. For example, if you notice that the email address doesn’t match up with any other accounts in your contact list, then it’s a good indication that this is a phishing scam.

2. Check your SPF records. These are lists of domains that have permitted mail from their domain to be delivered (or rejected).

3. Check your DKIM records. These are lists of domains that have signed your mail with their private key to verify its authenticity. If any of these records don’t match up with the domain in the email header, then it’s a good indication that this is spoofing.

4. Check your DMARC records. These are lists of domains that have set up a policy to reject mail if it fails any of the above checks. If this record doesn’t match up with the domain in the email header, then it’s a good indication that this is spoofing.

5. If you see a hyperlink that looks like it points to an official page, but takes you somewhere else, this is a good indication of spoofing. If you see typos or other errors in the text of the email, this can also be an indication of display name spoofing.
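The header checks from steps 1 to 4, as an added Python example that is not part of the original article: it reads the From: header and the Authentication-Results header of a constructed message and compares the display name against a known contact. The contact list, domains and message are assumptions made up for illustration; the sample shows SPF, DKIM and DMARC passing for the sender's own domain while the address mismatch is still flagged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list: display name -> address that person really uses.
KNOWN_CONTACTS = {"ben, the ceo": "ben@xyz.example"}

# Constructed message: sent from a valid mailbox on another domain, so the
# receiving server records SPF, DKIM and DMARC as passing for that domain.
SAMPLE = """\
Authentication-Results: mx.xyz.example; spf=pass smtp.mailfrom=freemail.example;
 dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example
From: "Ben, the CEO" <ben.ceo.office@freemail.example>
To: alice@xyz.example
Subject: Quick request

Are you at your desk?
"""

def auth_results(msg):
    """Return the spf/dkim/dmarc verdicts recorded in Authentication-Results."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {name.lower(): verdict.lower() for name, verdict in found}

def triage(raw):
    """Extract sender metadata and list the reasons a message looks spoofed."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    results = auth_results(msg)
    findings = []
    # Step 1: the display name is a known contact, but the address is not theirs.
    if expected and addr.lower() != expected:
        findings.append("display name matches a known contact but address differs")
    # Steps 2-4: any authentication check that did not pass is worth a look.
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check} result is {results.get(check, 'missing')}")
    return {"display_name": name, "address": addr,
            "auth": results, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```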

Creating Transport Rule for Display Name Spoofing

Transport rules are a way to block or allow specific emails that have been sent from outside the organization. They are applied to individual email messages, which means you can use them to specify which messages should or should not be delivered.

The transport rule for CEO “Ben” is as follows:

Apply this Rule if…

1. Sender is located outside the organization.

2. A message header matches… ‘From’ header matches ‘Ben’.

Do the Following…

Prepend the Disclaimer ‘<disclaimer>’

With this transport rule, any email message that comes from outside the organization and contains the word “Ben” in the From header will be blocked and sent to a user-defined mailbox. This prevents the fake Ben from being able to spoof the actual Ben’s address and display name. The disclaimer prepended to each blocked message alerts users that this is not an authentic business email and should not be opened or responded to.
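A Python model of the rule as listed above (sender outside the organization, From header matches ‘Ben’, prepend the disclaimer), added here as an example and not taken from the original article or from any mail server's own code. The organization domain, the disclaimer wording and the sample senders are assumptions, and the header match is modelled as a case-insensitive substring search.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"xyz.example"}        # assumption: the organization's own domains
PATTERN = re.compile(r"Ben", re.I)   # 'From' header matches 'Ben'
# Placeholder wording standing in for '<disclaimer>' in the rule above.
DISCLAIMER = "[EXTERNAL] Sender name matches an executive; verify the address.\n\n"

def is_external(msg):
    """Condition 1: the sender is located outside the organization."""
    addr = parseaddr(msg["From"])[1]
    return addr.rpartition("@")[2].lower() not in ORG_DOMAINS

def apply_rule(msg):
    """Prepend the disclaimer when both conditions hold; return True if tagged."""
    if is_external(msg) and PATTERN.search(msg["From"]):
        msg.set_content(DISCLAIMER + msg.get_content())
        return True
    return False

def make(from_header, body="Please call me."):
    """Build a constructed plain-text message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "alice@xyz.example"
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    for sender in (
        '"Ben, the CEO" <ben.ceo.office@freemail.example>',  # tagged
        '"Ben, the CEO" <ben@xyz.example>',                   # internal, untouched
        "Benjamin Ortiz <b.ortiz@supplier.example>",          # tagged: substring match
        "Carol <carol@partner.example>",                      # untouched
    ):
        print(sender, "->", apply_rule(make(sender)))
```

The third sender shows the cost of a short pattern: any external name or address containing "Ben" also receives the disclaimer, so the pattern is best made as specific as the protected display name.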

How PowerDMARC Fights Display Name Spoofing For The Protection Of Your Business?

Display name spoofing is on the rise, and PowerDMARC is here to help you fight it. We enforce DMARC protocols like DKIM and SPF checks, which are essential tools for fighting email spoofing. We also use machine learning to generate a predictive model of email spoofing threats and then combine these predictions with advanced content analysis tools to maximize your protection against email phishing attacks.

That way if someone sends out an email pretending to be from you in hopes of tricking your employees into clicking on it, they won’t get through because the filter will catch display name spoofing as well as typosquatting.

Latest posts by Ahona Rudra (see all)