
Is Email Spoofing Illegal in the UK in 2024?

16th February 2024

Email spoofing is the sending of email with a forged sender address. It is possible because the protocols that carry email do not, by themselves, authenticate the sender: an SMTP server will accept whatever envelope sender (MAIL FROM) and "From:" header the sending system supplies, and a mail client simply displays the "From:" header it is given. Against this background the question arises: is email spoofing illegal in the UK? The technique is used mainly in spam and phishing campaigns to make the recipient believe the message came from a known or trusted person or organisation. By forging the headers, attackers make client software display a false sender address, which most users accept without question.

Is Email Spoofing Illegal in the UK in 2024?

In the UK, the legality of email spoofing is nuanced. Spoofing an email address is not itself named in legislation, but the intent behind it and its consequences can make it illegal under several laws. Email spoofing used for fraud, phishing or distributing malware can fall under the Computer Misuse Act 1990 and the Fraud Act 2006, which criminalise unauthorised access to computer systems and dishonest practices intended to make a personal or financial gain or to cause loss to another. So where email spoofing is used for malicious purposes, it is indeed illegal in the UK.

Preventing Email Spoofing in 2024

Email providers and organisations are continuously strengthening their defences against email spoofing. By 2024, publishing anti-spoofing records for a domain has become standard practice, and the large mailbox providers now enforce them, which makes it much harder for attackers to deliver mail that claims to come from a protected domain. The key technologies are:

  • Sender Policy Framework (SPF): a DNS TXT record in which the domain owner lists the IP addresses (or other domains) authorised to send mail for that domain. Receivers check the connecting IP against the record for the envelope sender (MAIL FROM) domain, not the visible "From:" header, which is why SPF on its own does not stop a forged "From:" line.
  • DomainKeys Identified Mail (DKIM): the sending server signs selected headers and the body with a private key, and publishes the public key in DNS so receivers can verify that the message came from that domain and was not altered in transit. Unlike SPF, which is tied to the sending IP, a DKIM signature survives plain forwarding, provided the forwarder does not modify the signed headers or body (mailing lists that add footers or subject tags will break it).
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): a DNS record that ties SPF and DKIM to the "From:" header. A message passes DMARC only if SPF or DKIM passes and the domain that passed is aligned with the "From:" domain; the record's policy (none, quarantine or reject) tells receivers what to do with messages that fail. DMARC also provides aggregate and failure reporting, so domain owners can see who is sending mail in their name and how it is being handled.

Together these technologies authenticate where a message really came from and so significantly reduce the risk of spoofing. We have written two articles about them in recent years:

  1. Newly Enforced Gmail and Yahoo DMARC Requirements for 2024
  2. What are DKIM Records and why you should use them?
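To show how the three records fit together, here is an added example (not code from the original article) that evaluates SPF for the envelope sender and then applies DMARC alignment and policy to the "From:" domain. It runs entirely offline against a constructed DNS table for the hypothetical domain example.co.uk; the DKIM verdict and signing domain are passed in rather than computed, since verifying a DKIM signature needs the signed message and public key, and the organisational-domain logic is a simplified stand-in for the Public Suffix List that real verifiers use.

```python
"""SPF evaluation plus DMARC alignment and policy, over a constructed DNS zone.

Added illustrative example; the domains, IPs and records below are made up.
"""
import ipaddress

# Constructed TXT answers standing in for live DNS lookups (all hypothetical).
DNS_TXT = {
    "example.co.uk": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"],
    "bounce.example.co.uk": ["v=spf1 include:example.co.uk -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.co.uk": [
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc@example.co.uk"
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain against the sending IP.

    Handles ip4/ip6/include/all; a, mx, exists and redirect are omitted because
    they need further DNS lookups. Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:               # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:          # multiple SPF records are invalid
        return "permerror"
    addr = ipaddress.ip_address(client_ip)
    for term in records[0].lower().split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            # ip_network() of a bare address is a /32 or /128; version mismatch is False
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: only matches when the included domain's evaluation passes
            if check_spf(term[8:], client_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"              # no term matched and no "all" present


def org_domain(domain):
    """Simplified organisational domain: last two labels, or three under
    second-level ccTLD registrations such as co.uk. Real code uses the PSL."""
    labels = domain.lower().split(".")
    second_level = len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if second_level else labels[-2:])


def dmarc_policy(header_from):
    """Find the DMARC record for the From: domain, falling back to the
    organisational domain and its sp= tag for subdomains."""
    for name, is_sub in ((header_from, False), (org_domain(header_from), True)):
        recs = [r for r in lookup_txt("_dmarc." + name) if r.startswith("v=DMARC1")]
        if recs:
            tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
            policy = (tags.get("sp") or tags.get("p", "none")) if is_sub else tags.get("p", "none")
            return {"p": policy, "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}
    return None


def aligned(header_from, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, mail_from, client_ip, dkim_result="none", dkim_domain=None):
    """Combine SPF and DKIM results with alignment and return the DMARC verdict
    and the disposition the receiver should apply."""
    spf = check_spf(mail_from, client_ip)
    policy = dmarc_policy(header_from)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_aligned = spf == "pass" and aligned(header_from, mail_from, policy["aspf"])
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(header_from, dkim_domain, policy["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    cases = [
        ("legitimate", "example.co.uk", "example.co.uk", "203.0.113.5", "pass", "example.co.uk"),
        ("spoofed From:", "example.co.uk", "attacker.example", "192.0.2.77", "none", None),
        ("unaligned third party", "example.co.uk", "mail.example.net", "198.51.100.10", "pass", "mail.example.net"),
        ("relaxed SPF alignment", "example.co.uk", "bounce.example.co.uk", "203.0.113.9", "none", None),
    ]
    for label, *args in cases:
        print(f"{label:24} {evaluate_dmarc(*args)}")
```

The third case is the one that catches well-meaning senders: the message passes SPF for the third party's own domain, but neither that domain nor its DKIM signature aligns with the "From:" domain, so DMARC fails and the p=reject policy applies. The fourth case shows why relaxed alignment (aspf=r) is usually the right choice for bounce and campaign subdomains.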

Real-Life Example of Email Spoofing

A modern example of email spoofing involves a scam where attackers pose as a reputable company’s IT department. The email, which looks convincingly official, alerts the recipient to a security breach in their account and urges immediate action to prevent data loss. It includes a link to a fake website designed to mirror the company’s official login page. Unwary individuals entering their credentials on this page inadvertently provide attackers with access to their accounts, leading to potential data theft and financial loss.

Innocent Uses of Spoofing That Are Still Not Permitted

While some attempts at email spoofing might stem from benign intentions, they are generally discouraged or prohibited due to the potential for misuse and confusion:

  • Automated Customer Service Responses: using automated systems to send responses that appear to come from the customer's own email address. The aim is to streamline communication, but it confuses both customers and staff and erodes trust, and such messages are likely to be marked as spam.
  • Testing Security Systems: IT departments simulate spoofing attacks to test email security controls. This improves defences, but it must be planned carefully, with appropriate authorisation, to avoid causing unnecessary alarm among the workforce.
  • Employee Impersonation for Internal Requests: sending emails under a manager's address to issue directives or requests to employees. Intended to speed up internal processes, this misrepresents authority and risks misunderstandings, undermining accountability and trust within the organisation.
  • Customer Impersonation for Third-Party Communication: presenting an initial outreach or enquiry as if it came directly from a customer rather than from an automated system or service. Although meant to improve the customer experience, it misleads recipients about the true origin of the request. It will also very likely fail DMARC for the customer's domain under the controls described above and end up in spam or be rejected outright.

Even when the intent is not malicious, these practices can undermine trust in email communications and potentially violate privacy and security policies. By understanding the complexities surrounding email spoofing, including its legal implications, prevention strategies, and potential for both harmful and seemingly benign uses, organisations can better navigate the challenges of maintaining secure and trustworthy email communications.

IMPORTANT: If you encounter a phishing attempt or suspect email spoofing, the National Cyber Security Centre (NCSC) provides guidance and a reporting service. Suspicious emails can be forwarded to report@phishing.gov.uk, and further information is on the NCSC's phishing scams page.


Disclaimer: While we discuss the implications and technical aspects around “is email spoofing illegal in the UK”, including its potential legality, it’s important to note that we are not legally trained professionals. Our commentary on email spoofing not being explicitly illegal in the UK is based on our understanding of current laws and should not be construed as legal advice. Laws vary by jurisdiction, and legal outcomes may depend on specific circumstances. We strongly recommend consulting with a legal professional for advice or if you require a definitive stance on the legality of email spoofing or any related activities.


Has something in this article piqued your interest? We're never more than a few clicks or a quick call away, so please don't hesitate to get in touch!
