What is a display name spoof?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You glance at your inbox, see "CEO Jennifer Smith" in the sender list, and think: legit. But the actual sending address? totally-not-phishing@random-domain.xyz. That's a display name spoof.

It works because most email clients show the display name first and hide the actual address unless you dig. So "CEO Jennifer Smith <random@xyz.com>" appears as just "CEO Jennifer Smith" in your inbox list. An attacker picks a trusted name (your CEO, your bank, "IT Support") and pairs it with an address they control. You see the name, trust it, click.

This is different from domain spoofing, where someone forges the actual sending domain to match yours. Display name spoofs are easier to pull off because the attacker doesn't need to compromise your domain or bypass authentication. They just use a name you'd trust and a throwaway address.

Why it still works in 2024: people scan, they don't read. You're looking at 50 emails, you see "Payroll Dept" and you click. Only when something feels off do you hover over the address and realize it's payroll-updates@sketchy-domain.com, not your actual payroll system.

The defenses: DMARC alignment doesn't stop display name spoofs directly (it only checks if the From domain matches SPF/DKIM), but it does stop attackers from spoofing your actual domain in the From address. That forces them to use random domains, which domain reputation systems catch quickly. A brand-new domain sending "urgent payment requests" gets flagged fast. You can also train your team to hover before clicking, or use email security tools that flag mismatched display names (many enterprise email filters now highlight when the display name doesn't match the domain).

For senders: if you're a legitimate business, make sure your DMARC policy is enforced so attackers can't spoof your domain. And use a recognizable, consistent display name so your recipients learn what real emails from you look like. "Acme Corp Billing" every time, not "Billing Dept" one week and "Accounts Receivable" the next.

Now if you're on the receiving end and something feels off, check the actual address. Hover over the sender name, or tap to expand it on mobile. If the domain doesn't match the organization, don't click. When in doubt, go directly to the service (type the URL yourself, don't click the link in the email) and check there.

You can test your own domain's vulnerability to spoofing with our free Email Header Analyzer, or check if your DMARC setup is actually protecting you with the DMARC Parser. If you're stuck on authentication setup, our SOS Hotline is free and we actually pick up ;)

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get AI help applying this →

I read this on the Email Almanac about display name spoofing: "A display name spoof shows a trusted name (like 'CEO Jennifer Smith') but hides a fake sending address (like totally-not-phishing@random-domain.xyz). It works because people scan names, not addresses. DMARC doesn't stop it directly, but enforcing DMARC on your own domain prevents attackers from spoofing YOUR domain in the From address, forcing them to use throwaway domains that get caught by reputation filters." Help me apply this to my situation. I need: 1. Risk assessment for my domain/business - What's my exposure to display name spoofs (as a sender or recipient)? - If I'm a sender: can attackers spoof my brand this way? - If I'm a recipient/org: what's my team's risk profile? 2. Defensive setup checklist - DMARC enforcement status (am I protected from domain spoofing?) - Email security tools I should consider (display name mismatch detection) - Training/policy changes for my team (what to teach them to spot) 3. If I'm already targeted - How to confirm it's a display name spoof vs. domain spoof - Steps to take immediately (reporting, alerting team, blocking sender) - How to prevent future attempts 4. Sender reputation protection - How to make my legitimate emails recognizable (consistent display name strategy) - What display name format reduces spoof risk for my recipients - How to monitor if someone is spoofing my brand name --- My details: - Email platform/ESP: e.g. Gmail, Outlook, custom domain with Google Workspace - My role: sender/business owner, IT admin, recipient/end user - Domain(s): your domain if you're a sender - Current DMARC status: none / monitoring / quarantine / reject / don't know - What prompted this: [saw suspicious email, planning defenses, got spoofed, training team]

Edit the yellow boxes, then send to the AI of your choice.