Spoofing
Spoofing is a tool to make a scam seem legit. It is the crime of falsifying contact information so that it appears authentic and then using it to mislead people for personal gain.
Spoofing simplified
For example, you may receive a call from a scammer whose caller ID appears as the Social Security Administration or some variant of that name. This makes people more vulnerable and more likely to believe what the scammer is about to say.
The same can be easily done with emails or websites. Domains can be spoofed through subdomains like “https://microsoft.com.office365.ru” (microsoft.com is a subdomain here) vs. “https://microsoft.com/office365” (microsoft.com is a domain here). They can also be falsified through typosquatting (e.g., https://twirtter.com (do not visit) instead of https://twitter.com) or malformed prefixes (http://google.com (do not visit) vs. https://google.com). Spoofing is often used together with other cybercrimes like phishing, ransomware, or malware attacks.
Types of spoofing
Email spoofing
Using a fake email address to perform a cyberattack is considered email spoofing. Hackers often spoof their email addresses to make it look like they belong to a legitimate company. They use fake names and real company logos to make the scam look legit. Using spoofed emails allows them to extract money or information that can later be monetized through various other attacks.
Website spoofing
Website spoofing often happens by manipulating URL links. Website domains can be spoofed through subdomains like “https://microsoft.com.office365.ru” (microsoft.com is the subdomain here) vs. “https://microsoft.com/office365” (microsoft.com is the domain here). They can also be falsified through typosquatting (e.g., https://twirtter.com (do not visit) instead of https://twitter.com) or malformed prefixes (http://google.com (do not visit) vs. https://google.com). Spoofing is often used together with other cybercrimes like phishing, ransomware, or malware attacks.
Caller ID spoofing
Scammers spoof their Caller IDs to make them seem like they’re calling from your local area. They can then pretend to be someone from the police department or another authoritative institution. Often, the attacker will use this technique in an attempt to scare and extort money from their victims.
File spoofing
Hackers often mask malicious files with normal-looking names; this is known as file spoofing. For example, someone might send you a PDF attachment named “Financial statement 12.03”, but it’s actually an empty file with malware inside of it.
Tips to prevent spoofing
Check the domain
Inspect the website’s domain name for typos and misleading brand naming. Hackers often spoof website names to make them appear legit at first glance.
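The domain check described above can be automated. The following is an added example, not code from the original page: it parses a URL without fetching it and flags the three patterns the article names (a trusted name used as a subdomain, a typosquatted lookalike, and a non-HTTPS prefix). The allow-list, function names and the two-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a constructed allow-list of registrable domains you trust.
TRUSTED = ("google.com", "microsoft.com", "twitter.com")

def registrable_domain(host):
    # Simplification: last two labels. Real code should consult the
    # Public Suffix List so names like example.co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance: fewest single-character inserts, deletes, substitutions.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return warnings for url; an empty list means none of the checks fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reg = registrable_domain(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if reg in TRUSTED:
        return warnings
    for trusted in TRUSTED:
        # Trusted name used only as leading labels of someone else's domain.
        if "." + trusted + "." in "." + host + ".":
            warnings.append(f"trusted-name-as-subdomain:{trusted}")
        # Registrable domain within two edits of a trusted one (typosquatting).
        if 0 < edit_distance(reg, trusted) <= 2:
            warnings.append(f"lookalike:{trusted}")
    return warnings

if __name__ == "__main__":
    # URLs taken from the text above; nothing is fetched, only parsed.
    for sample in ("https://microsoft.com.office365.ru", "https://microsoft.com/office365",
                   "https://twirtter.com", "http://google.com"):
        print(sample, check_url(sample) or "ok")
```

An empty result only means these three checks did not fire; it is not proof that a site is genuine.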
Check for masked links
Sometimes the link text shown on your screen hides a different destination underneath. Hover over links to see where they actually lead. If it seems suspicious, don’t click!
Contact authorities
If you get a suspicious call from an agency, hang up and call them on the real number given on their site to see if there’s a problem. If they’re looking for you, they’ll tell you.
Spoofing crime stats
According to the FBI Internet Crime Reports, here's how devastating spoofing attacks were from 2018 to 2022:
Average losses and victim count, year over year
Spoofing attack cases reached record numbers in 2020, with 28.2K yearly victims (around 77 victims per day).
Victims have reported the highest average financial loss to spoofing attacks in 2019 ($11.7K per victim).
During the 2020 COVID-19 pandemic, the number of spoofing cases grew by 9%, but the average financial loss fell by 34% (from $11.7K to $7.7K) per victim compared to 2019.
Despite the increasing awareness of online crimes, daily financial losses to spoofing attacks have grown around two times from 2018 ($191.8K per day) to 2022 ($295.7K per day).