Play Live Radio
Next Up:
Available On Air Stations
Watch Live

Science & Technology

UC San Diego researcher finds new vulnerabilities for email providers

Hackers try to deceive people by sending them emails that seem to be from someone else. It's called spoofing. And cybersecurity experts at UC San Diego say it’s easily done on some systems by using a forwarding command. KPBS sci-tech reporter Thomas Fudge has more.

Let’s say you’re checking your email and you see an email with the return address You may wonder what Secretary of State Antony Blinken wants with you.

The email might be from him, but cybersecurity experts at UC San Diego (UCSD) recently created an email impersonating him — called a spoof — using methods that are available to online users.

Hackers are always looking for ways to deceive people online, to get them to open malware or reveal their passwords. And they're more likely to do so if they think the email comes from someone of trust or authority.


“Spoofing is you trying to stand as someone else. I’m from UCSD, but I’m trying to send an email from,” said cybersecurity expert Alex Liu, referring to the name of the U.S. State Department’s Internet domain.

Liu is the lead author of a research paper that shows how spoofed emails can be created with an automatic forwarding command.

It relies on how most companies and agencies don’t manage their own email servers. They use things like Gmail or Outlook. The State Department uses Outlook.

“Having access to Outlook service is much easier than having access to Because is not going to give a random guy like me access. But Outlook on the other hand is open to registration. You can register for an Outlook account. I can register for an Outlook account,” Liu said.

And so can scammers who want to forge an online identity. In a typical scenario, Liu said a hacker with, say, an Outlook account would create a spoofed email, send it to themselves and automatically forward it to potential victims.


The UCSD research identified several email server companies and end users that are vulnerable, including several U.S. cabinet email domains like Financial services company Mastercard is on the list, along with media companies like the Washington Post and the Associated Press.

Liu says spoofs can fool the target’s email system because the fake email is coming from the same server that works for — in this example — the State Department.

Alex Liu stands next to UC San Diego's science and engineering building in this undated photo. Liu is a computer science Ph.D. student who specializes in cyber security.
Courtesy of UC San Diego
Alex Liu stands next to UC San Diego's science and engineering building. Liu is a computer science PhD student who specializes in cyber security. Undated photograph

“This email is claiming to be from, and it’s sent by an Outlook server and does allow Outlook to send on its behalf,” he said. “So (email providers) would consider the email trustworthy in this case.”

There’s not much an individual can do here aside from being suspicious when something looks wrong. Protection lies with those third-party email companies.

He said some are doing a good job stopping fake emails and some, like Outlook and iCloud, have some work to do. KPBS sought out comments from Microsoft and Apple, but were not addressed in time for this story.

KPBS has created a public safety coverage policy to guide decisions on what stories we prioritize, as well as whose narratives we need to include to tell complete stories that best serve our audiences. This policy was shaped through months of training with the Poynter Institute and feedback from the community. You can read the full policy here.