Spoofing is a type of scam in which a criminal disguises an email address, display name, phone number, text message, or website URL in order to fool a victim into thinking they are interacting with a known, trusted source.
Spoofing frequently entails changing just one letter, number, or symbol of the communication so that it appears valid at first glance. For example, you may receive an email purporting to be from Netflix but using the bogus domain name "netffix.com".
How Does Spoofing Work?
Spoofing criminals attempt to gain your trust by convincing you that the spoofed communications are legitimate. Using the name of a large, trusted company, such as Amazon or PayPal, is often enough to entice targets to take action or reveal information.
A fake email from Amazon, for example, may indicate a problem with a recent purchase, which may entice you to click on the link to learn more (hint: don't click on the link). You could download malware or be directed to a fake login page, where you enter your username and password unknowingly.
Spoofing can cause you to reveal personal and financial information, send money, and download malware, which can infect your computer.
Email spoofing, text message spoofing, caller ID spoofing, and URL and GPS spoofing (more on these further in the blog) are all examples of spoofing. Spoofers are essentially attempting to scam their way into any form of online communication - and thus into your identity and assets.
What Is the Difference Between Spoofing and Phishing?
The terms “spoofing” and “phishing” are often used interchangeably, but they mean different things. Spoofing uses a fake email address, display name, phone number or web address to trick people into believing that they are interacting with a known, trusted source.
Phishing tricks you into providing personal data that can be used for identity theft. Many phishers use spoofing tactics to trick their victims into believing they are providing personal information to a legitimate, trusted source.
Types of Spoofing
Email Spoofing
Email spoofing is the act of sending emails with false sender addresses, typically as part of a phishing attack intended to steal your data, ask for money, or infect your computer with malware. This tactic is used by both dishonest advertisers and outright thieves.
The spoofer sends emails with a falsified “From:” line to trick victims into believing that the message is from a friend, their bank, or some other legitimate source. Any email that asks for your password, Social Security number, or any other personal information could be a trick.
These emails typically include a combination of deceptive features, including:
False sender addresses that look like someone you know and trust
A missing sender address, or at least one that is hard for the average user to find
Familiar corporate branding, such as logos, colors, call-to-action buttons, and the like
Typos, bad grammar, and unusual syntax (e.g., “Good day sir, please made certain this data is well and good”)
Text Message Spoofing
Sometimes referred to as smishing, text message (SMS) spoofing is similar to email spoofing. The text message appears to come from a legitimate source, such as your bank or a doctor’s surgery. It may request that you call a specific phone number or click on a link within the message to get you to divulge personal information.
Caller ID Spoofing
Here, the spoofer falsifies the phone number from which they are calling in the hope of getting you to take their call. On your caller ID, it might appear that the call is coming from a legitimate business or government agency.
URL or Website Spoofing
URL spoofing happens when scammers set up a fraudulent website to obtain information from victims or install malware on their computers. For instance, victims might be directed to a site that looks like it belongs to their bank or credit card company and be asked to log in using their user ID and password. If the person falls for it and logs in, the scammer could then use the information that the victim typed in to log into the real site and access their accounts.
GPS Spoofing
GPS spoofing has a somewhat different purpose. It attempts to trick a GPS receiver into believing it is in a different location or headed in a different direction by broadcasting bogus GPS signals or other means. At this point, GPS spoofing is more likely to be used in warfare or by gamers (e.g., Pokémon GO players) than to target individual consumers, although the technology exists to make anyone vulnerable.
IP Spoofing
This type of scam happens when someone wants to disguise or hide the location from which they’re sending or requesting data, so they replace the source Internet Protocol (IP) address with a fake one.
The spoofed IP address looks like it’s from a trusted source (the original IP address) while masking its true identity: an unknown third party.
Virtual private network (VPN) services also allow users to mask their IP address and location, which can be done for legitimate reasons such as privacy or streaming content when traveling overseas.
Facial Spoofing
This is the latest form of spoofing. With facial spoofing, a criminal uses a photo or video of a person’s face to simulate their facial biometrics and impersonate them. Facial spoofing is most commonly used to commit bank identity fraud. However, it is also used in money laundering.
Adopting controls and NCSC guidance
Email spoofing is a technique used by criminals in support of phishing campaigns or more targeted attempts to breach an organisation.
The adversary's aim of sending a spoofed email is normally to trick an employee into visiting a website to divulge information or infect their device with malware.
Many organisations have adopted controls like SPF, DKIM and DMARC, and as a result it's getting more difficult to spoof an email from their domains.
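The alignment rule that makes SPF and DKIM effective against a forged “From:” line is DMARC’s: at least one identifier that passed (the SPF envelope-sender domain or the DKIM signing domain) must belong to the same organisational domain as the visible From: address. The following is an added example, not code from the original article; it assumes the receiving mail server has already recorded SPF and DKIM verdicts in an Authentication-Results header, uses a crude “last two labels” notion of organisational domain in place of a public-suffix list, and adds a Levenshtein check against a small constructed list of trusted brands to flag one-character lookalikes such as the “netffix.com” example above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spoof: the display name says Netflix, the From: domain is a
# one-letter lookalike, and the identifiers that passed SPF/DKIM belong to a
# third domain, so neither aligns with From: (a DMARC failure).
SAMPLE_SPOOF = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=pass header.d=mail-relay.example
From: "Netflix" <billing@netffix.com>
"""

# Constructed legitimate message: SPF fails (e.g. forwarded), but DKIM passes
# for the From: domain itself, which is enough for DMARC.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example; spf=fail smtp.mailfrom=bounce.example; dkim=pass header.d=netflix.com
From: Netflix <info@netflix.com>
"""

TRUSTED_BRANDS = {"netflix.com", "amazon.com", "paypal.com"}  # constructed list

def org_domain(domain):
    """Crude organisational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted brand within edit distance 1 of `domain`, else None."""
    return next((b for b in TRUSTED_BRANDS if domain != b and edit_distance(domain, b) <= 1), None)

def assess(raw):
    """Relaxed DMARC alignment: a passing SPF or DKIM identifier must share From:'s org domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "")
    verdicts = [re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", auth),
                re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", auth)]
    aligned = any(m and m.group(1) == "pass" and org_domain(m.group(2)) == org_domain(from_domain)
                  for m in verdicts)
    return {"from_domain": from_domain, "dmarc_aligned": aligned, "lookalike_of": lookalike_of(from_domain)}
```

A real DMARC evaluator would additionally fetch the sender domain’s `_dmarc` TXT record to learn the policy (none, quarantine or reject) and whether strict or relaxed alignment is required; this example stops at the alignment decision itself.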
As well as implementing anti-spoofing controls, there has been an increase in support for TLS on email servers used by the public sector. The vast majority of public sector email servers now support receiving email over TLS, and the NCSC have been helping the organisations responsible for those that don't to fix this.
The NCSC’s advice is derived from some of the lessons they have learned in the public sector. The Government Digital Service have helped distill this advice into something that should be useful for many other sectors. Their aim is to keep this guidance current and accurate.
Report all fraud and cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (which spells SPAM on the keypad).