Deception is as old as crime itself, with fraudsters and tricksters using duplicitous methods to deceive people in an effort to make ill-gotten gains. Just as this type of behavior is a longstanding central pillar of criminal activity in the real world, it now extends deep into the virtual world.
Spoofing is a broad term for the type of behavior that involves a cybercriminal masquerading as a trusted user or device to get you to do something beneficial to the hacker — and detrimental to you.
Among the most widely-used attacks, email spoofing often involves things like requests for personal data or financial transactions. The emails appear to be from trusted senders — such as customers, coworkers, or managers — but they are actually from cybercriminals who deliberately disguise themselves to gain your trust and your help with the action they want you to take. The request could be for a money transfer or permission to access a system.
Additionally, spoof emails sometimes contain attachments that install malware — such as Trojans or viruses — when opened. In many cases, the malware is designed to go beyond infecting your computer and spread to your entire network.
This aspect of spoofing relies heavily on social engineering — the ability to convince a human user to believe that what they're seeing is legitimate, prompting them to take action and open an attachment, transfer money, et cetera.
Where email spoofing centers on the user, IP spoofing is primarily aimed at a network.
IP spoofing involves an attacker trying to gain unauthorized access to a system by sending messages with a fake or "spoofed" IP address to make it look like the message came from a trusted source, such as one on the same internal computer network, for example.
Cybercriminals achieve this by taking a legitimate host's IP address and altering the packet headers sent from their own system to make them appear to be from the original, trusted computer.
A spoofer who hijacks a browser can essentially divert visitors from a legitimate website to a similar-looking, fraudulent website. This website then steals visitors' personal and payment information. This is known as website spoofing.
Defenses Against Spoofing
As with most aspects of defense against cybercrime, the basic tenet of self-protection is awareness. In general, trust is a good thing, but blind trust — especially in the virtual world — is rarely a good thing and often dangerous.
If you're in doubt about the legitimacy of an email, make a phone call to confirm the information is accurate and really came from the sender.
When visiting a website, pay careful attention to how the website looks and behaves.
If anything seems suspicious, leave the site without sharing any personal information. If you really need to interact with the company, contact the company directly.
Deploying powerful security solutions such as those developed by Kaspersky Lab is also highly advisable.
Strong Internet security software can protect you from fraudulent sites and eliminate malware as soon as it tries to infiltrate your system.