Spoofing is where cyber criminals pretend to be someone else, (an individual or an organisation) in order to perform a phishing scam, or other cyber attacks. They usually masquerade as reputable brands, businesses, or individuals to trick their victims into releasing sensitive information or offering up financial retribution.
What types of spoof are there?
A spoof is the medium used in which to perform the attack – this can be a text message, or more commonly an email, but more examples exist as below. The design of the attack uses social engineering to both convince the victim that the attacker is who they say they are, and to also follow through with the call to action. It is a manipulation of trust.
There are a few different types of spoof:
Name | Description |
The email appears to come from a creditable company or individual. | |
URL | Usually included in the email will be a link that seems to be believable but is actually malicious if clicked. |
Website | Sometimes called ‘Typosquatting’, if you accidentally misspell a well-known website in the address bar, you might find yourself on a fake version of the real website set up by cybercriminals. |
Text | Could be a message from supposedly someone you know and trust asking for money, could have a phishing link, could be a fake bank asking for personal or financial information. |
Extension | Changes the file type to seem more convincing – better for tricking you to download the attachment. |
IP | IP addresses are numbers that reveal your device location – a spoof of this would give off an incorrect IP hiding the actual location of the attack, and perhaps posing as a trusted IP. |
Caller ID | Criminals may use your area code to trick you into answering the phone, and/or pose as someone you know or would respect like a police officer. If you engage in conversation, you may receive further scam attempts. |
Deep fake/facial | Uses AI to create realistic images or voices of individuals. This can be used for impersonations via phone calls, spreading false communications in video messages, or in some instances, to bypass facial-recognition for MFA or building access – this is rare, but good to be aware of. |
GPS | Can change the location a device shows and is used to hijack vehicles, boats, drones, even ships and military navigation systems – an advanced type of spoofing. |
What’s in a spoof?
Spoofing and phishing are closely related – phishing scammers may use spoofing methods. Spoofing emails may encourage one of the following:
- Money transfer
- Grant access permissions
- Unknowingly download malware
- Use login credentials for a disguised malicious website
How to spot a spoof (and therefore avoid it)
- Turn your inbox’ spam filter on – most spoofed emails will go here instead of your main inbox.
- Check the email address – they can be sent or redirected from suspicious looking accounts and the sender name and email may not match up.
- Banks and other such services will never ask you to reveal sensitive information by email – be sceptical.
- If there’s a sense of urgency it might be social engineering rather than real.
- Criminals can spend lots of time on the design and including logos, but less time spelling and grammar checking – look out for errors and typos.
- Web addresses may have typos in to seem legitimate at first glance – second glance? They’re probably not.
- There may be other inconsistencies like incorrect fonts used – just keep your eyes peeled.
- Don’t answer calls from unknown callers – if it’s urgent and real, they’ll leave a message which you can then verify. If not, the call is best ignored.