Display-Name Spoofing
A technique where an attacker sets a legitimate-looking name in the email 'From' field while using a completely different, often fraudulent, email address.
Also known as: friendly-name spoofing, sender name spoofing
Last reviewed: 1 June 2026
Most email clients show only the display name — the friendly label before the actual address — in their default view. Display-name spoofing exploits this by setting the name to something trusted ('Apple Support', 'Your Bank', 'CEO FirstName LastName') while the real sending address is something like '[email protected]'. Victims who do not expand the full header see only the name they trust.
This technique is not caught by SPF or DKIM authentication: those checks validate the domain that actually sent or signed the message, which may well be a legitimate (or at least non-blocked) domain, while only the display name is deceptive. It is widely used in CEO fraud and business email compromise (BEC), where an employee receives what appears to be an urgent request from their chief executive.
The defence is straightforward but requires habit: always expand or hover over the sender name to reveal the full email address before acting on any financial or sensitive request, and treat any mismatch as a red flag. Organisations can also configure email clients to show full addresses by default.
Examples
- An email displays 'From: Jane Smith, CFO' but expanding the address reveals it was sent from '[email protected]'.
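The check described in the defence paragraph, done mechanically, as an added example that is not part of this glossary entry: it parses a From header, compares the display name against a constructed directory of trusted names and the domains they should send from, and also flags the variant in which the display name is itself written like an email address. The directory, domains and sample headers are assumptions.

```python
from email.utils import parseaddr

# Constructed directory, an assumption for this example: lowercase names a user
# would trust, mapped to the domains mail bearing that name should come from.
# Subdomains must be listed explicitly; the comparison is exact.
TRUSTED_NAMES = {
    "jane smith": {"example.com"},
    "apple support": {"apple.com"},
}


def parse_from(header: str) -> tuple[str, str, str]:
    """Split a From: header value into (display name, address, domain), lowercased."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def check_from(header: str, trusted: dict = TRUSTED_NAMES) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    name, addr, domain = parse_from(header)
    if not domain:
        return "suspicious", "no parsable address in From header"
    # Variant: the display name is itself written like an address, so the client
    # shows a plausible mailbox while the real sender is somewhere else entirely.
    if "@" in name and name != addr:
        return "suspicious", f"display name looks like an address but mail is from {addr}"
    # The classic case: a recognised name (executive, brand) in front of a foreign
    # domain. Substring matching ignores titles such as ', CFO' and punctuation.
    for known, domains in trusted.items():
        if known in name:
            if domain in domains:
                return "ok", f"'{known}' sent from expected domain {domain}"
            return "suspicious", f"display name matches '{known}' but address is {addr}"
    return "unknown", f"no trusted name in display name; address is {addr}"


if __name__ == "__main__":
    # Constructed sample headers: the glossary example, its legitimate counterpart,
    # and the address-as-display-name variant.
    for sample in (
        '"Jane Smith, CFO" <jane.smith@freemail.example>',
        '"Jane Smith" <jane.smith@example.com>',
        '"ceo@example.com" <random123@freemail.example>',
    ):
        print(sample, "->", check_from(sample))
```

A mail gateway or add-in running the same comparison against the company directory can tag such messages before the user has to remember to expand the sender.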