The Fraudster's Favorite Phishing Tactic

Deception is the essential ingredient in any successful phishing attack. And cybercriminals go to great lengths to create it, jeopardizing the brand reputation and revenue of companies they spoof.

In defense, many brands are now implementing email authentication standards like DMARC (Domain-based Message Authentication, Reporting and Conformance). With DMARC, attacks that spoof legitimate sending domains are blocked before they ever reach consumer inboxes.

But fraudsters are finding creative ways to evade email authentication. Their favorite way to do it? Spoofing the Display Name of legitimate brands.

Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the Display Name.

Here’s how it works. If a fraudster wanted to spoof the hypothetical brand “My Bank,” the email may look something like:

[Screenshot of an example spoofed "My Bank" email; image not reproduced here]


Since My Bank doesn’t own the domain “,” DMARC will not block this email on My Bank’s behalf, even if My Bank has set their DMARC policy for to reject messages that fail to authenticate.

This fraudulent email, once delivered, may appear legitimate because most user inboxes only present the Display Name.

Since the Display Name is only one element of the Header From: field, we wanted to dig a little deeper to see if and how cybercriminals spoofed the sending email address following the Display Name.

We analyzed both the Email Name (to the left of the @) and the Email Domain (to the right of the @) and discovered that nearly 30% of threats spoofed the brand in the email address. Of those threats, more than two-thirds focused on spoofing the Email Domain alone:


When we looked at the union of Display Names and email addresses, we discovered the following spoofing behaviors in relation to the Header From field:



In the majority (62.69%) of email threats, fraudsters spoof elements of the Header From field, the most popular being the Display Name field, for which there is currently no authentication.
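The distinction the article draws between the three parts of the Header From field (Display Name, Email Name, Email Domain) is easy to make concrete. The following is an added example, not code from the original post or from Return Path: a small classifier that takes a raw From: header, splits it the way a mail client does, and reports which elements mention the brand while the address sits on a domain the brand does not own. The brand name, the list of brand-owned domains and the sample headers are all constructed for the example; only the domain check corresponds to something DMARC can enforce, the display name and local part carry no authentication at all.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers for the hypothetical brand "My Bank".
# "mybank.example" plays the role of the domain the brand actually owns.
SAMPLE_FROM_HEADERS = [
    '"My Bank" <alerts@mybank.example>',                 # legitimate sender
    '"My Bank" <customer.service@mail-notify.example>',  # Display Name spoof
    '"Security Team" <mybank@free-mail.example>',        # Email Name spoof
    '"My Bank Alerts" <noreply@mybank-secure.example>',  # Display Name + lookalike Email Domain
    'Newsletter <news@unrelated.example>',               # no brand reference at all
]


def _mentions_brand(text, brand):
    """True if the brand name appears in text after normalisation.

    Lower-cases and strips everything that is not a letter or digit, so
    "My Bank", "my-bank" and "MyBank" all match the same brand.
    """
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return bool(norm(brand)) and norm(brand) in norm(text)


def classify_from_header(header, brand, brand_domains):
    """Split a From: header and report which elements spoof the brand.

    Returns a dict with the parsed parts, whether the brand's own DMARC policy
    would even apply (it only does when the Email Domain is one the brand owns)
    and the list of spoofed elements in the order the article discusses them.
    """
    display_name, address = parseaddr(header)
    if "@" in address:
        local, _, domain = address.rpartition("@")
    else:  # malformed or bare name; treat the whole thing as the local part
        local, domain = address, ""
    domain = domain.lower()
    owned = {d.lower() for d in brand_domains}
    legit_domain = domain in owned

    spoofed = []
    if not legit_domain:
        # DMARC cannot act here: the brand has no policy for a domain it does not own,
        # so any brand mention in these fields is pure deception.
        if _mentions_brand(display_name, brand):
            spoofed.append("display_name")
        if _mentions_brand(local, brand):
            spoofed.append("email_name")
        if _mentions_brand(domain, brand):
            spoofed.append("email_domain")

    return {
        "display_name": display_name,
        "local_part": local,
        "domain": domain,
        "dmarc_applies": legit_domain,
        "spoofed_elements": spoofed,
    }


def summarize(headers, brand, brand_domains):
    """Count spoofed elements across a batch of headers, like the article's breakdown."""
    counts = {"display_name": 0, "email_name": 0, "email_domain": 0, "any": 0, "total": 0}
    for header in headers:
        result = classify_from_header(header, brand, brand_domains)
        counts["total"] += 1
        for element in result["spoofed_elements"]:
            counts[element] += 1
        if result["spoofed_elements"]:
            counts["any"] += 1
    return counts


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(h, "->", classify_from_header(h, "My Bank", ["mybank.example"])["spoofed_elements"])
    print(summarize(SAMPLE_FROM_HEADERS, "My Bank", ["mybank.example"]))
```

Run against the constructed sample, three of the five headers spoof at least one element, and the Display Name is the most common one, which is the pattern the article reports. The `dmarc_applies` flag is the important caveat: only the first header lands on a domain where My Bank's reject policy can do anything; the remaining spoofs would need a brand-aware check on the Display Name and local part, which no authentication standard covers.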

Current email authentication solutions, while critical, clearly do not suffice on their own. Fraudsters like to mix and match tactics to reach their victims. That’s why visibility into all threats targeting your brand and your customers is critical.

Want to learn about the other tactics fraudsters use to cheat email authentication? Check out The Email Threat Intelligence Report.
