Overview
Cyber criminals try to trick people into giving away personal information, money or access to their accounts and devices. One of the most common methods they use is called spoofing.
What spoofing is
Spoofing is a method where cyber criminals disguise malicious communication or activity as coming from a trusted source. They do this to make their messages, websites, or phone calls look real.
Some common sources cyber criminals use to spoof include:
- email addresses
- websites
- text messages
- social media pages
- phone calls
By using spoofing, cyber criminals are trying to make you:
- share your personal or financial information
- click a harmful link
- download and spread malware
- send money
Examples of spoofing
A cyber criminal can create a website that looks almost the same as your bank’s webpage. The URL might have a small spelling change, but the page design looks familiar. They hope you enter your banking information without noticing their malicious website isn’t legitimate.
Spoofing is often used in phishing attacks. For example, you may get an email that looks like it came from a colleague, friend or trusted company. The message may ask you to click a link, open an attachment or confirm account details.
Other spoofing examples include:
- a phone call claiming to be from a company or government agency
- an email asking you to verify information to keep access or receive a package
How to spot spoofing
Cyber criminals are good at designing messages or websites that look trustworthy. They use the same, or similar, graphics and logos that a trusted company uses. But there are usually signs that a message or website is spoofed.
Common warning signs include:
- a sender you do not recognize
- an email address with extra or misplaced characters (for example, a letter missing or added, case sensitive letters, or uncommon symbols and fonts)
  - to check, hover your cursor over the sender’s name or open the message details to see the full address
- spelling or grammar mistakes
- requests for personal or confidential information
- urgent or threatening language
- unsolicited links, attachments or QR codes
- poor audio quality on a phone call (although technology is making spoofed calls more difficult to recognize)
Emerging examples of spoofing
While there are many signs of spoofing, scams are getting harder to recognize. Some examples that cyber criminals use include:
- AI-generated phishing messages that can be personalized and lack obvious spelling and grammar errors
- AI-generated content and deepfakes used to create visuals and audio that closely impersonate organizations
- fake webpages with mismatched URLs that closely match the legitimate web address (for example, having small misspellings or ending with .co instead of .com)
- unusual payment requests that involve gift cards or cryptocurrency
- QR code phishing through emails or documents to direct victims to malicious sites
- security verification requests asking you to verify login attempts or reset your account through provided links
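The look-alike web addresses described above (small misspellings, or an ending such as .co instead of .com) can also be checked automatically before a link is opened. The following Python code is an added example, not part of the original page; the trusted domains, the function names and the sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains you already know are genuine (assumption).
TRUSTED = ("examplebank.com", "parcel-service.example")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_link(url, trusted=TRUSTED, max_edits=2):
    """Return (verdict, trusted_domain_or_None) for the host in a URL."""
    # urlsplit lower-cases the host and drops any "user@" part and port.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("no-host", None)
    labels = host.split(".")
    for good in trusted:
        # Exact match, or a genuine subdomain such as www.examplebank.com.
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in trusted:
        # Trusted name placed at the front of someone else's domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return ("lookalike", good)
        # Compare the same number of trailing labels as the trusted domain,
        # which catches misspellings and changed endings (.co for .com).
        tail = ".".join(labels[-good.count(".") - 1:])
        if edit_distance(tail, good) <= max_edits:
            return ("lookalike", good)
    if any(label.startswith("xn--") for label in labels):
        return ("lookalike", None)  # punycode: may display as look-alike letters
    return ("unknown", None)
```

A verdict of "unknown" only means the host does not resemble anything on the list, and very short trusted names may need a smaller max_edits to avoid false matches.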
How to protect yourself
Verify the source
Many phishing and spoofing threats are getting more difficult to recognize as technology advances – if you are unsure about an email, message, website or phone call, check whether it is real.
Always reach out to the organization using their official contact channels found using your own search (for example, the organization’s verified webpage).
Do not use links or phone numbers included in the suspicious message, as they could connect you directly to the cyber criminal.
Use your instincts
Most companies put a lot of time and effort into their communications. If something doesn’t quite look right in an email or on a website, it may be spoofed.
Similarly, if you receive a call from someone who claims to be from a government agency, think twice. Before you give up your information, ask yourself if the government would contact you in this way.
In almost all cases, the answer is no. You can always hang up and call back using the contact information from the official website.
If you become a victim
If you think you were tricked by a spoofed message or website:
- report cybercrime and fraud online
- contact your local police
- change any passwords that were compromised
- notify your bank and other connected financial institutions
By knowing the signs and taking time to verify messages, you can lower your risk and protect your information.