What is a display name spoof?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You glance at your inbox, see "CEO Jennifer Smith" in the sender list, and think: legit. But the actual sending address? totally-not-phishing@random-domain.xyz. That's a display name spoof.
It works because most email clients show the display name first and hide the actual address unless you dig. So "CEO Jennifer Smith <random@xyz.com>" appears as just "CEO Jennifer Smith" in your inbox list. An attacker picks a trusted name (your CEO, your bank, "IT Support") and pairs it with an address they control. You see the name, trust it, click.
This is different from domain spoofing, where someone forges the actual sending domain to match yours. Display name spoofs are easier to pull off because the attacker doesn't need to compromise your domain or bypass authentication. They just use a name you'd trust and a throwaway address.
Why it still works in 2024: people scan, they don't read. You're looking at 50 emails, you see "Payroll Dept" and you click. Only when something feels off do you hover over the address and realize it's payroll-updates@sketchy-domain.com, not your actual payroll system.
The defenses: DMARC alignment doesn't stop display name spoofs directly (it only checks if the From domain matches SPF/DKIM), but it does stop attackers from spoofing your actual domain in the From address. That forces them to use random domains, which domain reputation systems catch quickly. A brand-new domain sending "urgent payment requests" gets flagged fast. You can also train your team to hover before clicking, or use email security tools that flag mismatched display names (many enterprise email filters now highlight when the display name doesn't match the domain).
For senders: if you're a legitimate business, make sure your DMARC policy is enforced so attackers can't spoof your domain. And use a recognizable, consistent display name so your recipients learn what real emails from you look like. "Acme Corp Billing" every time, not "Billing Dept" one week and "Accounts Receivable" the next.
Now if you're on the receiving end and something feels off, check the actual address. Hover over the sender name, or tap to expand it on mobile. If the domain doesn't match the organization, don't click. When in doubt, go directly to the service (type the URL yourself, don't click the link in the email) and check there.
You can test your own domain's vulnerability to spoofing with our free Email Header Analyzer, or check if your DMARC setup is actually protecting you with the DMARC Parser. If you're stuck on authentication setup, our SOS Hotline is free and we actually pick up ;)
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.