top of page

Spoofing: How to spot it and protect yourself

We've put together a guide explaining what spoofing is, how it works, and how you can protect yourself - using advice based on guidance from UK police, Action Fraud and the National Cyber Security Centre (NCSC).


ree

Spoofing is one of the most common tools used by scammers today. It works because criminals know that people trust what they see on caller ID, trust emails that look familiar, and trust text messages that appear to come from well-known organisations.

 

What Is Spoofing?


Spoofing is when a criminal falsifies information to make it look like a call, text message, email or website is coming from someone you trust.


Common examples include:


  • A phone call displaying your bank’s number

  • A text message appearing in the same thread as genuine messages from Royal Mail or NHS

  • An email that looks like it came from a colleague, your boss, or a well-known company

  • A website that looks identical to a legitimate one but is set up to steal login details


Spoofing is almost always used as part of a scam - a way to pressure or trick you into paying money, giving personal information, or granting access to accounts.


Why Spoofing Works


Criminals rely on:


  • Trust - If the number looks right, people assume the call is genuine

  • Familiarity - Fake messages drop into real text threads

  • Urgency or fear - “Your account is at risk”, “This is the police”, “A parcel can’t be delivered”

  • Authority - Pretending to be a bank, government body, or tech support


The technology needed to spoof numbers or emails is cheap and widely available — making these scams common in the UK.


Common Types of Spoofing


1. Number (Caller ID) Spoofing


Calls appear from your bank, HMRC, the police, NHS, or even a trusted family member. The goal: Persuade you to transfer money, share security codes, or “verify” personal details.


2. Text Message Spoofing (Smishing)


Fake texts appear inside legitimate message threads. The goal: Get you to click malicious links, provide personal data, or enter banking details.


3. Email Spoofing


The sender name and email address are faked. The goal: Trick you into paying fraudulent invoices, resetting passwords, or downloading malware.


4. Website Spoofing


A fake website mimics a real one. The goal: Steal login credentials or payment details.


How to Spot Spoofing


Red Flags for Calls


  • You are pressured to act immediately

  • You’re asked for passwords, PINs, security codes or to move money

  • The caller claims to be from the police, your bank, or a government department

  • You’re told to “stay on the line” when you try to call the organisation back


Red Flags for Texts


  • Links that look odd or slightly misspelled

  • Messages about deliveries, refunds, or account issues you aren’t expecting

  • Requests for personal or financial information


Red Flags for Emails


  • Spelling or grammar errors

  • Unexpected attachments or links

  • Email addresses that look close to real ones but are subtly altered

  • Pressure to act quickly (“urgent”, “final warning”, “invoice overdue”)


ree

How to Protect Yourself


1. Never trust the number that appears on your phone


Banks, police, HMRC, and major organisations cannot be trusted based solely on caller ID - it can be faked in seconds.


2. Hang up and contact the organisation using a verified number


Use a number from an official website or bank card. Important: Wait at least 30 seconds after hanging up, or use a different phone, as scammers can stay connected on the line.


3. Don’t click links in unsolicited texts


If it appears to be from Royal Mail, NHS, GOV.UK, your bank, or a delivery company, visit the official website manually instead.


4. Never share banking passwords, PINs or one-time security codes


Genuine organisations will never ask for these - including banks and the police.


5. Enable extra security features


Such as:

  • Two-factor authentication

  • Email security checks

  • Updated systems and apps


6. Spread awareness


Talk to friends, family and colleagues, especially those less familiar with scams.


What to Do If You Think You’ve Been Targeted


If you responded to a suspicious call, text or email:


  • Contact your bank immediately

  • Change any passwords you may have shared

  • Enable two-factor authentication

  • Check accounts for unusual activity


Report it (this helps stop further scams):


  • Suspicious texts: Forward to 7726 (free spam-reporting service)

  • Suspicious emails: Forward to report@phishing.gov.uk (NCSC)

  • Fraud or attempted fraud: Report to Action Fraud

  • If money has been lost: Contact your bank and report to the police via 101


Key Message


Just because a message or call looks real doesn’t mean it is. Spoofing is designed to make you trust what you see - so trust your instincts instead. If something feels off, pause, hang up, and verify using official contact details. Staying cautious is one of the strongest protections you have.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


 
 
 

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page