
Spoofing vs Phishing: What Are the Differences?

LastPass, published August 28, 2024

Phishing is the most common data breach vector, and phishing attacks cost companies $4.76 million on average, according to IBM.  

Spoofing is an attack technique often leveraged by attackers to improve the efficacy of phishing and other attacks. While the concepts are closely related, they're not the same. Here's a look at spoofing and phishing basics, how they're different, where they overlap, and what organizations can do to protect against these threats. 

Understanding Spoofing 

Spoofing is all about disguise and deception. The goal of spoofing is to convince victims that they're interacting with or responding to a legitimate user or company, in turn increasing the chance that they'll share sensitive data or click on links. 

Definition of spoofing 

According to the FBI, "spoofing is when someone disguises an email address, sender name, phone number, or website URL". These changes are often extremely small in hopes of going unnoticed. For example, if employees regularly receive emails from bigcompanyIT@support.com, attackers might spoof this email and send messages from bigcompanyIT@suport.com. The missing "p" in support isn't impossible to spot, but at a glance, it may convince users that they're interacting with legitimate tech support. As a result, attackers may get users to share their login details or click on malicious links that download malware or send them to infected websites. 

Common types of spoofing attacks 

Some common types of spoofing attacks include: 

Email spoofing 

Email spoofing creates legitimate-looking email addresses by altering sender addresses or mimicking known sender names and email addresses.  

Domain spoofing 

Domain spoofing creates a fake website address that resembles the actual site. For example, thisisarealwebsite.com becomes thissarealwebsite.com. Almost the same, but missing an "i". 

Website spoofing 

Website spoofing takes domain spoofing a step further by creating a website page that looks like its legitimate counterpart, complete with color schemes, logos, and links.  

IP spoofing 

IP spoofing uses fake IP addresses to make it appear as though emails are coming from a different location or user. 

Examples of spoofing in the digital world 

As noted by The Hacker News, an email routing flaw in a popular security product made it possible for threat actors to send more than 14 million spoofed emails. These emails supposedly came from companies such as Best Buy, IBM, Nike, and Disney, and were designed using familiar logos and other branding trademarks. This large-scale spoofing attack also lent credibility since users receiving these messages had an email security solution in place.   

Understanding Phishing 

Phishing is an attack vector that uses the bait of seemingly legitimate messages to convince users they should click on links or respond with personal or confidential information. It remains the most popular form of compromise thanks to sheer volume — while very few phishing attacks succeed, all it takes is one click for attackers to gain access or steal data.  

Definition of phishing 

Phishing uses massive quantities of generic emails to prompt user action. For example, an employee might receive an email stating that they've won a prize or that their account has been suspended. If they believe the message's contents, they may be convinced to click on a malicious link and supply username and password data, or download an attachment that contains malicious code. 

Common techniques used in phishing attacks 

Some common techniques used in phishing attacks include: 

Spear phishing 

Spear phishing targets specific individuals within an organization using social engineering to create fake email conversations and encourage victims to provide sensitive information or share secure data.  

Smishing 

Smishing uses text messages rather than emails as the threat vector with the intent of convincing users to visit a website and download malicious content.  

Clone phishing 

Clone phishing sends duplicates of legitimate emails in hopes of convincing users to click on malicious links or download attachments. For example, attackers might send a duplicate tracking email that contains an attachment that carries malware.  

Business email compromise (BEC) 

BEC sees attackers compromise a business account and then use this account to compel action from other employees. This type of attack is harder to spot because attackers aren't spoofing an email address — they're using the real thing without the knowledge or consent of the account owner. 

Real-life examples of successful phishing attempts 

Between 2013 and 2015, Facebook and Google lost more than $100 million to a BEC attack spearheaded by a Lithuanian man named Evaldas Rimasauskas, who forged emails from a Taiwan-based company that had partnerships with both Google and Facebook. He created fake invoices and contracts that were convincing enough to cost the companies millions. 

In a more recent example, a finance worker with an international company was tricked by a phishing video that used deepfake technology to create a facsimile of the company's chief financial officer (CFO) and other staff members. The fake video led the staff member to pay fraudsters $25 million.  

The Differences Between Spoofing and Phishing 

While spoofing and phishing both focus on tricking users into believing they represent legitimate businesses or individuals, these compromise efforts aren't identical.  

Key characteristics that differentiate spoofing and phishing 

Phishing is a type of attack. Phishing efforts are designed to create a sense of urgency or convince users that the message they've received is legitimate. Phishing aims to hook users and compel users to take a specific action, such as opening an attachment or clicking on a link. 

Spoofing is an attack technique that helps improve the efficacy of phishing or other attack vectors. For example, a phishing email from totallynotascam@fake.com will set off both security system warning bells and naturally make employees suspicious. A spoofed email that seemingly comes from a user's bank — thebigUSAbank@accounts.com — is far more likely to prompt action. If a user opens their email account and sees an email that says "URGENT: ACCOUNT COMPROMISED" and the sender address is thbigUSAbank@accounts.com, the missing "e" may just go unnoticed.  

How spoofing and phishing attacks are executed 

Spoofing and phishing attacks share similar execution patterns. The most common channel in both cases is email: spoofed messages make for much more convincing phish. Spoofing attacks are all about imitating users, companies, or other trusted sources, whether this imitation happens via email, websites, or IPs.

Phishing, meanwhile, leverages multiple techniques to achieve its aim. These may include social engineering attacks that leverage research to increase the likelihood of user action, or large-scale generic email attacks that feature obviously fake email addresses but rely on accidents or misclicks by users to breach business networks.  

Potential consequences for individuals and organizations 

Spoofed messages are similar to identity theft in that they impersonate individuals or companies. If spoofing techniques lead to compromise, spoofed companies may find themselves under fire from compromised organizations even though they had nothing to do with the attacks. Individuals, meanwhile, may find their credibility damaged if their name and email are being used to trick employees.

Phishing attacks, meanwhile, can lead to everything from user account compromise to lost or stolen data, ransom demands, or the creation of digital backdoors that allow attackers to access business systems on demand. As a result, phishing can cost companies millions in both money and resources required to identify attack root causes, eliminate infections, and remediate network environments.  

Similarities Between Spoofing and Phishing 

Spoofing and phishing also share several similarities, such as: 

Threat to personal information 

Both phishing and spoofing attacks threaten personal information. In the case of spoofing, attackers may impersonate friends or business partners to trick users, while in phishing attacks, malicious actors often look to steal credentials and take over employee accounts.  

Malicious intent 

Spoofing and phishing efforts are malicious. They're designed to trick users into trusting untrustworthy sources or taking action that could harm themselves or their companies.  While the severity of impact varies, both spoofing and phishing are designed to cause harm.  

Use of social engineering 

Both approaches may also use social engineering. In the case of spoofing, social engineering takes the form of creating fake emails or websites that users are familiar with or naturally trust. These might include a popular media or banking website or emails that supposedly come from close friends or colleagues.  

Phishing attacks — especially targeted techniques such as spear-phishing — leverage research to enable social engineering. Attackers may spend weeks or months researching their targets before making contact, enabling them to create a convincing backstory that encourages employees to let their guard down. 

The use of a fake identity 

Finally, fake identities are a core component of both approaches. In the case of spoofing, these identities are modeled on real people or companies. In the case of phishing, fake identities may be spoofs of the real thing or may be tied to people or companies that don't exist — they simply look real on paper.  

Protecting Yourself Against Spoofing and Phishing 

To protect against spoofing and phishing, companies need techniques to identify and avoid these attacks, strengthen email security, and boost overall protection.

Best practices for identifying and avoiding attacks

There are several best practices for identifying and avoiding these attacks. 

First, businesses need to educate employees about common spoofing and phishing techniques, such as emails that seem legitimate but demand immediate action, or messages that appear to be from known contacts but arrive unexpectedly or read oddly.

Next, companies need to create a culture of reporting: If something seems strange, staff should be encouraged to report it, even if this means reduced performance or project delays.  

Finally, organizations need to deploy email security solutions capable of scanning for spoofed email addresses and detecting potential phishing attacks. If companies can detect these attacks early and prevent them from reaching user inboxes, they can significantly reduce their risk of compromise.  

How to strengthen your email security 

Better email security starts with a strong email security solution. It should be capable of spotting spoofing or phishing indicators before emails are delivered to inboxes, and then quarantining these emails for examination. 
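The lookalike-sender checks described on this page (bigcompanyIT@suport.com for support.com, thbigUSAbank for thebigUSAbank, thissarealwebsite.com for thisisarealwebsite.com) can be automated as a pre-delivery filter. The following is an added example written for this article, not LastPass code or any product's implementation. It assumes a constructed allow-list of known senders and trusted hosts, and treats a sender or host that is within two edits of a trusted one (but not equal to it) as a spoofing indicator; it also flags a familiar display name in front of an unfamiliar address, which is the classic email-spoofing pattern.

```python
"""Lookalike-sender and lookalike-host detection for inbound mail (added example)."""
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed allow-list for the example: display name -> the sender's real address.
KNOWN_SENDERS = {
    "Big Company IT": "bigcompanyit@support.com",
    "The Big USA Bank": "thebigusabank@accounts.com",
}
# Constructed list of trusted web hosts, used for links found in message bodies.
TRUSTED_HOSTS = {"thisisarealwebsite.com"}
MAX_DISTANCE = 2  # assumption: one or two edits from a trusted name is a "near miss"


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so 'suport' vs 'support' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_near_miss(candidate: str, references: Set[str]) -> Optional[str]:
    """Return the trusted string that candidate nearly matches, or None if the
    candidate is an exact match (legitimate) or not close to any (unrelated)."""
    if candidate in references:
        return None
    best, best_dist = None, MAX_DISTANCE + 1
    for ref in references:
        dist = edit_distance(candidate, ref)
        if dist < best_dist:
            best, best_dist = ref, dist
    return best


def sender_indicators(from_header: str) -> List[str]:
    """Spoofing indicators for an RFC 5322 From header value; [] means none found."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparsable From header"]
    local, domain = addr.rsplit("@", 1)
    known_addrs = set(KNOWN_SENDERS.values())
    if addr in known_addrs:
        return []
    reasons = []
    # 1. Display-name spoofing: a familiar name in front of an unfamiliar address.
    for known_name, known_addr in KNOWN_SENDERS.items():
        if name.strip().lower() == known_name.lower():
            reasons.append(f"display name '{known_name}' but address is {addr}, not {known_addr}")
    # 2. Lookalike domain (suport.com standing in for support.com).
    ref = closest_near_miss(domain, {a.rsplit("@", 1)[1] for a in known_addrs})
    if ref:
        reasons.append(f"domain {domain} resembles trusted domain {ref}")
    # 3. Same trusted domain, lookalike mailbox (thbigusabank for thebigusabank).
    same_domain_locals = {a.rsplit("@", 1)[0] for a in known_addrs if a.endswith("@" + domain)}
    ref = closest_near_miss(local, same_domain_locals)
    if ref:
        reasons.append(f"mailbox {local}@{domain} resembles {ref}@{domain}")
    return reasons


def link_indicators(host: str) -> List[str]:
    """Domain-spoofing indicator for a host found in a link; [] means none."""
    ref = closest_near_miss(host.lower(), TRUSTED_HOSTS)
    return [f"host {host} resembles trusted host {ref}"] if ref else []


if __name__ == "__main__":
    # Constructed sample From headers modelled on the article's examples.
    samples = [
        "Big Company IT <bigcompanyIT@support.com>",
        "Big Company IT <bigcompanyIT@suport.com>",
        "The Big USA Bank <thbigUSAbank@accounts.com>",
        "totallynotascam@fake.com",
    ]
    for s in samples:
        print(s, "->", sender_indicators(s) or "no spoofing indicator")
    for h in ("thisisarealwebsite.com", "thissarealwebsite.com"):
        print(h, "->", link_indicators(h) or "no spoofing indicator")
```

A message that yields any indicator would be quarantined for review rather than delivered, which is the behaviour the paragraph above describes; the obviously fake totallynotascam@fake.com produces no lookalike indicator here and is left to the usual reputation and content checks.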

Strengthened email security also depends on a zero-trust approach that assumes nothing and verifies everything. By considering potential sources as threats until they're verified, businesses can significantly reduce the risk of compromise.  

Using multi-factor authentication for added protection 

If phishing or spoofing attacks succeed, users may be convinced to provide their usernames and passwords, in turn giving attackers access to business accounts. Companies can protect against this eventuality with multi-factor authentication (MFA). This security framework requires users to provide an additional piece of information along with usernames and passwords to verify their identity. For example, accounts might require a one-time SMS code or the use of a physical USB key. Companies can also leverage biometrics such as fingerprints or retinal scans to ensure only authorized users can gain access. 

With MFA in place, a successful phish still triggers security alerts when malicious actors try (and fail) to access user accounts with the stolen password.
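The following added example (not LastPass code; a constructed illustration of the mechanism the two paragraphs above describe) shows why a phished password alone fails against MFA and where the alert comes from. It assumes a single constructed user record with a PBKDF2 password hash and a TOTP seed of the kind an authenticator app holds, and implements the RFC 6238 time-based one-time code so the "second piece of information" is verified rather than mocked. A correct password followed by a wrong code is exactly the footprint of a phished credential, so that branch records an alert.

```python
"""Password + TOTP login with alerting on a phished-credential pattern (added example)."""
import hashlib
import hmac
import struct
from typing import List

# Constructed user store: in practice the seed lives in the user's authenticator app
# or hardware token and the server stores only its copy.
SALT = b"constructed-example-salt"
TOTP_SEED = b"constructed-seed-0123456789"
ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_seed": TOTP_SEED,
    }
}
ALERTS: List[str] = []  # stand-in for the SIEM / SOC alert channel


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(user: str, password: str, otp: str, now: int) -> str:
    """Return 'granted', 'denied' (bad user/password) or 'denied-mfa' (password ok, code bad)."""
    rec = USERS.get(user)
    if rec is None:
        return "denied"
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    if not hmac.compare_digest(rec["pw_hash"], attempt):
        return "denied"
    # Accept the current 30-second window plus one on either side for clock drift.
    valid_codes = [totp(rec["totp_seed"], now + drift) for drift in (-30, 0, 30)]
    if any(hmac.compare_digest(otp, v) for v in valid_codes):
        return "granted"
    # Correct password but wrong second factor: the signature of a phished credential,
    # so this is where the security alert the article mentions is raised.
    ALERTS.append(f"MFA failure after valid password for {user} at t={now}")
    return "denied-mfa"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed timestamp so the run is repeatable
    print("legitimate user:", login("alice", "correct horse", totp(TOTP_SEED, now), now))
    # An attacker holding only the phished password cannot compute the real code.
    print("phished password:", login("alice", "correct horse", totp(b"no-seed", now), now))
    print("alerts:", ALERTS)
```

The code accepts adjacent time windows to tolerate clock drift; a production check would also rate-limit and reject reuse of a code that has already been accepted.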

Put simply, spoofing baits the hook for more effective phishing. While phishing efforts don't require spoofing — and spoofing alone isn't enough to compromise businesses — they're a dangerous duo in combination. 

Stop the spoof and fight the phish with LastPass. Start your free trial today.