Eli5 how does email spoofing work?

2 Answers

Anonymous

The first thing you need to recognize is that email is a very old protocol by computer standards and was developed in a time long before IT and internet security was understood or even a concern.

I once described basic email security as follows:

**HELLO I’m Microsoft.com**

**Hello Microsoft.com**

**Here’s an email from Bill Gates**

**OK! thanks!**

Is that email legit? Was it actually from Microsoft.com? Email at a very basic level doesn’t even bother to check…

While there’s a bunch of security features that have been added onto it over the years (like SPAM filters, encryption, SPF, DMARC, etc. for those paying attention), it’s still an awfully old and basic protocol at its core and to be perfectly honest it’s shocking that we still use it. It’s just so ingrained in our lives and businesses at this point that it’s very hard to replace.

As for spoofing, the FROM address in an email can easily be altered to show a name that isn’t the RETURN address.

I could show you how to do that from a DOS and Telnet session in about 5 minutes.

The process is roughly the same as putting a false name in a return address on a letter in snail mail. The letter’s return address is legit, but the name of the person that sent it is false.

So when you receive the email the name in the FROM field looks legit, but the return address is probably some GMAIL account.

Email has protections like SPF that force a check to confirm the email was sent from an authorized source for that Domain, but A. that only works if you have a good SPAM filter in front of your email, and B. the sending Domain has bothered to set up their SPF properly and ho boy are there a lot of companies that don’t…

More sophisticated attacks will break into companies’ mail servers and use them (referred to as a zombie) to send email. If you have access to their mail server then you can send all the legit looking email you want. But you can also use this to spoof email, because there are ways to fool the SPF check in SPAM filters because you are sending an email with a legit return address and from a legit source so the SPF check passes but the LABEL on the FROM field is false.

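The answer's last point (SPF passes, yet the FROM shown to the reader is false) can be checked on the receiving side by comparing the From header domain with the Return-Path domain that SPF actually evaluated. The sketch below is an added example, not part of the answer above; the sample messages, the `.example` domains and the function names are constructed for illustration, and the alignment test is a simplification of what DMARC does.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def aligned(a, b):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the
    other. Real DMARC compares organizational domains (Public Suffix List)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def inspect_message(raw):
    """Compare what the reader sees (From) with what SPF checked (Return-Path)."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    from_dom, env_dom = domain_of(from_addr), domain_of(envelope)
    ok = aligned(from_dom, env_dom)
    return {
        "display_name": display,
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "spf": spf.group(1).lower() if spf else "none",
        "aligned": ok,
        # An SPF pass only vouches for the envelope domain, so a pass with a
        # misaligned From header is exactly the case described in the answer.
        "suspicious": not ok,
    }


# Constructed sample messages; every domain is a reserved .example name.
SPOOFED = "\n".join([
    "Return-Path: <bounce@freemail.example>",
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=freemail.example",
    'From: "Bill Gates" <bill.gates@microsoft.example>',
    "Subject: Quick favour", "", "Please reply today."])
LEGIT = "\n".join([
    "Return-Path: <bounces@mail.shop.example>",
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail.shop.example",
    'From: "Shop News" <news@shop.example>',
    "Subject: Receipt", "", "Thanks for your order."])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, inspect_message(raw))
```

This is the gap DMARC closes: it requires the domain that passed SPF (or signed with DKIM) to align with the From header domain the reader sees.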