All You Need to Know About Spoofing Scams

All You Need to Know About Spoofing Scams

Modern technology has weaponized scammers in new and dangerous ways. Spoofing, in particular, has become more sophisticated and difficult to spot. Let’s examine spoofing, how it works, and red flags that can alert you to a possible spoofing scam.

What is spoofing? 

Spoofing is the criminal act of disguising a communication from an unknown source to appear as if it’s being sent from a trusted and known contact. The ultimate goal of spoofing is to get the target to share their sensitive information and money with the scammer. For example, a spoofer may pretend to represent a victim’s credit card company and lead them into sharing their account details.

Types of spoofing

Cybercriminals have a variety of ways to pull off their spoofing. Here are the more common forms: 

1. Email spoofing - In email spoofing, an attacker sends an email message appearing to be from a known or trusted source. The emails typically include links to harmful websites or attachments that will infect the victim’s device with malware. Alternatively, the scammer may use social engineering to persuade the recipient to share sensitive information. 
2. IP spoofing - In IP spoofing, an attacker tries to gain access to a system by sending messages via a bogus or spoofed IP address, which appears to be from a recognized, trusted source, such as one on the same internal computer network. The spoofed IP address will mask the actual source, which is a third party that is out to infect the victim’s device with malware and steal their information.
3. Caller ID spoofing - Here, attackers make a phone call to a target that appears to be from a known caller. The scammer will often pose as the victim’s bank or credit union. The victim, believing they are speaking with a financial institution representative, will disclose their account information and even passwords, which can lead to the scammer emptying their accounts and stealing their identity. Sometimes, the scammer will give the victim a phone number to call, allegedly connecting them with their bank or credit union. This number, of course, will only connect the victim to a scammer.


4. Facial spoofing - In this most recent form of spoofing, a scammer uses a photo or video of a target’s face to simulate their facial biometrics. This enables them to unlock accounts that can only be opened via facial recognition.

5. Website spoofing - In website spoofing, a scammer creates a bogus site that looks just like a reputable website that the victim often visits. Attackers lure victims to this site to steal their login credentials and personal information.

6. Text-message spoofing - In this scam, also known as smishing, a victim receives a text message on their personal device appearing to have been sent via a trusted source, such as the victim’s financial institution, place of work, or doctor’s office. The text asks the victim to share personal information. The victim will often do so, mistakenly believing the sender of the text message to be who they claim to be.

7. Man-in-the-Middle (MitM) attacks - There are three players involved in MitM attacks: the victim, the party the victim is attempting to communicate with, and the “man in the middle,” otherwise known as the scammer who intercepts the communications. In these spoofs, the scammer tries to eavesdrop on the interaction between the victim and the other party. Alternatively, they may try impersonating the other party to get the victim’s personal information.

8. Deepfakes and spoofing - Deepfakes is a relatively new and dangerous tool for spoofers. A deepfake is a fake image, video, or audio clip edited to appear authentic. For example, a scammer may create a deepfake video using an image and audio recording of a celebrity, making it seem like they are telling you to open a link or support a specific cause. Scammers use deepfakes to trap victims and appear as if they represent a trusted source.

Protect yourself

Spoofing is a formidable danger for consumers across the economic spectrum, but with the right tools and knowledge, you can avoid falling victim to these scams. Here’s how to protect yourself from a spoofing attack:

  • Turn on your email’s spam filter, and mark incoming emails that look suspicious as spam. 
  • Use two-factor authentication and biometric logins when possible.
  • Use strong, unique passwords across all of your accounts.
  • Ensure your device’s security system is at its strongest setting and uses the most updated patches. If you haven’t already done so, invest in robust security software. 
  • Never click on links or open attachments that are sent from an unverified source. 
  • Never share personal information online or over the phone with an unknown contact.
  • If you’re allegedly contacted by your financial institution and asked to provide your login credentials or account details to fix a supposed issue with your account, don’t respond. Instead, delete the message or abort the call and contact your bank or credit union directly to ask about any possible issues with your account. 
  • Don’t take phone calls at face value, even with caller ID. If you suspect foul play, Google the phone number on the caller ID to see if it’s associated with scams.
  • Consider an app like Hiya that filters out known scammers, spoofers, and other nefarious numbers.  
  • Opt to display file extensions in Windows. This will enable you to view any spoofed extensions to avoid opening malicious files.
  • Identify deepfakes by looking for small details that give them away. Zoom into the image or video to verify if the words and lip movements are in sync. Look for lip color that looks unnatural, unrealistic facial hair, exaggeratedly wrinkled or smooth skin, and non-existent moles. 

Red flags

Look out for these red flags that can alert you to a possible spoofing attack:

  • Websites with a URL that is very similar to the URL of a reputable site
  • Websites riddled with typos, unusual syntax, and spelling errors
  • An alleged bank or credit union rep asks you to call a number not associated with your financial institution.
  • You’re asked to share your login credentials or account number with an unverified contact
  • Familiar corporate branding, such as logos, colors, and call-to-action buttons, are used within a message asking you to take a non-typical action  

If you’ve been targeted

If you believe you’ve shared sensitive information with a scammer through a spoofing attack, there are steps you can take to mitigate the damage. 

First, contact your financial institution to let them know about the attack. You may place a credit alert or a credit freeze on your accounts, making it difficult or impossible for a scammer to take out a loan in your name. If you believe your identity has been stolen, check out to learn what your next step should be. Finally, change the passwords on all your accounts to protect them from further attacks.

Spoofing has become much more dangerous in recent years, but you can avoid getting scammed with proper awareness and basic protective measures. Use the tips outlined here to stay safe.