In cybersecurity, ‘spoofing’ is when fraudsters pretend to be someone or something else to win a person’s trust. The motivation is usually to gain access to systems, steal data, steal money, or spread malware.
What is spoofing?
Spoofing is a broad term for the type of behavior that involves a cybercriminal masquerading as a trusted entity or device to get you to do something beneficial to the hacker — and detrimental to you. Any time an online scammer disguises their identity as something else, it’s spoofing.
Spoofing can apply to a range of communication channels and can involve different levels of technical complexity. Spoofing attacks usually involve an element of social engineering, where scammers psychologically manipulate their victims by playing on human vulnerabilities such as fear, greed, or lack of technical knowledge.
How does spoofing work?
Spoofing typically relies on two elements – the spoof itself, such as a faked email or website, and then the social engineering aspect, which nudges victims to take action. For example, spoofers may send an email that appears to come from a trusted senior co-worker or manager, asking you to transfer some money online and providing a convincing rationale for the request. Spoofers often know what strings to pull to manipulate a victim into taking the desired action – in this example, authorizing a fraudulent wire transfer – without raising suspicion.
A successful spoofing attack can have serious consequences – including stealing personal or company information, harvesting credentials for use in further attacks, spreading malware, gaining unauthorized network access, or bypassing access controls. For businesses, spoofing attacks can sometimes lead to ransomware attacks or damaging and costly data breaches.
There are many different types of spoofing attacks – the more straightforward ones relate to emails, websites, and phone calls. The more complex technical attacks involve IP addresses, Address Resolution Protocol (ARP), and Domain Name System (DNS) servers. We explore the most common spoofing examples below.
Types of spoofing
Among the most widely-used attacks, email spoofing occurs when the sender forges email headers to that client software displays the fraudulent sender address, which most users take at face value. Unless they inspect the header closely, email recipients assume the forged sender has sent the message. If it’s a name they know, they are likely to trust it.
Spoofed emails often request a money transfer or permission to access a system. Additionally, they can sometimes contain attachments that install malware — such as Trojans or viruses — when opened. In many cases, the malware is designed to go beyond infecting your computer and spread to your entire network.
Email spoofing relies heavily on social engineering — the ability to convince a human user to believe that what they are seeing is legitimate, prompting them to take action and open an attachment, transfer money, and so on.
How to stop email spoofing:
Unfortunately, it is impossible to stop email spoofing completely because the foundation for sending emails – known as the Simple Mail Transfer Protocol – doesn’t require any authentication. However, ordinary users can take simple steps to reduce the risk of an email spoofing attack by choosing a secure email provider and practicing good cybersecurity hygiene:
- Use throwaway email accounts when registering for sites. This reduces the risk of your private email address appearing in lists used for sending spoofed email messages in bulk.
- Make sure your email password is strong and complex. A strong password makes it harder for criminals to access your account and use it to send malicious emails from your account.
- If you can, inspect the email header. (This will depend on the email service you are using and will only work on desktop.) The email header contains metadata on how the email was routed to you and where it came from.
- Switch on your spam filter.This should prevent most spoofed emails from coming into your inbox.
Whereas email spoofing focuses on the user, IP spoofing is primarily aimed at a network.
IP spoofing involves an attacker trying to gain unauthorized access to a system by sending messages with a fake or spoofed IP address to make it look like the message came from a trusted source, such as one on the same internal computer network, for example.
Cybercriminals achieve this by taking a legitimate host's IP address and altering the packet headers sent from their own system to make them appear to be from the original, trusted computer. Catching IP spoofing attacks early is especially important because they often come as part of DDoS (Distributed Denial of Service) attacks, which can take an entire network offline. You can read more in our detailed article about IP spoofing.
How to prevent IP spoofing – tips for website owners:
- Monitor networks for unusual activity.
- Use packet filtering systems capable of detecting inconsistencies, such as outgoing packets with source IP addresses that don't match those on the network.
- Use verification methods for all remote access (even among networked computers).
- Authenticate all IP addresses.
- Use a network attack blocker.
- Ensure at least some computer resources are behind a firewall.
Website spoofing – also known as URL spoofing – is when scammers make a fraudulent website resemble a legitimate one. The spoofed website will have a familiar login page, stolen logos and similar branding, and even a spoofed URL that appears correct at first glance. Hackers build these websites to steal your login details and potentially drop malware onto your computer. Often, website spoofing takes place in conjunction with email spoofing – for example, scammers might send you an email containing a link to the fake website.
How to avoid website spoofing:
- Look at the address bar – a spoofed website is unlikely to be secured. To check, the URL should start with https:// rather than http:// - the "s" stands for "secure," and there should be a lock symbol in the address bar too. This means that the site has an up-to-date security certificate. If a site does not have this, it doesn’t necessarily mean it has been spoofed – look out for additional signs as well.
- Try a password manager – software used to autofill login credentials does not work on spoofed websites. If the software doesn't automatically complete the password and username fields, it could indicate that the website is spoofed.
Caller ID or phone spoofing
Caller ID spoofing – sometimes called phone spoofing – is when scammers deliberately falsify the information sent to your caller ID to disguise their identity. They do this because they know you are more likely to pick up your phone if you think it is a local number calling instead of one you don't recognize.
Caller ID spoofing uses VoIP (Voice over Internet Protocol), which allows scammers to create a phone number and caller ID of their choice. Once the recipient answers the call, the scammers try to obtain sensitive information for fraudulent purposes.
How to stop someone from spoofing my phone number:
- Check to see if your phone carrier has a service or app that helps identify or filter out spam calls.
- You can consider using third-party apps to help block spam calls – but be aware that you will be sharing private data with them.
