The Fraudster's Favorite Phishing Tactic

Deception is the essential ingredient in any successful phishing attack. And cybercriminals go to great lengths to create it, jeopardizing the brand reputation and revenue of companies they spoof.

In defense, many brands are now implementing email authentication standards like DMARC (Domain-based Authentication Reporting and Conformance). With DMARC, attacks that spoof legitimate sending domains are blocked before they ever reach consumer inboxes.

But fraudsters are finding creative ways to evade email authentication. Their favorite way to do it? Spoofing the Display Name of legitimate brands.

Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the Display Name.

Here’s how it works. If a fraudster wanted to spoof the hypothetical brand “My Bank,” the email may look something like:

screen_shot_2015_09_22_at_2_16_17_pm (1)


Since My Bank doesn’t own the domain “,” DMARC will not block this email on My Bank’s behalf, even if My Bank has set their DMARC policy for to reject messages that fail to authenticate.

This fraudulent email, once delivered, may appear legitimate because most user inboxes only present the Display Name.

Since the Display Name is only one element of the Header From: field, we wanted to dig a little deeper to see if and how cybercriminals spoofed the sending email address following the Display Name.

We analyzed both the Email Name (to the left of the @) and the Email Domain (to the right of the @) and discovered that nearly 30% of threats spoofed the brand in the email address. Of those threats, more than two thirds focused on spoofing the Email Domain alone:


When we looked at the union of Display Names and email addresses, we discovered the following spoofing behaviors in relation to the Header From field:



In the majority (62.69%) of email threats, fraudsters spoof elements of the Header From field, the most popular being the Display Name field, for which there is currently no authentication.

Current email authentication solutions, while critical, clearly do not suffice on their own. Fraudsters like to mix and match tactics to reach their victims. That’s why visibility into all threats targeting your brand and your customers is critical.

Want to learn about the other tactics fraudsters use to cheat email authentication? Check out The Email Threat Intelligence Report.

Prev Next

minute read

Popular stories