Display name spoofing

Display name spoofing exploits the gap between what email clients show users and the actual sender address, allowing attackers to impersonate trusted contacts while passing email authentication checks.


What it is

Display name spoofing is a technique where an attacker sets the display name in an email's From header to match a trusted person, a CEO, vendor contact, or IT administrator, while using a completely unrelated email address. It is a common tactic in phishing and impersonation campaigns. Most email clients render the display name prominently and hide or de-emphasize the actual address, so recipients see "Jane Smith" without noticing the message came from [email protected] rather than [email protected].

The email From header has two components, the display name (a free-text string) and the addr-spec (the actual email address). For example, From: "Jane Smith - CFO" <[email protected]>. Nothing in the email protocol prevents an arbitrary string in the display name field.

Why authentication doesn't catch it

SPF validates the envelope sender (the MAIL FROM address used in the SMTP transaction). DKIM signs the message with a key associated with the sending domain. DMARC aligns these checks against the domain in the From header's addr-spec. In a display name spoofing attack, the attacker sends from a domain they legitimately control, often a free email provider, so SPF passes, DKIM passes, and DMARC passes. The deception is entirely in the display name, which none of these protocols evaluate.

This creates a structural gap. A message can be fully authenticated and still deceive the recipient about who sent it.

Common attack patterns

CEO fraud is the most recognized variant and a common form of business email compromise. An attacker sets the display name to the CEO's name and sends urgent requests, typically for wire transfers, gift card purchases, or sensitive data, to finance or HR staff. The urgency discourages verification through a second channel.

Vendor impersonation uses a display name matching a known supplier contact, paired with updated payment instructions. Because the real address is hidden, recipients process the request based on the visible name alone.

On mobile email clients, the problem is especially acute. Many mobile interfaces show only the display name with no visible address, and the compact layout discourages users from investigating message headers. Attackers sometimes combine display name spoofing with lookalike domains in the addr-spec to make the deception more convincing on closer inspection.

Mitigations

  • External sender banners. Email gateways and clients can tag messages from outside the organization with a visible warning banner, making it harder for external messages to pass as internal.
  • Display name comparison rules. Some email security products flag inbound messages where the display name matches a known VIP or executive but the sending address doesn't match the expected domain.
  • Client UI improvements. Email clients that always show the full sender address alongside the display name reduce the attack surface significantly.

No single control eliminates display name spoofing entirely. Because the attack operates in the presentation layer rather than the protocol layer, defense requires a combination of technical controls and user awareness.
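The first two mitigations above (external sender tagging and a display name comparison rule) can be written as a small inbound check over the From header described earlier. This is an added illustration, not code from the original page or any product it mentions; the internal domain, the VIP directory and the sample headers are constructed assumptions, and it uses Python's standard library to split the header into display name and addr-spec.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample data, not from the original page: the organization's own
# domain and the executives whose names a display-name comparison rule protects.
INTERNAL_DOMAIN = "example.com"
VIP_DIRECTORY = {
    "jane smith": "example.com",   # the CFO from the article's example header
    "bob lee": "example.com",
}

# Constructed sample From header values (assumed, not captured from real mail).
SAMPLE_HEADERS = {
    "spoofed": '"Jane Smith - CFO" <jane.smith.office@freemail.example>',
    "encoded": '=?UTF-8?B?SmFuZSBTbWl0aA==?= <js@freemail.example>',
    "legit": '"Jane Smith" <jane.smith@example.com>',
    "external": '"Pat Vendor" <pat@supplier.example>',
}


def normalize_name(name: str) -> str:
    """Lower-case and drop titles/punctuation so 'Jane Smith - CFO' still matches 'jane smith'."""
    return re.sub(r"[^a-z]+", " ", name.lower()).strip()


def check_from_header(from_value: str) -> list[str]:
    """Return findings for one From header value; an empty list means nothing was flagged."""
    # RFC 2047 encoded words would hide the display name from naive string matching,
    # so decode them before splitting the header into display name and addr-spec.
    decoded = str(make_header(decode_header(from_value)))
    display, addr = parseaddr(decoded)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # External sender tagging: anything not sent from the internal domain gets a banner.
    if domain != INTERNAL_DOMAIN:
        findings.append("EXTERNAL_SENDER")
    # Display name comparison: a protected name must arrive from its expected domain.
    name = normalize_name(display)
    for vip, expected_domain in VIP_DIRECTORY.items():
        if re.search(rf"\b{re.escape(vip)}\b", name) and domain != expected_domain:
            findings.append(f"VIP_NAME_MISMATCH:{vip}")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:9} {check_from_header(header) or 'ok'}")
```

A real gateway would normally also compare the display name against a directory of all employees, not just executives, and log the full header for the analyst rather than only the verdict.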
