New Research: Insights into Brand Spoofing Tactics

Posted by Matt Moorehead

Email fraud is rife (up more than 162% from 2010 to 2014) and costs companies like yours millions every year.

Implementing the authentication standard DMARC (Domain-based Message Authentication, Reporting and Conformance) to block bad email before it reaches consumer inboxes is a great first step. But DMARC alone is not enough: it protects your brand from only 30% of email-borne attacks.

We know there is no silver bullet to combat the other 70% of email attacks. But we also know the only way to build a comprehensive defense is through comprehensive understanding.

To gain that understanding, we tapped into the Return Path Data Cloud and analyzed more than 760,000 email threats associated with 40 top global brands.


Our objective for this project was not to surface every tactic fraudsters use to spoof brands. Instead, we sought to test some of our reigning assumptions about how they cheat email filters, namely that:

  1. Fraudsters use snowshoe spamming in large phishing attacks.
  2. Fraudsters rotate elements of subject lines to appear personalized.
  3. Fraudsters spoof the display name.

The data confirmed some of our assumptions and decidedly disproved others:

  • While there is no discernible pattern to snowshoe spamming, this method is still rife, and monitoring IP address reputations needs to be part of a multi-faceted email fraud protection strategy.
  • Fraudsters do not go to the trouble of rotating elements of their subject lines, preferring a more template-based approach. Access to message-level data from email threat intelligence sources should help you prioritize your efforts around attack mitigation.
  • The most frequently spoofed Header From field is the display name, for which there is currently no authentication mechanism. Visibility into display name spoofing is critical in identifying and responding to phishing attacks leveraging your brand.
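
DMARC evaluates the domain in the From address, not the free-text display name, so visibility into display name spoofing has to come from a separate check. The sketch below is an added example, not code from the report or from Return Path: it flags From headers whose display name mentions a brand while the address domain is not one of that brand's sending domains. The brand map, function names and sample headers are assumptions constructed for illustration.

```python
import unicodedata
from email import policy
from email.parser import HeaderParser

# Constructed for this example: brand token -> domains the brand really sends from.
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}}

def _normalize(text):
    """Case-fold and drop non-alphanumerics so 'Example-Bank' matches 'examplebank'."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def _domain_allowed(domain, allowed):
    """True only for an exact match or a subdomain of an allowed domain."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(raw_headers):
    """Return (brand, display_name, addr_spec) for each From mailbox whose
    display name mentions a brand but whose address domain is not that brand's."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    from_hdr = msg["From"]
    if from_hdr is None:
        return []
    findings = []
    for addr in from_hdr.addresses:  # policy.default decodes RFC 2047 encoded words
        shown = _normalize(addr.display_name or "")
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in shown and not _domain_allowed(addr.domain, allowed):
                findings.append((brand, addr.display_name, addr.addr_spec))
    return findings

# Constructed sample headers, not taken from the report.
SAMPLES = [
    'From: "Example Bank" <alerts@mail.examplebank.example>\n\n',
    'From: "Example Bank Security" <notice@mail-host.example>\n\n',
    'From: =?UTF-8?Q?Example_Bank?= <info@examplebank.example.other.example>\n\n',
    'From: "Jane Doe" <jane@mail-host.example>\n\n',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.strip(), "->", check_from(raw) or "ok")
```

The suffix check requires a leading dot, so a lookalike host that merely starts with the brand's domain is still flagged, and the encoded display name is decoded before matching.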

These learnings revealed the unpredictable variety of brand spoofing tactics, and can inform how to fight email fraud in two key ways:

First, prioritize DMARC implementation: it's the most direct way to keep bad email out of consumer inboxes (and the good email in).

Second, the more you know about the nature of email attacks spoofing your brand, the better. As our analysis proves, fraudsters like to mix and match tactics to reach their victims. While DMARC is a great first step, it is not enough. Protect your brand from the 70% of email threats beyond DMARC by studying their anatomy. Only then can you implement the right suite of solutions to fight back.

You can download our full report here.




About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.
