Spoofing: An introduction

April 30, 2020

A common element of most cyber security scams is that they try to trick victims.

Most people would not willingly give up sensitive information (like personal information or credit card information) or agree to have their devices infected with malicious software. Cyber criminals rely on trickery or threats to get victims to provide that information or access.

One of the most common ways of tricking victims? Spoofing.

What is spoofing

Spoofing is a tactic in which a cyber criminal disguises malicious communication or activity as something from a trusted source. Cyber criminals use spoofing to fool victims into giving up sensitive information or money or downloading malware.

Cyber criminals can spoof email addresses or even websites.

For example, a cyber criminal might create a website that looks like a trusted banking institution by using similar colours, logos, and designs. Cyber criminals hope that you fall for their trick so that you enter (and give up) your personal information.

Cyber criminals frequently use spoofing to carry out phishing attacks.

For example, a scammer may send you an email from an address that resembles that of a colleague, friend or trusted company. At first glance, the email may seem real, but the scammer is hoping that you click on a link, open an attachment, or give up personal information.

Other examples of ways that cyber criminals use spoofing include:

  • A phone call claiming to be from a legitimate company or government agency
  • A text message that looks like it is from a friend or colleague

How to protect yourself against spoofing

Know the signs

Cyber criminals are good at designing messages or websites that look trustworthy. They use the same, or similar, graphics and logos that a trusted company uses. But there are signs that a message or website is spoofed. If you look carefully, you can often notice that something is slightly off. An email address might end with another domain. In other cases, the email address might have one letter missing or added. Check characters carefully. For example, the lowercase letter a could be swapped for the Cyrillic letter α, leading to a spoofed website.
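
The signs described above can also be checked automatically, for example in a mail filter. The following Python code is an added example, not part of the original article; the trusted list, the sample addresses and the function names are constructed for illustration.

```python
import unicodedata

# Constructed allow-list for the example; a real one would hold the
# domains you actually trust.
TRUSTED = {"examplebank.ca"}

def letter_scripts(domain):
    """Scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in a domain."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in domain if ch.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address, trusted=TRUSTED):
    """Label a sender address using the signs described in the article."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "ok"
    if len(letter_scripts(domain)) > 1:
        return "mixed-script"   # e.g. a Cyrillic letter among Latin ones
    if any(edit_distance(domain, t) == 1 for t in trusted):
        return "near-match"     # one letter missing, added or changed
    if any(t in domain for t in trusted):
        return "other-domain"   # trusted name used, but ends elsewhere
    return "unknown"

if __name__ == "__main__":
    samples = [                                   # constructed sample senders
        "alerts@examplebank.ca",
        "alerts@ex\u0430mplebank.ca",             # U+0430 is Cyrillic "a"
        "alerts@examplbank.ca",
        "alerts@examplebank.ca.secure-login.example",
    ]
    for s in samples:
        print(f"{classify(s):13} {s!a}")
```

A result of "unknown" only means that none of these particular signs matched, so the advice to verify through another channel still applies.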

When unsure, verify

If you’re not sure whether you are receiving a legitimate communication, do what you can to verify it. For example, if you get an email claiming to be from your bank, look up the bank’s phone number online and give them a call to verify the message or request.

Use your instinct

Listen to your gut. Most companies put a lot of time and effort into their communications. If something doesn’t quite look right in an email or on a website, it may be spoofed.

Similarly, if you receive a call from someone who claims to be from a government agency, think twice. Before you give up your information, ask yourself if the government would contact you in this way.

In almost all cases, the answer is no. You can always hang up and call back using the contact information from the official website.


We all know, instinctively, that tricking people is wrong. The problem is that knowing when you’re being tricked is sometimes difficult.

By educating yourself on what spoofing is, you can better protect yourself from becoming a victim.

If you are a victim of a spoofed message or website, report it to the Canadian Anti-Fraud Centre and your local police.
