TechTalkTuesday – Spoofing

Welcome to #TechTalkTuesday – where tech terms are defined, explained, and no longer a mystery.

Today's term is spoofing.

Have you heard of the term spoofing? It largely pops up as a part of cybersecurity awareness campaigns. Spoofing is a form of cyberattack that takes place when fraudsters disguise themselves as a trusted person or company so that they can get access to private data or info.

Typically, the primary goal of a spoofing attack is to access personal info, steal products or money, spread malware, or bypass secure network protocols. Fraudsters use spoofing to steal assets and identities.

Do you know how to protect yourself, your identity, and your business against spoofing attacks?

What does spoofing look like?

Spoofing can be used across several communication channels and doesn't necessarily require that the would-be fraudsters have high levels of technical knowledge. That said, to complete a spoofing attack and persuade victims to give up their info, there needs to be a degree of social engineering involved.

A fraudster will use social engineering tactics to play on vulnerabilities that many of us have.

  • A sense of fear
  • Greed and greedy tendencies
  • A sense of naïveté

What might this look like for you? A popular form of social engineering relies on the target's fear for loved ones to get money or info out of them. The fraudster will contact the target pretending to be a close family member who is in trouble and needs money to get home or to get out of a difficult situation. Fraudsters often focus their attention on elderly victims who may not be as tech-savvy as younger potential targets.

Fraudsters may also pretend to be the IRS, a bank, or a business offering a great deal or incentive in exchange for money or personal info.

Spoofing attacks can also take some of the following forms.

  • Caller ID spoofing. The fraudster will manipulate their outgoing caller ID info to reflect false information. For example, they could show the number as being from the IRS, a local business, or even from someone you know. Once the call is answered, the fraudster will try to convince the targeted victim to divulge info that will allow them to steal money or the individual's identity.
  • Email spoofing. The fraudster will send emails that appear to be from a legitimate source, such as a bank or a social media platform. The intent will be to steal your login credentials, ask for money, or infect your device with malware.
  • Website spoofing. A fraudster will attempt to create a phony website that looks like a legitimate site, using the same logos and colors as perhaps your bank or your mobile phone carrier. These websites may appear to be the real deal if you aren't paying close attention. They are designed to encourage you to log into the site and give away your login credentials.
  • SMS spoofing. A fraudster may send an SMS or text message that appears to be from someone you know or from a legitimate business. The messages will often include a link to a phishing website or a malware download that can potentially infect your device.

There are other spoofing methods, some of which are very sophisticated and difficult to detect.

Protecting yourself against spoofing attacks

Fraudsters aren't going to slow down their attempts to scam people. That means it's up to you to protect yourself as much as you can.

  • Pay close attention to the email address if you're not sure whether an email is legitimate or not. Fraudsters often create email addresses that look very close to the real thing. If the sender's email address appears to be correct, but the content of the email is raising a red flag for you, simply reach out to the sender directly.
  • Take care when opening attachments, even if you believe the message is coming from someone you know. When in doubt, simply don't open it up.
  • Be on the lookout for poor grammar and other small errors that a large company is unlikely to let through in an email.
  • Verify the website's address is secured before you enter your login credentials. Secured websites will begin with https:// rather than http://, and you can also look for a small lock symbol on the address bar. If a site doesn't appear to be secured, this is not an automatic sign that it's a spoofed site. The lock shows that the connection is encrypted, not that the site is genuine, so check the domain name as well.
  • Ensure that your virus scanning software is up-to-date. These valuable cybersecurity tools can be an excellent first step to help protect yourself and your devices.
  • Don't volunteer your personal information unless you are confident that it's a trusted individual on the other end of the phone or communication.
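
The email-address and website-address checks from the list above can be partly automated. The following Python sketch is an added example, not part of the original post: it compares a sender's domain or a link's host against a short list of domains you already trust and flags near-miss spellings. The domains, the sample messages, and the 0.85 similarity threshold are all constructed assumptions.

```python
import difflib
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list; replace with the domains you really deal with.
TRUSTED = {"bank.example.com", "carrier.example.net"}

def classify_domain(domain, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a mail or web domain."""
    domain = domain.lower().rstrip(".")
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Trusted name buried inside another domain,
        # e.g. bank.example.com.verify.test
        if t in domain:
            return "lookalike"
        # Near-miss spelling, e.g. a digit 1 in place of the letter l.
        # The 0.85 threshold is an assumed heuristic, not a standard value.
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return "lookalike"
    return "unknown"

def classify_sender(from_header):
    """Judge the address itself; the display name is free text."""
    _, address = parseaddr(from_header)
    return classify_domain(address.rpartition("@")[2])

def check_url(url):
    """Return (uses_https, domain_verdict) for a link."""
    parts = urlsplit(url)
    return parts.scheme == "https", classify_domain(parts.hostname or "")

if __name__ == "__main__":
    # Constructed samples.
    for sender in ("Example Bank <alerts@bank.examp1e.com>",
                   "alerts@mail.bank.example.com"):
        print(sender, "->", classify_sender(sender))
    for url in ("https://bank.example.com.verify.test/login",
                "http://bank.example.com/login"):
        print(url, "->", check_url(url))
```

A link can use HTTPS and still come back as a lookalike, and a trusted domain can come back without HTTPS, so the two results are worth reading together.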

Be sure to have healthy password practices. For example, don't reuse passwords across websites and apps, as convenient as this may be. Also, choose passwords that exclude the names of your spouse, children, pets, and even your favorite sports team.

Spoofing is likely to be a concern for each of us for the foreseeable future. However, with increased awareness, we can do our part to help protect ourselves