
8 Ways to Protect Yourself from Forged/Fake Email

The Internet is rife with fake and forged email.  Typically these are messages that appear to come from a friend, relative, business acquaintance, or vendor and ask you to do something.  If you believe the message really is from that person, you are much more likely to take whatever action is requested, often to your detriment.

These are forms of social engineering: the “bad guys” are trying to establish a trusted context so that you will give them information or perform actions that you otherwise would not, or should not, do.

Here we address some of the actions you can take to protect yourself from these attacks as well as possible.  We present them in order of increasing complexity and technical difficulty.

1. View the actual “From” email address of messages sent to you

Every email message carries a From header that identifies the sender.  That header must include the sender’s email address and may also carry a free-text display “name” to go with it.  Many email programs show only the display name by default and hide the actual address, for simplicity.  E.g. it is perhaps easier to read “John Smith” in your message list than his actual address “”.

However, nothing in the email protocols checks either field: whoever sends the message can set the address and the name to anything they like.  So someone can send you a message from any address of their choosing and have the “name” show up as “John Smith,” or your mother’s name, or your spouse’s name, etc.  One especially common trick is a display name that is itself an email address, so that a program showing only names displays the address you expect while the real address is something else entirely.

So it is good practice to have your email or WebMail program show the actual address of the sender so that you can check it, either in the list of messages or when you view the message.  Don’t trust that a message is from the named person just because that name is presented as the “From”; there is no guarantee of that.  And bear in mind that the address itself can be forged too, which is what the further checks discussed below are for.

In LuxSci WebMail, the full from name and address is displayed in the message view pane if you have it expanded (e.g. click the “+” on the left if the From, Date and Subject are displayed on a single concise line).

Additionally, you can change your preferences to “always display the email addresses of message senders and recipients instead of their names” in the WebMail message list.
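Here is what “check the actual address” looks like when done by a program rather than by eye, as an added example that is not part of the original article or of LuxSci’s software.  It uses only Python’s standard library; the address book, the three messages and the domain names in them are constructed for illustration, and the Reply-To comparison at the end goes one step beyond the text above.

```python
"""Separate the display name from the real From address and flag the common
display-name tricks.  Added example (not LuxSci's code): the address book and
the three sample messages are constructed, and the Reply-To check goes one
step beyond the article's text."""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the address you know the person by.
KNOWN_CONTACTS = {"John Smith": "john.smith@example.com"}


def analyze_from(raw_message: str, known: dict = KNOWN_CONTACTS) -> dict:
    """Return the parsed From fields plus a list of human-readable warnings."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if not addr:
        warnings.append("From header carries no usable address")
    # Trick 1: the display name is itself an address.  A client that shows only
    # names then shows the address you expect while the real one stays hidden.
    if "@" in name and name.strip().lower() != addr.lower():
        warnings.append(f"display name looks like an address ({name}) but the real address is {addr}")
    # Trick 2: a familiar name attached to an address you have never seen for that person.
    if name in known and known[name].lower() != addr.lower():
        warnings.append(f"{name} normally writes from {known[name]}, this came from {addr}")
    # Beyond the text: a Reply-To that differs from From sends your answer elsewhere.
    if reply_addr and reply_addr.lower() != addr.lower():
        warnings.append(f"replies would go to {reply_addr}, not {addr}")
    return {"name": name, "address": addr, "domain": domain, "warnings": warnings}


# Constructed sample messages (only the headers matter here).
LEGIT = "From: John Smith <john.smith@example.com>\nSubject: lunch?\n\nStill on for noon?\n"
SPOOFED_NAME = ('From: "John Smith" <mailbox8812@free-mail.example.net>\n'
                "Reply-To: mailbox8812@free-mail.example.net\n"
                "Subject: need a favor\n\nCan you buy some gift cards for me?\n")
NAME_IS_ADDRESS = ('From: "john.smith@example.com" <billing@invoice-portal.example.org>\n'
                   "Subject: overdue invoice\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("name is address", NAME_IS_ADDRESS)]:
        result = analyze_from(raw)
        print(f"{label}: {result['name']!r} <{result['address']}>")
        for w in result["warnings"]:
            print("   !", w)
```

The address book stands in for what your own memory does when you glance at the sender: the program only turns “I have never seen John use that address” into something that fires reliably on every message.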

2. Only view plain text previews of messages until you trust them

When you open an email message “fully”, your mail program renders its HTML content, downloads the images it references, and so on.  Those downloads tell the sender that you have read the message: an image whose URL is unique to your copy of the message (a “web bug” or tracking pixel) is fetched from the sender’s server the moment you open it.  Once the sender knows that, they know your address is “good” and that you open their messages, so they are likely to send you more.

Additionally, a malicious message that got past your email filtering may infect your computer if opened fully (e.g. through an old version of your mail program, a newly discovered flaw in it, or a malformed image).  It is best to open the message in a “plain text preview” mode first so you can evaluate whether it is legitimate before opening it fully.  In plain text mode nothing is fetched from the network, so no web bug reports back to the sender, and the HTML and image rendering code that such attacks target is never invoked.

3. Get a good spam and virus filter

Most good spam and virus filtering systems will detect common social engineering / forged emails that are being sent in bulk to many people on the Internet.  E.g. they can stop such things as forged email from your bank asking you to login to verify your account.

These will help prevent many generic attacks, but not necessarily ones targeted directly at you or your domain / organization.

4. Get email link filtering

The most advanced email filtering systems can re-write the Internet links in your email so that when you click on them, the filtering system will scan the target page to see if it is legitimate or contains malicious content.  This gives you a good measure of real-time protection against malicious links.  See: prevent email phishing attacks with real-time link click protection.

If you do follow links in emails, be aware of the red flags that can tell you if a link is malicious.  See the “Phishing” section of “What is Social Engineering?”

5. Use DKIM to identify forged email

DKIM (DomainKeys Identified Mail) is a system in which the sending organization’s mail servers cryptographically sign each outgoing message (selected headers plus the body) with a private key, and publish the matching public key in DNS under the sending domain.  A recipient can then verify that the message was signed by servers holding that domain’s key and has not been altered since.  DKIM does not stop a hacker from sending forged email, but it lets the recipient identify it: a message claiming to be from a DKIM-signing domain that carries no valid signature from that domain is suspect (the domain’s DMARC policy, if it publishes one, tells receivers how strictly to treat that).  Note the qualifier “from that domain”: a valid signature from some unrelated domain proves nothing about the address you see, so the check that matters is whether the signing domain matches the From address.  Your spam and virus filtering should use DKIM results in this way to eliminate forged email.

6. Use DKIM for your own domains

If your email service provider supports it, you should set up DKIM for your own email domains.  This lets others on the Internet determine whether a message that claims to come from you really did, and it helps you identify incoming email forged to look like it came from yourself.  See: Bounce back and backscatter spam, “who stole my email address?”

7. What about SPF?

SPF (Sender Policy Framework) is also a good mechanism for checking whether a message came from the trusted servers of its purported sender: the domain publishes, in DNS, the list of IP addresses allowed to send mail for it, and the receiving server checks the connecting IP against that list.  It is not quite as good as DKIM, for two reasons.  First, SPF checks only the envelope sender (the SMTP MAIL FROM address), which need not match the From address you see, so a forger can use their own domain in the envelope and pass SPF while displaying your bank’s address.  Second, it says nothing about the message content, so it cannot tell that a message was altered.  It also fails when legitimate mail is forwarded through a server the domain’s SPF record does not list.

However, as various spam filtering systems use DKIM and SPF to varying degrees, it is best to set up your domain with both an SPF record and DKIM signing, and to enable both checks in your email filtering software.  A DMARC record for your domain additionally tells receiving servers to require that whichever check passes is for the domain in the From header, which is what makes either check useful against forgery of the visible address.
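The following added example (not LuxSci’s filtering code) shows the rule that sections 5 through 7 lead to: a DKIM or SPF “pass” only identifies a forgery if the domain that passed is the one in the From header.  It reads the Authentication-Results header that a receiving server adds after verifying the signature and the SPF record, so it runs offline with no DNS.  The messages and headers are constructed, and the receiving server’s name, mx.example.net, is an assumption.

```python
"""Turn the DKIM and SPF results recorded by your receiving mail server into a
forgery verdict for the visible From address.  Added example, not LuxSci's
filtering code: the Authentication-Results headers and messages below are
constructed, and the receiving server's name "mx.example.net" is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr

COMMENT = re.compile(r"\([^)]*\)")  # RFC 5322 comments such as "(2048-bit key)"


def parse_auth_results(value: str):
    """Split 'authserv-id; method=result prop=val ...; ...' into (authserv, [clauses])."""
    authserv, _, rest = value.partition(";")
    clauses = []
    for clause in rest.split(";"):
        tokens = COMMENT.sub("", clause).split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        clauses.append({"method": method.lower(), "result": result.lower(), **props})
    return authserv.strip().lower(), clauses


def aligned(checked: str, from_domain: str) -> bool:
    """Relaxed alignment: same domain, or one is a subdomain of the other
    (a simplification of the organizational-domain rule DMARC uses)."""
    checked = checked.rsplit("@", 1)[-1].lower()
    return bool(checked) and (checked == from_domain
                              or checked.endswith("." + from_domain)
                              or from_domain.endswith("." + checked))


def evaluate(raw_message: str, my_server: str = "mx.example.net") -> dict:
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    verdict = {"from_domain": from_domain, "dkim_aligned": False, "spf_aligned": False, "notes": []}
    for header in msg.get_all("Authentication-Results", []):
        authserv, clauses = parse_auth_results(header)
        # A sender can insert an Authentication-Results header of their own;
        # only the one written by your own receiving server counts.
        if authserv != my_server:
            verdict["notes"].append(f"ignored results claimed by {authserv}")
            continue
        for c in clauses:
            if c["method"] == "dkim":
                if c["result"] == "pass" and aligned(c.get("header.d", ""), from_domain):
                    verdict["dkim_aligned"] = True
                else:
                    verdict["notes"].append(f"dkim={c['result']} d={c.get('header.d', '-')} does not vouch for {from_domain}")
            elif c["method"] == "spf":
                if c["result"] == "pass" and aligned(c.get("smtp.mailfrom", ""), from_domain):
                    verdict["spf_aligned"] = True
                else:
                    verdict["notes"].append(f"spf={c['result']} mailfrom={c.get('smtp.mailfrom', '-')} does not vouch for {from_domain}")
    # No aligned pass at all (including no trusted result) is treated as suspect.
    verdict["forged_suspect"] = not (verdict["dkim_aligned"] or verdict["spf_aligned"])
    return verdict


# Constructed messages as they would look after mx.example.net has checked them.
ALIGNED = """From: Alice <alice@example.com>
Authentication-Results: mx.example.net; dkim=pass (2048-bit key) header.d=example.com header.s=sel1; spf=pass smtp.mailfrom=bounces@example.com
Subject: invoice 4471

Attached.
"""
PASSES_BUT_UNALIGNED = """From: Alice <alice@example.com>
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-sender.example.net; spf=pass smtp.mailfrom=bounce@bulk-sender.example.net
Subject: invoice 4471

Attached.
"""
INJECTED_HEADER = """From: Alice <alice@example.com>
Authentication-Results: attacker.example; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=alice@example.com
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=alice@example.com
Subject: invoice 4471

Attached.
"""

if __name__ == "__main__":
    for label, raw in [("aligned", ALIGNED), ("unaligned", PASSES_BUT_UNALIGNED), ("injected", INJECTED_HEADER)]:
        v = evaluate(raw)
        print(f"{label}: suspect={v['forged_suspect']} dkim={v['dkim_aligned']} spf={v['spf_aligned']}")
        for n in v["notes"]:
            print("   -", n)
```

The second message is the case the article warns about: both checks pass, but for a domain that has nothing to do with the From address, so it is still treated as a possible forgery.  The third shows why the check must be pinned to your own server’s name; a sender can write any Authentication-Results header they like before handing the message over.  And as item 4 of section 8 notes, even an aligned pass only proves the message left the right infrastructure, not that the account sending it was in honest hands.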

8. Common Sense

Last but not least is use of common sense!

  1. Most forged email does not read exactly like the messages you normally receive from that sender, if they are family or a friend.
  2. If there is a link to click on, hover over it first and see if the link looks funny, i.e. goes to some domain that doesn’t look like it should.  If so, be very wary.
  3. If the request is unusual or extraordinary, it is best to verify it with a phone call or text message.  Many messages appear to be time-sensitive emergencies that require you to do something, fast, to help someone or yourself.  They use pressure and familiarity to make you skip any checking and act out of fear or altruism.  Unfortunately, you need to be skeptical until you have some certainty that the request is legitimate.
  4. Even if DKIM and SPF check out, a message could still be fake.  E.g. a virus could have infected the sender’s computer, or their email account could have been taken over, and be sending messages to their contact list through their regular servers.  Everything will look “OK” on the surface, will pass DKIM and SPF, and may even slip past your filtering software; only the content of the message itself will tip you off, if you keep your eyes open.
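As an added example (not LuxSci’s code) serving both section 2 and item 2 above: this Python script looks at an HTML message body the way a cautious reader would before opening it fully, listing the remote images that would fire as web bugs and the links whose visible text points somewhere other than the real target.  It uses only the standard library and never fetches anything.  The message, its tracking URL and the look-alike domain examp1e.net are all constructed.

```python
"""Inspect an HTML email body without rendering or fetching anything: list the
remote images that would act as web bugs (section 2) and the links whose
visible text does not match their real target (section 8, item 2).  Added
example, not LuxSci's code; standard library only.  The HTML message below is
constructed, including its look-alike domain."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches text that reads as a URL or bare domain; group 1 is the domain without "www."
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$")


class MailBodyInspector(HTMLParser):
    """Collects remote <img> sources and <a> links together with their visible text."""

    def __init__(self):
        super().__init__()
        self.remote_images = []   # (src, width, height)
        self.links = []           # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.remote_images.append((src, a.get("width") or "", a.get("height") or ""))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"].strip(), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_red_flags(href: str, text: str) -> list:
    """The checks a hover-over would let you do by eye, applied to one link."""
    flags = []
    parsed = urlparse(href)
    host = real_host(href)
    if parsed.scheme.lower() not in ("http", "https"):
        flags.append(f"unexpected scheme {parsed.scheme!r}")
    m = DOMAIN_IN_TEXT.match(text.lower())
    if m and m.group(1) != host:
        flags.append(f"text shows {m.group(1)} but link goes to {host}")
    if parsed.username:
        flags.append("user@ prefix hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("internationalized (punycode) host, possible look-alike")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    return flags


def inspect_html(html: str) -> dict:
    p = MailBodyInspector()
    p.feed(html)
    p.close()
    return {
        "remote_images": [src for src, _, _ in p.remote_images],
        # A 1x1 or 0x0 remote image has no purpose except to report that you opened the message.
        "tracking_pixels": [src for src, w, h in p.remote_images if w in ("0", "1") or h in ("0", "1")],
        "links": [(href, text, link_red_flags(href, text)) for href, text in p.links],
    }


SAMPLE_HTML = """<html><body>
<p>Dear customer, please visit
<a href="https://secure-login.examp1e.net/verify">https://www.example.com/login</a>
within 24 hours to keep your account active.</p>
<p>Questions? See <a href="https://example.com/help">our help pages</a>.</p>
<img src="https://track.example.net/open?id=8f3a2c" width="1" height="1">
<img src="https://www.example.com/logo.png" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    report = inspect_html(SAMPLE_HTML)
    print("remote images:", len(report["remote_images"]))
    print("tracking pixels:", report["tracking_pixels"])
    for href, text, flags in report["links"]:
        print(f"{text!r} -> {href}:", "; ".join(flags) or "looks consistent")
```

Only the second image is reported as a tracking pixel; the logo is remote too and would also confirm your address if fetched, which is why the plain text preview of section 2 fetches neither.  The first link is exactly the hover-check red flag: the text reads like a URL at example.com, the target is a domain with a digit where a letter should be.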

If you are using LuxSci WebMail:

  • We have a preference for always showing the sender email address
  • We have preferences for previewing email messages (text only) and for not showing images in email right away
  • We support DKIM and can assist you with setup of DKIM, SPF, and other suggestions listed herein.
