What is spoofing? 

Spoofing is the criminal act of disguising a communication from an unknown source to appear as if it’s being sent from a trusted and known contact. The ultimate goal of spoofing is to get the target to share their sensitive information and/or their money with the scammer. For example, a spoofer may pretend to represent a victim’s credit card company and lead them into sharing their account details.

Types of spoofing

Cybercriminals have a variety of ways to pull off their spoofing. Here are the more common forms:

1. Email spoofing

In email spoofing, an attacker sends an email message appearing to be from a known or trusted source. The emails typically include links to harmful websites or attachments that will infect the victim’s device with malware. Alternatively, the scammer may use social engineering to persuade the recipient to share sensitive information.

2. IP spoofing

In IP spoofing, an attacker tries to gain access to a system by sending messages via a bogus or spoofed IP address, which appears to be from a recognized, trusted source, such as one on the same internal computer network. The spoofed IP address will mask the true source, which is a third party that is out to infect the victim’s device with malware and steal their information.

3. Caller ID spoofing

Here, attackers make a phone call to a target that appears to be from a known caller. The scammer will often pose as the victim’s bank or credit union. The victim, believing they are speaking with a representative of their financial institution, will disclose their account information and even passwords, which can lead to the scammer emptying their accounts and/or stealing their identity. Sometimes, the scammer will provide the victim with a phone number to call, which will allegedly connect them with their bank or credit union. This number, of course, will only connect the victim to a scammer.

4. Facial spoofing

In this most recent form of spoofing, a scammer uses a photo or video of a target’s face to simulate their facial biometrics. This enables them to unlock accounts that can only be opened via facial recognition.

5. Website spoofing

In website spoofing, a scammer will create a bogus site that looks just like a reputable website that the victim often visits. Attackers will lure victims to this site for the purpose of stealing their login credentials and personal information.

6. Text-message spoofing

In this scam, also known as smishing, a victim will receive a text message on their personal device appearing to have been sent via a trusted source, such as the victim’s financial institution, place of work, or doctor’s office. The text will ask the victim to share personal information. They’ll often do so, mistakenly believing the sender of the text message to be who they claim to be.

7. Man-in-the-Middle (MitM) attacks

There are three players involved in MitM attacks: the victim, the party the victim is attempting to communicate with, and the “man in the middle”, otherwise known as the scammer who is intercepting the communications. In these spoofs, the scammer tries to eavesdrop on the interaction between the victim and the other party. Alternatively, they may try to impersonate the other party to get at the victim’s personal information.

Deepfakes and spoofing

Deepfakes is a relatively new and dangerous tool for spoofers. A deepfake is a fake image, video, or audio clip that has been edited to appear authentic. For example, a scammer may create a deepfake video using an image and audio recording of a celebrity and make it appear as if they are telling you to open a link or support a specific cause.

Scammers use deepfakes to trap victims and appear as if they represent a trusted source.

Protect yourself

Spoofing is a formidable danger for consumers across the economic spectrum, but with the right tools and knowledge, you can avoid falling victim to these scams. Here’s how to protect yourself from a spoofing attack:

• Turn on your email’s spam filter and be sure to mark incoming emails that look suspicious as spam.
• Use two-factor authentication and/or biometric logins when possible.
• Use strong, unique passwords across all of your accounts.
• Ensure your device’s security system is at its strongest setting and uses the most updated patches. If you haven’t already done so, it’s worthwhile to invest in robust security software.
• Never click on links or open attachments that are sent from an unverified source.
• Never share personal information online or over the phone with an unknown contact.
• If you’re allegedly contacted by your financial institution and asked to provide your login credentials or account details to fix a supposed issue with your account, don’t respond. Instead, delete the message or abort the call and contact your bank or credit union directly to ask about any possible issues with your account.
• Don’t take phone calls at face value, even with caller ID. If you suspect foul play, Google the phone number presented on the caller ID to see if it’s associated with scams.
• Consider an app, like Hiya, that filters out known scammers, spoofers, and other nefarious numbers.
• Opt to display file extensions in Windows. This will enable you to view any spoofed extensions so you can avoid opening malicious files.
• Identify deepfakes by looking for small details that give them away. Zoom into the image or video to verify if the words and lip movements are in sync. Look for lip color that looks unnatural, unrealistic facial hair, exaggeratedly wrinkled or smooth skin, and non-existent moles.

Red flags

Look out for these red flags that can alert you to a possible spoofing attack:

• Websites with a URL that is very similar to the URL of a reputable site.
• Websites riddled with typos, unusual syntax, and spelling errors.
• An alleged rep of your bank or credit union asks you to call a number that is not associated with your financial institution.
• You’re asked to share your login credentials or account number with an unverified contact.
• Familiar corporate branding, such as logos, colors, and call-to-action buttons within a message asking you to take an action that is not typical.

If you’ve been targeted

If you believe you’ve shared sensitive information with a scammer through a spoofing attack, there are steps you can take to mitigate the damage.

First, contact your financial institution to let them know about the attack. You may place a credit alert or a credit freeze on your accounts, making it difficult or impossible for a scammer to open a line of credit or take out a loan in your name. If you believe your identity has been stolen, check out identitytheft.gov to learn what your next step should be. Finally, change the passwords on all your accounts to protect them from further attacks.

Spoofing has gotten a lot more dangerous in recent years, but with proper awareness and basic protective measures, you can avoid getting scammed. Use the tips outlined here to stay safe.