What is spoofing?

With phishing and identity theft remaining critical threats to personal and corporate cybersecurity, you might think that scams have grown more complex over the years. While it’s true that the resources available to scammers and fraudsters have improved and that the methods used to trick victims have changed, the underlying anatomy of a scam hasn’t changed. Most scams involve someone misrepresenting themselves to potential victims and manipulating them with scenarios and pretexts designed to provoke an urgent and emotional response. Although we’ve given a broad overview of scams in the past, in this post, we’re covering the first part of a scam – the initial approach, specifically how scammers conceal their identities with a technique known as spoofing.

Fraud by any other name

What exactly is spoofing? The verb spoof means to make a joke or parody of something, but the modern connotation of the word is far more sinister. Today, the term usually refers to the act of forging credentials in order to approach a victim as someone else. Nearly every hacker, scammer, phisher or social engineer interacting with human targets is a “spoofer” of some sort. In other words, spoofing is integral to many of today’s most devastating scams. Spoofing isn’t new, though; it’s just forgery by another name, but with today’s technology, it’s become trivially easy to perform spoofing convincingly.

What can be spoofed?

Given the ingenuity of scammers, the better question would probably be, “what can’t be spoofed?” Although there are many different types of credentials scammers can spoof to convince you that they’re someone they’re not, below we’ll go over the most common types of spoofing, detail how they’re usually used and explain how you can protect yourself from each type.

Email spoofing

What it is: Email spoofing specifically refers to the alteration of an email header (usually the from or sender field), so that an email appears convincing to a potential target. While someone with some technical expertise might be able to poke around a spoofed message to identify its exact origins, to the average person, the email will look legitimate, as phishers often use real email addresses in their forged headers. If the spoofer has done their research, the message will not only come from an email address their victim recognizes, but also the tone of the message will usually accurately emulate the sender they’re imitating. This, of course, like most social engineering attacks, makes victims lower their guard and more easily fall into a scammer’s trap.

Used in: Email spoofing is most commonly used in spear phishing and whaling as well as 411 scams and other email fraud.

Combating it: Knowledge is power, as they say, and simply knowing that email headers can be spoofed should give you pause whenever reading an email. If someone you know makes a strange request of you, don’t just comply. Even low-tech solutions, like calling a contact whenever you’re not sure if you’ve actually received an email from them, are a great way to circumvent the uncertainty that phishing takes advantage of.

Phone & SMS spoofing

What it is: If you’ve ever gotten a call from a telemarketer or a scammer, you’ve probably already seen caller ID spoofing in action. Using modern technology, callers can mask their number by either making up numbers or using existing or unassigned numbers. This type of spoofing is especially dangerous when combined with social engineering. Imagine your phone’s caller ID noting a caller as the local police and then when you pick up the phone, you’re yelled at and threatened with jail time. For someone not familiar with these types of scams, it can be very disorienting to say the least. It’s worth noting that text messages can be spoofed in much the same way, so be on the lookout for suspicious messages purportedly coming from friends, family and any other trusted sources.

Used in: Phone & SMS spoofing is often used in tech support scams, IRS scams and other voice phishing/SMS phone scams.

Combating it: While spoofing is dangerous, it becomes less threatening the more informed you are. That isn’t to say that being aware of the potential to be scammed over the phone means you’ll never get scammed again, but awareness does breed the kind of caution likely to help you stay safe. Keep in mind that most respectable businesses and individuals won’t call you out of the blue to give you free offers, support or threats. This means that you should never expect an unsolicited call from Microsoft, the IRS or cruise lines.

Website spoofing

What it is: Website spoofing refers to several scenarios in which a scammer lures unwitting victims to a page of the scammer’s own creation. It’s usually one that resembles a page you’d actually visit or a page that you intended to access (e.g., your bank’s website). Scammers can accomplish this in several ways, from controlling or redirecting your web requests to emailing you a link to a duplicate website with a nearly identical name. We’ve talked about fake websites before, and most fake websites and pages fall under this category of spoofing.

Used in: Website spoofing is usually involved in typosquatting, pharming and other fake website setups.

Combating it: This is perhaps the hardest type of spoofing to fight against, especially without technical knowledge. Knowing about website spoofing and paying attention to your surroundings on the Internet are some of the best ways to stay safe, though. You should always type in web addresses that you want to visit instead of clicking on links in emails or ads you may come across. Additionally, remember that most websites requiring sensitive information have OV or EV SSL certificates which are displayed in the URL bar of most browsers (don’t just look for HTTPS encryption, as even scammers are adopting basic encryption onto their pages). You can also Google or perform a WHOIS lookup on any URLs that have been shared with you. While these tactics aren’t 100% foolproof, in most cases, they should be more than enough to keep you safe.

Cybersecurity is becoming increasingly important in a world that’s getting more technologically advanced. Keep reading our technology blog for the latest tips on how to keep your identity safe online.