- If you receive a call from an unknown number, often it is best not to answer it. Answering spam calls invites more spam calls, as the scammers then consider you a potential prospect.
Text message spoofing
Text message spoofing – sometimes called SMS spoofing – is when the sender of a text message misleads users with fake displayed sender information. Legitimate businesses sometimes do this for marketing purposes by replacing a long number with a short and easy-to-remember alphanumeric ID, ostensibly so that it's more convenient for customers. But scammers also do it – to hide their real identity behind an alphanumeric sender ID, usually masquerading as a legitimate company or organization. Often, these spoofed texts include links to SMS phishing (known as “smishing”) sites or malware downloads.
How to prevent text messaging spoofing:
- Avoid clicking on links in text messages as much as possible. If an SMS appearing to be from a company you know asks you to take urgent action, visit their website directly by typing in the URL yourself or searching via a search engine, and don’t click on the SMS link.
- In particular, never click on “password reset” links in SMS messages – these are highly likely to be scams.
- Remember that banks, telecoms, and other legitimate service providers never ask for personal details via SMS – so don’t give out personal information in this way.
- Exercise caution about any “too good to be true” SMS alerts about prizes or discounts – they are likely to be scams.
Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific device on a network. ARP spoofing, sometimes also called ARP poisoning, occurs when a malicious actor sends falsified ARP messages over a local area network. This links the attacker’s MAC address with the IP address of a legitimate device or server on the network. This link means the attacker can intercept, modify, or even stop any data intended for that IP address.
How to prevent ARP poisoning:
- For individuals, the best defense against ARP poisoning is to use a Virtual Private Network (VPN).
- Organizations should use encryption – i.e., HTTPS and SSH protocols – to help reduce the chance of an ARP poisoning attack succeeding.
- Organizations should also consider the use of packet filters – filters that block malicious packets and those whose IP addresses are suspicious.
DNS spoofing – sometimes called DNS cache poisoning – is an attack in which altered DNS records are used to redirect online traffic to a fake website that resembles its intended destination. Spoofers achieve this by replacing the IP addresses stored in the DNS server with the ones the hackers want to use. You can read more about DNS spoofing attacks in our full article here.
How to avoid DNS spoofing:
- For individuals: never click on a link you are unsure of, use a Virtual Private Network (VPN), regularly scan your device for malware, and flush your DNS cache to solve poisoning.
- For website owners: use DNS spoofing detection tools, domain name system security extensions, and end-to-end encryption.
GPS spoofing occurs when a GPS receiver is tricked into broadcasting fake signals that look like real ones. This means that the fraudsters are pretending to be in one location while actually being in another. Fraudsters can use this to hack a car's GPS and send you to the wrong place or – on a much bigger scale – can even potentially interfere with the GPS signals of ships or aircraft. Many mobile apps rely on location data from smartphones – these can be targets for this kind of spoofing attack.
How to prevent GPS spoofing:
- Anti-GPS spoofing technology is being developed, but mainly for large systems, such as maritime navigation.
- The simplest (if inconvenient) way for users to protect their smartphones or tablets is to switch it to "battery-saving location mode." In this mode, only Wi-Fi and cellular networks are used to determine your location, and GPS is disabled (this mode is unavailable on some devices).
Facial recognition technology is used to unlock mobile devices and laptops and increasingly in other areas, such as law enforcement, airport security, healthcare, education, marketing, and advertising. Facial recognition spoofing can occur through illegally obtained biometric data, either directly or covertly from a person’s online profiles or through hacked systems.
How to prevent facial spoofing:
Most facial recognition anti-spoofing methods involve Liveliness Detection. This determines whether a face is live or a false reproduction. There are two techniques involved:
- Eye blink detection – which observes patterns in blink intervals – fraudsters who can’t match these patterns are denied access.
- Interactive detection – which asks users to perform specific facial actions to check they are real.
How to prevent spoofing
In general, following these online safety tips will help to minimize your exposure to spoofing attacks:
- Avoid clicking on links or opening attachments from unfamiliar sources. They could contain malware or viruses which will infect your device. If in doubt – always avoid.
- Don’t answer emails or calls from unrecognized senders. Any communication with a scammer carries potential risk and invites further unwanted messages.
- Where possible, set up two-factor authentication. This adds another layer of security to the authentication process and makes it harder for attackers to access your devices or online accounts.
- Use strong passwords. A strong password is not easy to guess and ideally made up of a combination of upper- and lower-case letters, special characters, and numbers. Avoid using the same password across the board and change your password regularly. A password manager tool is an excellent way to manage your passwords.
- Review your online privacy settings. If you use social networking sites, be careful who you connect with and learn how to use your privacy and security settings to ensure you stay safe. If you recognize suspicious behavior, have clicked on spam, or have been scammed online, take steps to secure your account and be sure to report it.
- Don’t give out personal information online. Avoid disclosing personal and private information online unless you are 100% sure it is a trusted source.
- Keep your network and software up to date. Software updates include security patches, bug fixes, and new features – keeping up to date reduces the risk of malware infection and security breaches.
- Look out for websites, emails, or messages with poor spelling or grammar – plus any other features that look incorrect, such as logos, colors, or missing content. This can be a sign of spoofing. Only visit websites with a valid security certificate.
In the US, victims of spoofing can file a complaint with the FCC’s Consumer Complaint Center. Other jurisdictions around the world have similar bodies with their own complaints procedures. If you have lost money due to spoofing, you can involve law enforcement.
The best way to stay safe online is by a robust antivirus software solution. We recommend Kaspersky Total Security: a well-rounded cybersecurity package that will protect you and your family online and ensure a safer internet experience.