Display name deception is the most common form of email spoofing and is often successful because many email clients (especially on mobile devices) show only the display name. With this kind of attack, criminals can insert the identity of a trusted individual (such as the name of an executive at the targeted company) or a trusted brand (such as the name of the bank used by the targeted individual) into the display name. Since common consumer mailbox services, such as Gmail and Yahoo, allow a user to specify any value in the display name, this type of attack is simple and cheap to stage from such a service. For example:
| David Smith <[email protected]> | Original person you have been communicating with. |
| David R. Smith <[email protected]> | Could be the same as the row above, maybe he just changed his display name or maybe his account has been compromised and the attacker modified the display name. |
| David R. Smith <[email protected]> | Could be the same as the 1st row, just a personal email address or could be an attacker setting up a similar looking legit email address. |
| David Robert Smith <[email protected]> | Definitely an attacker. |
When an email is confirmed as dangerous by our Visible-IR (Incident Response) Team, the following banners may appear at the top of the email. In addition to this banner the email may be moved to either your Junk or Deleted email folder depending on the threat detected