How do I block spoofed messages that look like they're from my company but are not?

Spammers love to send spoofed messages that trick users into thinking their CEO or billing department is asking them to transfer money or do some other task, often to phish information. These are very dangerous attacks, and they can also be tricky to stop. There are a few things to know about stopping them:

  • Sometimes the spoofer/spammer uses their own email address and only borrows the CEO's name. The sender may appear as something like "John Doe <theuser@somedomain.com>", where "John Doe" is your CEO's name and "theuser@somedomain.com" is an address the spammer controls. The problem is that this address might pass an SPF check, meaning the message is verified as coming from an approved source, so these messages are often not stopped. To stop them, you may need to set up a Custom Filter (Settings > Custom Filters tab) that searches the "From" section of the message for the CEO's name:

    https://www.spamhero.com/cp2/settings/custom-filters/domain

  • If you find that the spoofing message is actually using your domain name, or one of your users' email addresses, this article may help:

    https://www.spamhero.com/support/123824/How_can_I_stop_spoofing

  • It is also important to know that an email message actually has 2 sender addresses: the return path (or envelope sender) and the from address. These are not always the same! Sometimes there is a legitimate reason for this, for example when you send through a mailing list service. The from address may be your email address, such as "user@domain.com", while the return path is the mailing list company's email address. This is normal. However, a spoofer may use your from email address with their own address as the return path. An example may be:
    Return Path: spoofer@somedomain.com
    From: user@domain.com

    In this case, since the domains are different (somedomain.com vs domain.com), the sender is not aligned. You can quarantine messages that have alignment issues. To do this, see the new Settings > Approved senders system.
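
The two checks described above, as an added Python example. This is not SpamHero's code; the names PROTECTED_NAMES, OWN_DOMAINS, check_message and the sample messages are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: names to protect and your real sending domains.
PROTECTED_NAMES = {"john doe"}
OWN_DOMAINS = {"domain.com"}

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def check_message(raw):
    """Return the list of spoofing findings for one raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)
    findings = []

    # Case 1: a protected name in the From display name, on an outside address.
    # SPF can still pass, because the spammer's own domain approves the sender.
    name = " ".join(display.lower().split())
    if any(p in name for p in PROTECTED_NAMES) and from_dom not in OWN_DOMAINS:
        findings.append("display-name-spoof")

    # Case 2: From domain differs from the Return-Path (envelope sender) domain.
    # Exact-match comparison, as in the example above. A bounce has an empty
    # Return-Path ("<>") and is skipped. Mailing list services also trip this.
    if rp_dom and from_dom != rp_dom:
        findings.append("not-aligned")
    return findings

# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "name_spoof": 'Return-Path: <theuser@somedomain.com>\n'
                  'From: "John Doe" <theuser@somedomain.com>\n\nPlease wire funds.\n',
    "misaligned": 'Return-Path: <spoofer@somedomain.com>\n'
                  'From: user@domain.com\n\nInvoice attached.\n',
    "legitimate": 'Return-Path: <user@domain.com>\n'
                  'From: John Doe <user@domain.com>\n\nQuarterly update.\n',
    "bounce": 'Return-Path: <>\nFrom: postmaster@domain.com\n\nDelivery failed.\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```
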


Last updated October 31, 2021