Understanding Spoofing and How to Stay Protected

LastPass | Published July 03, 2024

Donning a disguise makes sense when you’re a superhero and need an easy way to identify your role in fighting crime. There’s a big difference when you’re masquerading as someone else in order to deceive, steal data or worse – a cybersecurity tactic otherwise known as spoofing.  
What Is Spoofing?

Given how widely it is practiced among hackers and other cybercriminals, it’s a good idea to understand what spoofing is and how it works in order to defend your organization.  

Definition and explanation of spoofing

Spoofing is a technique whereby a rogue third party attempts to impersonate someone known to their victim. This could be a person, such as a friend or family member. Spoofing attacks can also involve a threat actor trying to pass themselves off as a government entity, a financial institution or even their target’s employer.   

By fooling the target into believing they’re dealing with someone they trust, attackers often use spoofing to gain online credentials such as passwords, files or other data that should otherwise stay protected.  

Spoofing is similar to, and is often treated as a form of, phishing, though the latter attack doesn’t necessarily require impersonating a third party and can involve other tactics. 

Common examples of spoofing

Although it can take many forms, spoofing attacks will often involve sending someone an email that looks like a known entity, or directing someone via text message to a web site that looks similar to a legitimate company or institution. Some spoofing attacks are also conducted via phone calls pretending to come from a trusted source, and it may be difficult to spot them if you’re not careful.  

How spoofing can impact individuals and businesses

A successful spoofing attack can lead to real damage for an individual or a business. By providing account details and logins, for instance, a spoofing attack victim could wind up having personal information or even their money stolen.   

The impacts on businesses can be even more wide-ranging. A single spoofing attack could give cybercriminals a way to penetrate corporate networks, inject them with malware or ransomware, and install advanced persistent threats (APTs).

How Spoofing Works

One of the most worrying aspects of a spoofing attack is how easy it can be to prey upon victims using basic psychology and subtle trickery.   

Techniques and methods used in spoofing attacks

A spoofing attack usually begins by the target receiving some form of communication from cybercriminals that asks them to provide information.  

If the attackers are successful, the target either clicks on links that redirect them to sites that capture sensitive data, or relays the information verbally over the phone.

Attackers can then make use of the data and system access they’ve gained without the victim necessarily being aware until it’s too late and negative consequences have occurred.

Understanding the vulnerabilities exploited by spoofers

Those behind spoofing attacks are well aware that people are busy and don’t always take the time to carefully inspect every piece of communication they receive. They also know we tend to trust familiar names, logos and other details that can easily be replicated, even if they aren’t always perfectly executed.  

A spoofing attack will usually create a sense of urgency or fear by indicating a problem that requires immediate action. This also leads targets to hand over information before conducting the proper due diligence.  

Real-life scenarios illustrating the process of spoofing

Some examples of spoofing attacks could include getting an e-mail claiming to come from your streaming provider’s customer support team, indicating your service will be cut off unless you update your credit card details on your account.  

In other scenarios, cybercriminals might impersonate a government agency and call targets suggesting there’s an issue with their tax return, directing them to hand over social security numbers or other personally identifiable information (PII).

Types of Spoofing

Cybercriminals are nothing if not inventive, and they have a long history of conducting spoofing attacks using every digital channel you can imagine. Here’s a rundown of some common tactics to watch for:   

Email spoofing and its implications

Many of us live in our inboxes, sending and receiving messages so often that a spoofing attack is easy to overlook. However, clicking on a bogus URL or replying with credentials could be the first step in a phishing scheme that leads to an organization-wide data breach.   

Caller ID spoofing and its impact on phone scams

Your phone rings and you glance down to see the name of your financial institution on the screen. You answer it and, even if it’s a robotic voice on the other end, the request to deal with an account error could easily lead to identity theft or other repercussions, including those that affect other customers of the same bank, insurance company or credit union.  

GPS spoofing and potential consequences for navigation systems

You might assume your GPS is safe from hackers, but that’s not the case. By sending incorrect information to a radio transmitter, attackers can override legitimate signals. This can steer drivers off course when they’re making essential deliveries or even responding to emergencies.  

Website Spoofing

Imagine clicking on a link that doesn’t use the IP address of a real retailer but looks like one where you’ve shopped in the past. Just a simple request like asking you to update your password could give those behind the spoofing attack direct access to your actual account with that retailer, opening the door to further negative impacts.  

DNS Spoofing

Sometimes called cache poisoning, DNS spoofing manipulates DNS records to direct targets to a bogus site. This allows cybercriminals to carry out the web site spoofing attacks described earlier in this section.   

SMS Spoofing

Retailers, airlines and many other organizations routinely reach out to customers with text notifications and updates that matter to them. By making the name and number look like one of those retailers, attackers can send fraudulent messages and encourage targets to give information related to their purchase histories or accounts. 

Neighbor Spoofing

Even if you don’t immediately recognize the number of an incoming call, you may be more likely to answer if you see recognizable details, such as the area code in which you live. Neighbor spoofing takes a local approach to increase the odds of a successful attack.

IP Spoofing

Hackers can easily create Internet Protocol (IP) packets that often do one of two things: replicate the IP of a known entity or simply hide the source address. Either approach can make it more difficult to detect that an attack is under way.

Facial Spoofing

Biometric security is now common on laptops, smartphones and other devices. Unfortunately, threat actors can sometimes get past these protections by using a photograph or 3D model of a legitimate user’s face. This can allow the system to misidentify a user and allow rogue third parties illegal access.  

Detecting Spoofing Attempts

The good news is that with some care and attention, as well as the right tools, you can often spot spoofing attacks in the wild and mitigate the damage they cause.   

Signs and indicators of a spoofing attack

Before acting on what you see in an email, check for unusual spellings, generic-sounding greetings or other inconsistencies that a trusted party is unlikely to make. If it’s a caller ID spoofing attack, you might become suspicious if you’ve never gotten a call from that entity before, or if the number seems unfamiliar. Generally speaking, if something seems fishy about what you’re seeing or hearing, it’s best to proceed with extreme caution.  

Tools and technologies to detect spoofing

Your IT team may have also taken measures to reduce the chance of a spoofing attack. These could include the use of intrusion detection systems, firewalls and tools that analyze network traffic to look for anomalies or unexpected activity.   

Steps to take when you suspect spoofing

The moment you believe you’re being targeted with a spoofing attack, make sure you don’t provide any of the information being requested.  

If this is happening at work, immediately inform your IT department, manager or any other stakeholder that should be apprised of the situation. This could prevent your coworkers from falling victim to spoofing attacks.  

Individuals or organizations can also file a complaint with the Federal Communications Commission (FCC) so it can be added to a database of similar threats. In the event of financial theft or other serious impacts, contact law enforcement authorities as well. 

Is Spoofing Illegal?  

You might wonder if being duped by scammers is just part of life, and that there’s little recourse but to move on. Fortunately, legal authorities are slowly catching up.    

Understanding the legal implications of spoofing

Though few states have specific laws to protect against spoofing, attacks conducted via caller ID are prohibited under FCC rules and can lead to fines. There can also be legal implications for impersonating public figures and institutions, especially if the intent is to defraud people of information or money.  

Laws and regulations related to spoofing

The FCC's Truth in Caller ID Act includes provisions specifically against displaying false information to cause harm, defraud or steal something of value.  

Examples of high-profile spoofing cases

Some of the classic cautionary tales involving spoofing include the NotPetya attacks of 2017, which began via bogus messages purporting to come from a Ukrainian accounting software company.  

This followed a notorious attack on an Austrian aerospace company called FACC when employees fell for messages masquerading as those coming from their CEO.  

Perhaps worst of all was an attack involving Google and Facebook that fooled employees into paying bogus invoices and other financial claims.   

Protecting Yourself from Spoofing

There’s no reason to add to the history of successful spoofing attacks. Here’s what to do instead:  

Best practices and tips to prevent spoofing attacks

As always, employee training is one of the most important lines of defense for any organization. Sharing this post, for example, could be the first step in helping raise awareness of what spoofing is and how it works.   

How to identify and avoid phishing attempts

Make sure employees take the time necessary to confirm they’re dealing with known senders or callers when communicating with third parties.

If there’s any reason to be suspicious, they should not click on links or open attachments, especially if they were unsolicited.   

Using filtering tools can also help reduce the flood of messages coming from attackers and have them go into the spam folder instead.  

Using multi-factor authentication for enhanced security

Spoofing attacks are a good example of where multi-factor authentication (MFA) provides a lot of value. Even if a target innocently handed over a name and password, for instance, MFA might require that a cybercriminal use a code that is only sent to the target’s inbox or answer a security question that they might not know.  

Using a password manager

A password manager is another great solution to combat spoofing attacks. Besides storing sensitive credentials, these tools can be configured to only offer access to those coming from verified domains or prohibit forms from auto-filling with sensitive information.

With that in mind, start your LastPass trial and put fears of spoofing attacks to rest. 

FAQ

Does spoofing mean hacked?

No, spoofing doesn’t mean you’ve been hacked. The primary difference lies in the degree of access.

Spoofing involves a scammer impersonating a known entity to deceive you into taking risky actions. They have no direct access to your accounts or data.

Meanwhile, hacking involves a scammer gaining actual access to your accounts and performing illegal actions like data exfiltration and unauthorized money transfers.

Can I stop my phone number from being spoofed?

While it’s impossible to completely stop your number from being spoofed, there are steps you can take to protect yourself:

  • If you suspect your number has been spoofed, file a complaint with the FTC.
  • Temporarily restrict outgoing phone calls to just your phone contacts.
  • Make your voicemail box password-protected to ensure that scammers can’t access your voice mails.
  • If your number hasn’t been spoofed yet, consider using a data removal service to delete your number from various online sites.

How can users protect themselves from domain spoofing?

In a domain spoofing attack, your information may be stolen when you click on a malicious link that redirects you to a scam website.

There are three easy ways to protect yourself from domain spoofing:

  • Avoid clicking on links or attachments from unknown email or text senders.
  • Enable multi-factor authentication (MFA) to add another layer of security to your accounts.
  • Use a password manager that only autofills your login credentials on verified websites.
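
The host check behind "only autofills on verified websites" (this answer and the "Using a password manager" section above) can be sketched as follows. This is an added example, not LastPass code: the matching policy (HTTPS only, exact host or a subdomain of the saved host) is an assumption, and every hostname is constructed from reserved `.example`/`.test` names.

```javascript
// Added example: autofill gate based on host matching. Hostnames are constructed
// (.example/.test are reserved names); the policy itself is an assumption.

// Return the lowercase ASCII host of an https URL, or null if unusable.
function normalizeHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  // The URL parser lowercases the host and converts non-ASCII labels to
  // punycode (xn--...), so look-alike characters never compare equal to ASCII.
  return url.hostname.replace(/\.$/, '');
}

// Decide whether a login saved for savedUrl may be filled on pageUrl.
function mayAutofill(savedUrl, pageUrl) {
  const saved = normalizeHost(savedUrl);
  const page = normalizeHost(pageUrl);
  if (!saved || !page) return { fill: false, reason: 'not a valid https URL' };
  if (page === saved) return { fill: true, reason: 'exact host match' };
  if (page.endsWith('.' + saved)) return { fill: true, reason: 'subdomain of saved host' };
  if (page.split('.').some((label) => label.startsWith('xn--'))) {
    return { fill: false, reason: 'non-ASCII host differs from saved host' };
  }
  if (page.includes(saved)) {
    return { fill: false, reason: 'saved host embedded in another domain' };
  }
  return { fill: false, reason: 'different host' };
}

// Constructed sample pages, checked against a login saved for shop.example.
const SAVED = 'https://shop.example/login';
const SAMPLES = [
  'https://shop.example/account/password',
  'https://login.shop.example/',
  'http://shop.example/login',
  'https://shop.example.account-update.test/login',
  'https://sh\u03bfp.example/login', // Greek omicron in place of "o"
  'https://sh0p.example/login',
];
for (const page of SAMPLES) {
  const { fill, reason } = mayAutofill(SAVED, page);
  console.log(`${fill ? 'FILL ' : 'BLOCK'} ${page}  (${reason})`);
}
```

Because the decision is made on the parsed host rather than on how the page looks, a convincing copy of a login form on any other host gets no credentials offered.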