Spoofing is a widely used cyber threat technique involving impersonation. In spoofing attacks, adversaries may impersonate websites, emails, phone numbers, and geolocations to perpetrate scams, commit financial crimes, or steal identities.
One of the most common uses of spoofing today is phishing, a type of social engineering attack wherein a threat actor poses as a legitimate institution to lure targets into providing personally identifiable information. The recent increase in successful phishing attacks illustrates how threat actors can use spoofing to their advantage and why it’s become a popular method of manipulation.
For both organizations and end-users, identifying spoofing attacks before they do damage is a vital part of protecting sensitive information, including login credentials, credit card numbers, or other compromising data.
This guide explains what spoofing is and how it works, provides types and examples of spoofing, and offers spoofing protection and prevention strategies to avoid this increasingly common attack and its consequences.
What Is Spoofing?
Spoofing is a scam in which adversaries disguise themselves as legitimate users or devices to convince targets they are someone or somewhere else.
Threat actors typically imitate known, trusted sources and manipulate email addresses, display names, phone numbers, text messages, or website URLs to aid their malicious activities.
The initial goal of spoofing attacks is often for an adversary to engage with a target and access their systems or device. Typically, the end goal is to steal information, extort money, or install malware on the target’s device.
There are several types of spoofing, including email spoofing, caller ID spoofing, text message spoofing, and GPS and URL spoofing, to name a few. If a form of online communication exists, it’s possible spoofers will attempt to use it for a scam.
Spoofing vs. Phishing
Although sometimes used interchangeably, the words “spoofing” and “phishing” do not always mean the same thing.
Spoofing typically involves an adversary using a fake identity or location for malicious purposes.
Phishing often involves spoofing to trick targets into providing personal data that adversaries can use for malicious purposes.
Spoofing is the manipulation itself, while phishing uses the manipulation in a particular form, typically a phishing email. Like phishing, spoofing can also come in many forms.
How Spoofing Works
Adversaries successfully gain the trust of their targets by tricking them into believing that spoofed communications are legitimate. To convince their victims, spoofers may use the name of a large trusted company or someone the target knows personally. Then, spoofers typically ask their targets to take action (e.g., clicking a link or downloading an attachment) or reveal sensitive information (e.g., visiting a website and entering login credentials).
If successful, spoofing attacks can lead targets to disclose personal or financial information, send money directly, or download malware, resulting in infected computers, financial fraud, or identity theft.
Which spoofing techniques a threat actor uses often depends on the type of spoofing attack. In email spoofing, for example, threat actors may hack an unsecured mail server to hide their true identity. However, there are also simpler, non-technical spoofing techniques, such as creating an email address that looks similar to an email address the target already knows. In this case, an adversary might change a single letter, number, or symbol within the email address so it appears legitimate at first glance.
For example, a spoofer might use an email address with the domain “PayPaI,” replacing the lowercase “l” with an uppercase “I,” so that the address appears to be from the company PayPal. They might also use PayPal’s colors, logos, and language to trick recipients into thinking the email is actually from PayPal and not a spoofer.
Adversaries may also spoof multiple contact points to initiate communication with targets and carry out attacks. For instance, the fake PayPal email might falsely inform the recipient that someone made an expensive purchase using their account. This unexpected information could motivate the target to instinctively click on the link embedded in the email to review the transaction.
In this scenario, the link could take the target to a spoofed website with a fake login page that looks almost identical to PayPal’s legitimate site. There, the victim might enter their login credentials to access their account and view their purchasing history, but in reality, they may unknowingly give their username and password straight to the spoofer.
In another scenario, clicking on the link in the email might download malware onto the target’s device, which could cause infected computer systems and networks and result in a data breach.
Becoming familiar with the various types of spoofing attacks may help end-users better understand how these attacks work so they are more prepared to prevent them.
Spoofing Types and Examples
Spoofing attacks can take many forms. While some are relatively simple, others are far more sophisticated. Reviewing the common types of spoofing attacks may help end-users identify them before it’s too late.
1. Email Spoofing
Email spoofing is one of the most common types of spoofing attacks today. This type of spoofing occurs when an adversary impersonates a regular or plausible contact via email. It’s also called a homograph attack or visual spoofing.
Spoofed emails often contain links to malicious websites or infected attachments. Spoofers may use other social engineering techniques like conducting thorough research on their target before launching an attack to convince recipients to divulge personally identifiable or otherwise sensitive information.
Email spoofing is often part of phishing campaigns and spear phishing emails and typically includes a similar combination of the following deception techniques:
- False “From” email addresses that appear to be from someone the target knows and trusts at first glance
- Familiar corporate branding, including logos, colors, call-to-action buttons, and more
- Unsolicited links or attachments coupled with a sense of urgency around opening them
2. Text Message Spoofing
Text message spoofing is similar to email spoofing in that the message typically appears to come from a legitimate source. However, text message spoofing can be even more specific and customized than email spoofing.
For example, a text message from someone pretending to be the target’s bank might request that they click a link within the message and enter login credentials or other sensitive information.
In another example, a spoofer might pretend to be someone close to the target who recently changed their phone number. In this type of text message spoofing attack, the spoofer might play to the target’s emotions by reporting that they are in a dire situation and asking for a direct transfer of funds to help.
3. Caller ID or Phone Spoofing
Phone spoofing, also called caller ID spoofing, occurs when a spoofer falsifies the phone number they are calling from so the target will answer the call.
This type of spoofing attack may even trick the target’s phone into thinking the call is coming from a legitimate source. For example, the target’s caller ID may show that the call is from a business or government agency.
More recently, spoofers have begun picking phone numbers with the target’s area code, making them less likely to ignore the call. This type of phone spoofing is called neighbor spoofing and is explained in more detail below.
If the target of a phone spoofing attack answers the call, the spoofer may pose as a customer support agent, debt collector, bank personnel, or another official figure to gather personal information, such as:
- Credit card numbers
- Banking details
- Social security numbers
- Dates of birth
4. URL or Website Spoofing
URL spoofing, also called website spoofing, is when a spoofer creates a fraudulent website mimicking an existing site to obtain information from targets or install malware on their devices.
Like in the PayPal example above, the use of a spoofed website may help threat actors obtain login credentials from their targets. The spoofers could then use that information to log in to the real PayPal site, access their target’s account, and steal their funds.
5. Neighbor Spoofing
Neighbor spoofing is a specific type of phone or caller ID spoofing in which the spoofed phone number appears to be from someone with the same area code as the target.
The Federal Communications Commission’s (FCC) Truth in Caller ID Act legally prohibits “anyone from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value,” with penalties of up to US$10,000 for each violation. However, neighbor spoofers aren’t often caught.
6. GPS Spoofing
GPS spoofing is slightly different from other types of spoofing. This type of spoofing attack typically tries to trick a GPS receiver into thinking it’s in a different location by broadcasting fake GPS signals.
This type of spoofing is often used in warfare or by gamers instead of targeting individual consumers or organizations. However, anyone can be vulnerable to this type of attack.
For example, GPS spoofing could redirect a vehicle’s navigation systems, including passenger cars and commercial airplanes.
7. IP Spoofing
Internet Protocol (IP) spoofing occurs when an adversary attempts to hide or disguise the location from which they are sending or requesting data by replacing the source IP address with a fake one.
In this type of spoofing attack, the IP address often appears to be from a trusted source but is masking its true identity. Advanced adversaries often use this technique in Distributed Denial of Service (DDoS) attacks where attackers alter their IP addresses, flood the victim’s site with traffic, and limit access for authentic users.
Virtual Private Network (VPN) services also use IP spoofing to mask users’ IP addresses and locations. However, unlike IP spoofing attacks, VPNs are often used for legitimate reasons, including privacy or streaming content when traveling overseas.
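The defensive counterpart to IP spoofing is a source-address filter at the network border. The following is an added example, not code from the original article: it applies an ingress check (packets arriving from the Internet must not claim an internal or reserved source) and an egress check (packets leaving must carry one of the site's own addresses). The site prefix 203.0.113.0/24 and the sample packets are constructed.

```python
# Added example, not from the original article: a minimal source-address
# sanity filter of the kind a border router or host firewall applies to
# reject IP-spoofed packets. Topology and packet samples are constructed.
import ipaddress

# Constructed: the address space this site legitimately originates traffic from.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that must never arrive from the public Internet: private,
# loopback, link-local, multicast and reserved space (a "bogon" list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def check_packet(direction, src):
    """Return (action, reason) for a packet seen on the Internet-facing link.

    direction: "in"  = arriving from the Internet (ingress filter)
               "out" = leaving our network       (egress filter, BCP 38 style)
    src: dotted source IP address as a string
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", f"unparseable source address {src!r}"
    if direction == "in":
        if _in_any(addr, SITE_PREFIXES):
            return "drop", f"{src} claims to be inside our own address space"
        if _in_any(addr, BOGONS):
            return "drop", f"{src} is a bogon/private source on a public link"
        return "accept", "plausible external source"
    if direction == "out":
        if not _in_any(addr, SITE_PREFIXES):
            return "drop", f"{src} is not ours; would be a spoofed outbound packet"
        return "accept", "source belongs to this site"
    return "drop", f"unknown direction {direction!r}"

def summarise(packets):
    """Apply check_packet to (direction, src) tuples; return per-action counts."""
    counts = {"accept": 0, "drop": 0}
    for direction, src in packets:
        counts[check_packet(direction, src)[0]] += 1
    return counts

# Constructed sample packets seen on the external interface.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7"),     # ordinary external client
    ("in", "203.0.113.9"),      # our own prefix arriving from outside: spoofed
    ("in", "192.168.1.50"),     # private source from the Internet: spoofed
    ("out", "203.0.113.20"),    # legitimate outbound
    ("out", "198.51.100.200"),  # foreign source leaving our network: spoofed
]

if __name__ == "__main__":
    for direction, src in SAMPLE_PACKETS:
        print(direction, src, *check_packet(direction, src))
    print(summarise(SAMPLE_PACKETS))
```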
8. ARP Spoofing
Address Resolution Protocol (ARP) matches Media Access Control (MAC) addresses to IP addresses for data transmission. In an ARP spoofing attack, an adversary typically links a legitimate network IP address to their MAC so they can receive data meant for the IP address’s valid owner.
To check for an ARP spoofing attack, first look for an intruder on the network by opening a command line and entering: arp -a. This shows the ARP table of the device used to issue the command. If two or more IP addresses share the same MAC address, there could be an intruder on the network.
Adversaries often use this type of attack to steal or modify data, but they may also use ARP spoofing in DDoS attacks, man-in-the-middle (MITM) attacks, or session hijacking.
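The arp -a check above can be automated. The following is an added example, not code from the original article: it parses both the Windows and the Linux/macOS output formats, ignores broadcast and multicast entries that legitimately map to many addresses, and reports any hardware address bound to two or more IP addresses. The ARP table text is constructed. A shared MAC is a signal to investigate rather than proof of an attack, since a router or virtualisation host can legitimately answer for several addresses.

```python
# Added example, not from the original article: parse the output of "arp -a"
# (Windows and Linux/macOS formats) and report MAC addresses that answer for
# more than one IP address, the symptom described above. Table text is constructed.
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")

def parse_arp_table(text):
    """Yield (ip, mac) pairs; MACs normalised to lower-case colon form."""
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line)
        if mac and ip:
            yield ip.group(1), mac.group(1).lower().replace("-", ":")

def is_broadcast_or_multicast(mac):
    """ff:ff:ff:ff:ff:ff and group-bit MACs legitimately map to many IPs."""
    return mac == "ff:ff:ff:ff:ff:ff" or int(mac[:2], 16) % 2 == 1

def find_shared_macs(text):
    """Return {mac: [ip, ...]} for MACs bound to two or more unicast IPs."""
    by_mac = defaultdict(set)
    for ip, mac in parse_arp_table(text):
        if not is_broadcast_or_multicast(mac):
            by_mac[mac].add(ip)
    return {
        mac: sorted(ips, key=lambda s: tuple(int(p) for p in s.split(".")))
        for mac, ips in by_mac.items() if len(ips) > 1
    }

# Constructed Windows-style table: the gateway's IP and a workstation's IP
# both resolve to the same hardware address.
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.25          a4-2b-8c-11-22-33     dynamic
  192.168.1.40          3c-52-82-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed Linux/macOS-style table for the same situation.
SAMPLE_LINUX = """\
_gateway (192.168.1.1) at a4:2b:8c:11:22:33 [ether] on eth0
? (192.168.1.25) at a4:2b:8c:11:22:33 [ether] on eth0
? (192.168.1.40) at 3c:52:82:aa:bb:cc [ether] on eth0
"""

if __name__ == "__main__":
    for name, table in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        for mac, ips in find_shared_macs(table).items():
            print(f"{name}: {mac} answers for {', '.join(ips)} - investigate")
```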
9. DNS Spoofing
Domain name system (DNS) spoofing attacks typically involve adversaries altering the records that map a domain name to an IP address, so that the name resolves to an address of their choosing. Since DNS servers hold the database of hostnames and public IP addresses that clients rely on to find sites, spoofers who can alter those records can redirect traffic.
When the target enters a website URL, they arrive at a spoofed domain instead of the intended site. Attackers also use this method to spread worms and viruses across networks.
10. MITM Attacks
Man-in-the-middle attacks typically involve three players:
- The target
- The entity the target is trying to communicate with
- The “man in the middle” intercepting communications
To be considered a spoofing attack, the spoofer must impersonate one of the parties involved in the communication. In other types of MITM attacks, adversaries may attempt to eavesdrop on an exchange without spoofing.
MITM attacks using spoofing often include email spoofing, website spoofing, or a combination of both. A MITM attack usually aims to intercept useful, sensitive, or potentially profitable information. Once hijacked, that information may be used for identity theft, to approve financial transactions, or be sold on the dark web.
11. Facial Spoofing
Facial spoofing, also called deep faking, is a new form of spoofing in which an adversary simulates a person’s face using facial biometrics obtained from photos or videos.
This type of spoofing is typically involved with bank identity fraud or money laundering. However, since many people now use facial recognition to unlock their devices, threat actors are beginning to explore how facial spoofing might exploit other vulnerabilities.
Other implications for this emerging technology include simulating embarrassing or incriminating footage of high-profile individuals for extortion.
12. Social Media Spoofing
Social media spoofing involves using social media platforms to trick targets into divulging sensitive information or downloading malware.
This type of spoofing attack often uses fake social media profiles in combination with some offer or threat. For example, a profile might claim that the owner is a celebrity or recognized public figure (someone who recently won the lottery, for instance) and is giving away “free” money to a certain number of new followers.
Once a target follows the fake account, they might receive a direct message instructing them to send a “small fee” in exchange for a large sum of money. If enough users fall for this scam it could be very profitable.
In another example, a social media profile impersonating someone known to the target might send a direct message. For instance, the target might receive a message from someone pretending to be a relative or friend with a link. Once the recipient clicks the link, it may trigger a malware download or send the target to a spoofed website. The message may also request funds or other private information.
13. Other Types of Spoofing
As technology advances, there will likely be more types of spoofing soon to follow. It’s worth repeating that as long as online communications exist, threat actors will continue to find ways to exploit them.
Is Spoofing Illegal?
Although the FCC has cracked down on caller ID spoofing, whether or not spoofing is generally considered legal or illegal is largely still up for debate and often depends on the particular circumstances.
Spoofing is illegal when it goes against the rules set forth by the FCC, which defines unlawful spoofing as spoofing done with the “intent to defraud, cause harm, or wrongly obtain anything of value.” However, catching spoofers is often tricky and rarely happens.
Spoofing Protection and Prevention Strategies
There are several ways individuals and organizations can protect themselves from spoofing attacks.
End-User Detection and Prevention
For end-users, detecting spoofing attempts right away is often the best way to avoid them. Spoofing attacks can be sophisticated, so the key is paying close attention to the details.
It’s also essential to trust end-user instincts: if someone thinks an email, text message, phone call, or website might be spoofed, they’re probably right.
To avoid spoofed emails, closely examine the sender’s address, keeping in mind that spoofers often use fake domains similar to legitimate ones. Other red flags include typos, bad grammar, and unusual syntax. Pay attention to alterations in small details, like the capitalization of certain letters (e.g., “i” and “I,” and “l” and “L”) or two letters placed next to each other to mimic another (e.g., “rn” vs. “m”).
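The character substitutions described here and in the PayPaI example above can be checked mechanically. The following is an added example, not code from the original article: it reduces a sender's domain to a canonical "skeleton" (uppercase I folded to l, "rn" to "m", digits to the letters they resemble) and compares it against a constructed list of trusted brand domains, treating genuine subdomains of those brands as trusted.

```python
# Added example, not from the original article: flag sender addresses whose
# domain visually imitates a trusted one, using the substitutions described
# above (uppercase "I" for lowercase "l", "rn" for "m", digits for letters).
import unicodedata

# Constructed list of brand domains the check protects.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "sentinelone.com"}

# Multi-character sequences that mimic a single letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
# Single characters that mimic a letter (applied after lower-casing).
SINGLE_CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "8": "b"}

def skeleton(domain):
    """Canonical form of a domain so that look-alike spellings collide."""
    # Fold accented and compatibility characters onto their base letter.
    d = unicodedata.normalize("NFKD", domain)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    # Uppercase "I" passes for lowercase "l"; map it before lower-casing,
    # otherwise it would become "i" and the PayPaI trick would go unnoticed.
    d = d.replace("I", "l").lower()
    for seq, letter in MULTI_CONFUSABLES.items():
        d = d.replace(seq, letter)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in d)

def sender_domain(address):
    """Domain part of an address such as 'PayPal <service@PayPaI.com>'."""
    return address.rsplit("@", 1)[-1].strip("> ")

def classify_sender(address):
    """Return 'trusted', 'lookalike' (imitates a trusted domain) or 'unknown'."""
    dom = sender_domain(address)
    low = dom.lower()
    for trusted in TRUSTED_DOMAINS:
        if low == trusted or low.endswith("." + trusted):
            return "trusted"          # exact domain or a real subdomain of it
    sk = skeleton(dom)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):
            return "lookalike"        # e.g. PayPaI.com, arnazon.com
        brand = skeleton(trusted).split(".")[0]
        # Brand name reused in another label or TLD, e.g. paypa1.net or
        # paypal.com.login-check.example (the real domain is the last part).
        if any(brand in label for label in sk.split(".")):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for addr in ("service@paypal.com", "PayPal <service@PayPaI.com>",
                 "billing@paypa1.net", "alerts@arnazon.com", "noreply@example.org"):
        print(f"{addr:35} -> {classify_sender(addr)}")
```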
If an email comes from a seemingly legitimate source, contains urgent language, and asks the recipient to take action, consider checking with the source directly before following through. For example, visit paypal.com directly to verify recent transactions rather than clicking the link in an email. Practice caution by hovering the mouse over links to reveal the URL before clicking on any links contained in emails. As a rule, if a URL looks suspicious, do not click it.
Additionally, copying and pasting the contents of the email into a search engine may reveal whether it’s part of a known circulating scam.
To avoid spoofed websites, pay close attention to URLs and whether they contain correct spelling. It can also help to be wary of websites with no lock symbol in the URL bar or URLs that begin with HTTP instead of HTTPS (the encrypted version of HTTP). Note that the lock symbol only confirms an encrypted connection to whichever site the URL names; a look-alike domain can carry its own valid certificate, so checking the spelling comes first.
For users with a password manager, pay attention to whether it auto-fills login information: if it does not, that can be a sign it does not recognize the website.
To avoid spoofed phone calls, the FCC advises not to answer calls from unknown numbers. However, this isn’t always possible. If a recipient must answer a phone call, stay alert for any requests for personal information. For example, a representative from a credit card company should already know details such as credit card numbers and shouldn’t need to ask for this information.
Ask for additional information before discussing anything sensitive in nature. If someone claims to be a debt collector, look up the company and verify that person is an employee there. If the caller claims to be someone an individual knows personally, the individual should hang up and call the person directly.
Today, many spoofed and spam calls use prerecorded messages triggered automatically when the recipient answers the call. A silent pause or a click at the beginning of a call may signify that a prerecorded message is in use.
Spam filters are programs that automatically detect unsolicited and unwanted emails. They aim to prevent these attempts from ever reaching the recipient in the first place.
For example, many smartphones today have settings allowing users to silence or block unknown callers automatically. This option can help cut down on the number of spoofed or spam calls, but it can also prevent legitimate callers from being able to get through.
Additionally, some phones can identify callers as “potential spam.” However, this feature is tuned for spam calls, which are typically more generic and less sophisticated than spoofed calls, and may therefore be less effective against spoofed calls.
Users can also apply spam filters to social media. For example, many social media platforms use spam filters to limit the number of fake accounts.
To limit spam on social media, users can also:
- Set accounts to “private”
- Disable similar account suggestions
- Block spam accounts and report them
Email spam filters are also commonly used by internet service providers (ISPs) and online email services to prevent email spoofing attacks.
Some email spam filters are less effective than others. They may trigger false positives (i.e., legitimate emails are flagged and filtered as spam). There are more sophisticated email filtering programs that can identify spam messages using machine learning (ML) or artificial intelligence (AI) to recognize suspicious word patterns or frequency.
Other common types of spam filters include:
- Blocklist filters: Block spam emails from senders on a spam list.
- Content filters: Examine the content of emails and use that information to decide whether or not they are spam.
- Header filters: Analyze email headers to determine if they originate from a legitimate source.
- Rule-based filters: Enable users to establish specific rules, apply them to incoming emails, and use content filtering to identify and automatically forward emails that meet the criteria to a spam folder.
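The four filter types just listed can be combined in one pass over a message. The following is an added example, not code from the original article: it parses a raw email with Python's standard email module and applies a blocklist check, a header check (Return-Path and Reply-To domains should match the visible From domain), a content check (urgency wording together with a link), and user-supplied header rules. The blocklist, urgency phrases, sample messages and the two-reason spam threshold are all constructed.

```python
# Added example, not from the original article: a small filter that applies
# the four filter types listed above to one raw message. Blocklist, urgency
# phrases, sample messages and the two-reason spam threshold are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

BLOCKLIST = {"bulkmailer.example"}
URGENCY = ("act now", "immediately", "suspended", "verify your account", "within 24 hours")

def domain_of(header_value):
    """Domain of an address header, or '' when the header is missing/malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def body_text(msg):
    """Plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")

def score_message(raw, user_rules=()):
    """Return (verdict, reasons). user_rules: (header name, regex) pairs."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    # Blocklist filter: visible sender or envelope sender on a known-bad list.
    for d in {from_dom, return_dom}:
        if d in BLOCKLIST:
            reasons.append(f"blocklist: {d}")
    # Header filter: bounce and reply addresses should match the visible sender.
    for hdr, d in (("Return-Path", return_dom), ("Reply-To", domain_of(msg["Reply-To"]))):
        if d and d != from_dom:
            reasons.append(f"header: {hdr} domain {d} differs from From domain {from_dom}")
    # Content filter: urgency wording combined with a link to click.
    body = body_text(msg)
    hits = [p for p in URGENCY if p in body.lower()]
    if hits and re.search(r"https?://", body):
        reasons.append("content: urgency phrases " + ", ".join(hits) + " plus a link")
    # Rule-based filter: user-defined header/regex rules.
    for hdr, pattern in user_rules:
        if re.search(pattern, msg.get(hdr, ""), re.IGNORECASE):
            reasons.append(f"rule: {hdr} matches /{pattern}/")
    verdict = "spam" if len(reasons) >= 2 else "suspicious" if reasons else "ok"
    return verdict, reasons

# Constructed phishing-style message: look-alike sender, mismatched bounce
# and reply domains, urgent wording and a link.
SAMPLE_PHISH = """\
From: "PayPal Service" <service@paypal-billing.example>
Return-Path: <bounce-123@bulkmailer.example>
Reply-To: <help@bulkmailer.example>
Subject: Your account has been suspended
Content-Type: text/plain

Your account has been suspended. Verify your account immediately at
http://paypal-billing.example/login to restore access.
"""

# Constructed ordinary message for comparison.
SAMPLE_LEGIT = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Subject: Lunch tomorrow?
Content-Type: text/plain

Want to grab lunch tomorrow at noon?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(score_message(raw, [("Subject", r"suspended|urgent")]))
```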
Two-Factor or Multi-Factor Authentication
Additional authentication for interactions between devices may help prevent spoofing attempts from becoming successful.
Two-factor authentication (2FA) is the use of two methods of authentication. For example, 2FA might prompt a user to enter a code sent to their cell phone via text message when attempting to sign into an email account.
Using 2FA can help enterprises ensure that end-users are who they say they are. However, threat actors increasingly exploit 2FA. They might, for instance, send users an overwhelming number of 2FA requests until the target, worn down, approves one of them.
Multi-factor authentication (MFA) requires users to present at least two but typically more authentication methods. All 2FA is MFA, but not all MFA is 2FA. MFA may be beneficial for organizations or individual users guarding sensitive data, but it can also be cumbersome and interrupt a user’s workflow.
Detection and Prevention Tools
It’s helpful to be on high alert for the signs of spoofing attacks but there are also tools that can provide additional protection.
For example, network analyzers or bandwidth monitors may help detect IP spoofing attacks. Monitoring networks regularly can help identify anomalous or abnormal traffic and behavior. This behavior could signal an IP spoofing attack and may warrant further investigation.
Other spoofing detection and prevention tools include:
- Packet filters: Inspect packets in transit, which can help prevent IP address spoofing attacks by blocking packets with incorrect source address information.
- Antivirus software: Detects and protects endpoint devices against known malicious software signatures.
- Firewalls: Help keep unwanted intruders off networks.
- VPNs: Encrypt data so external parties cannot read it.
- Intrusion detection tools: Monitor activities that don’t align with normal device user behavior.
- Extended endpoint protection platforms: Extended detection and response is the next step in the evolution of Endpoint Detection and Response, a group of tools or capabilities focusing on the detection of suspicious activities on endpoints. For example, the Singularity XDR platform from SentinelOne can track and alert anomalous behavior in real-time. It has all the benefits of a complete solution: deep visibility, automated detection and response, rich integration, and operational simplicity.
Detect and Prevent Spoofing Attacks with SentinelOne
Protecting against spoofing attacks no longer means deploying, integrating, and maintaining multiple cybersecurity tools like the ones listed above. Now, there’s a single platform that can do it all.
Singularity XDR from SentinelOne empowers modern enterprises with greater visibility and the ability to take action swiftly against many threat actors, including spoofers.
With Singularity XDR, organizations can see, protect, and resolve security incidents across every corner of the enterprise. It aggregates event information from multiple different solutions into a single dashboard, so analysts can take advantage of insights and stop attacks in progress before they impact the business.
Unlike other tools, Singularity XDR unifies and extends detection and response capabilities across multiple security layers, from endpoints to identities, networks, the cloud, and apps.
Learn more about how SentinelOne can protect organizations against all types of spoofing attacks in a single platform and request a demo today.