Spoofing is the practice of a cybercriminal impersonating a trusted entity or device in order to persuade you to do something beneficial to them and harmful to you. Whenever an Internet fraudster disguises their real identity as something else, that is spoofing. Want to know more about this? Then read our in-depth guide explaining everything about this topic.

Ben Grindlow

Ben Grindlow is the founder of ProXPN, a company that provides reviews about VPN products and services. Ben's interest in cybersecurity and privacy led him to start ProXPN, which has become one of the most well-respected VPN providers in the world. Ben is passionate about his work, and he is constantly exploring new ways to improve ProXPN's in-depth guides.

Last updated: 10:10AM 7/5/2022


The news is full of stories about criminals who steal money or data using the internet. Such criminals use any tool they can find to accomplish their aims, and spoofing is a popular tool to trick you into giving up the information they want.

This article will teach you more about spoofing. The topics we will cover include:

  • A definition of spoofing
  • The different types of spoofing
  • Recognizing spoofing attempts
  • How to protect from spoofing attacks

Nobody wants to be the victim of a crime, whether online or in real life. Keep reading to learn how to avoid being a victim of spoofing attacks.

What is spoofing?

Spoofing refers to imitation — imitation of a telephone number, an email address, a legitimate website, or a customer service department. The types of spoofing don't stop there. There is also global positioning system or GPS spoofing, domain name system or DNS spoofing, address resolution protocol or ARP spoofing, and internet protocol or IP address spoofing.

If a technology exists, someone out there will probably try to exploit it, possibly using spoofing.

The idea is that something or someone pretends to be something or someone else. Often the spoofing attack involves a person who assumes a false identity online or pretends to be from a particular organization, only to lure you onto a malicious or fraudulent website.

The goal of spoofing attacks

Why would someone do this? They do it to take your money, steal sensitive data, spread malware or gain access to something they have no business accessing.

Spoofing attacks are a form of cybercrime and a growing problem throughout the world. Once you finish this article, you will be better prepared to detect spoofing.

4 examples of spoofing attacks

To help you recognize a spoofing attack, here are some common scenarios.

  1. You might get a call from the helpdesk of a large company saying that there are problems with your account or your computer. Don't believe it.
  2. An email that looks like it is from your credit card company may come in stating that your account has been temporarily blocked and you need to reactivate your card. It's a scam.
  3. You could visit a website that looks exactly like your bank's website but is completely counterfeited by the scammer. Be suspicious.
  4. You may receive a WhatsApp message that supposedly came from your son or daughter. Then they ask you to send them money quickly for some reason. Check it out before you respond.

What types of spoofing are there?

There are several types of spoofing used by scammers. Be alert to spoofing techniques like the ones below. Never be tricked into providing personal and private information.

Phone spoofing

In phone spoofing, the scammer illicitly uses the phone number of your bank or another organization. It then seems as if you are really being called by an employee of your bank or the customer service of a company.

Even if you have caller ID, there is such a thing as caller ID spoofing. Beware of spam calls like these.

The reason behind phone spoofing attacks

The scammer doing the phone spoofing will often try to convince you to:

  • Do something to secure your money
  • Provide your login credentials
  • Transfer money somewhere
  • Send them something, or receive a package for them
  • Install malware or some kind of app
  • Tell them your PIN or give them access to your computer

Don't fall for it. Contact your bank or the company independently to report this.

WhatsApp spoofing

In WhatsApp spoofing, you receive a message from an unknown number. In this kind of spoofing attack, the person may pose as a son, daughter or other close relative.

Often some version of the following script will be followed.

“Hi, Mom and Dad. I have a new number because I lost my phone. Please add my new number.”

Their next step is to try to get money from you. The scammer invents an excuse that makes it seem your relative has to pay some expensive bills urgently.

SMS spoofing

With text message or SMS spoofing, you are often approached by a company or organization and urged to take action immediately for some invented reason.

For example, your telephone provider might say that you missed a payment and ask you to pay the bill using a payment link. They say that if you don't pay, your phone and internet connection will be cut off.

Have you ever received an SMS like the above? Never respond to such messages. In particular, do not click on any links. It may be an SMS spoofing attack.

Email spoofing

Email spoofing has been occurring for years. What is email spoofing? Email spoofing is when a message is sent from an email address that is not actually the sender's email. You might receive an email from a familiar company's customer service department, for instance, and the sender's address looks plausible even if it is not the exact email address.

The mail actually came from an unknown sender who is trying to scam you. This is an email spoofing attack, and your spam filter will not necessarily screen out spoofed emails.
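The check described above can be made on the raw message headers. The following is an added example, not part of the original article: it compares the visible From address with the envelope sender and Reply-To, reads the SPF/DKIM/DMARC verdicts recorded by the receiving server, and extracts the connecting IP address. The sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); example.* domains are reserved.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.45])
 by mx.recipient.example with ESMTP; Tue, 5 Jul 2022 10:10:00 +0000
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-example.example.org
Subject: Your card has been blocked

Please reactivate your card.
"""

def domain(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def sender_findings(raw):
    """Return (list of warning strings, connecting IP or None)."""
    msg = message_from_string(raw)
    frm = domain(msg["From"])
    findings = []
    # The visible From and the envelope sender (Return-Path) are set separately.
    if domain(msg["Return-Path"]) not in ("", frm):
        findings.append("return-path domain differs from From")
    if msg["Reply-To"] and domain(msg["Reply-To"]) != frm:
        findings.append("reply-to domain differs from From")
    # Verdicts recorded by the receiving server; trust only your own server's header.
    auth = " ".join((msg["Authentication-Results"] or "").split())
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{mech}={result}")
    if not auth:
        findings.append("no Authentication-Results header")
    # Connecting IP as logged in the topmost Received header.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return findings, (m.group(1) if m else None)
```

A Return-Path mismatch on its own is common with legitimate mailing services; a DMARC failure for the From domain is the stronger signal.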

Website Spoofing

An example of website spoofing is when the website of a familiar place, like your bank or lender, is copied and duplicated to try to look legitimate. Often you click on a plausible-looking link in an email only to end up on a spoofed website.

Usually, the URL in the address bar for a spoofed website is almost the same as the actual URL, but a character or two in the address is different. The spoofed website's address may also end in a different version of the actual .com, .org, or .net. When you visit the spoofed website, you are often asked to enter sensitive information.

IP spoofing

Criminals may try to gain access to a target network by taking over an IP address from another person: this is IP address spoofing. Another malicious reason for using the IP spoofing technique is to perform DDoS (distributed denial of service) attacks.

Learn to recognize spoofing

Being alert to spoofing attacks starts with thinking critically about all the calls and messages you receive via the internet. There are a lot of them, of course, so being automatically wary is an especially good idea with anything involving money, credit, personal information, your device's manufacturer, or branches of the government that people commonly interact with (such as tax agencies). Spoofers will often try to trick you into revealing information that you would never give a stranger.

Spoofing attacks often use what is known as 'social engineering', which is a fancy way of saying that spoofers take advantage of predictable human habits, desires and responses.

Times to be extra alert

Extra caution is needed if one of these organizations contacts you:

  • Your bank or insurer
  • Your credit card provider
  • Your telephone provider
  • A computer company
  • A government agency

These organizations should never unexpectedly ask you to make a payment, do banking, or provide sensitive information. Call the number you usually use for your bank, or look up the real telephone number, and ask if the organization really needs this information.

Suspicious situations

Spoofing often involves a situation where the scammer makes you think you need to act quickly. They try to create pressure on you by using the 'social engineering' mentioned above.

The following are familiar cases of spoofing:

  • You are informed of an urgent request to transfer money because you allegedly have an insufficient balance or overdue payments.
  • Active fraudsters may make unauthorized payments from your bank account.
  • You get a notice that an organization detected suspicious attempts to access your account.
  • You learn that your account or credit card has been blocked or declined.
  • You see suspicious payments or withdrawals in your account.

What to do

What should you do if you are not sure if it's spoofing, phishing or an actual problem you need to handle?

Contact the organization independently by looking up the phone number on the organization's website. Find a reliable website and phone number using Google Maps or on the organization's official website.

Ways to fight spoofing

Many of us will not be able to avoid criminals completely forever or thwart all their attempts to take advantage of us. With proper precautions you can, however, prevent yourself from becoming a victim of spoofing most of the time.

To protect yourself from spoofing, follow these three steps:

1. Examine the sender, maybe even the IP address, of an email

You have probably heard of the “Nigerian prince” scam, but there are new approaches created every day to trap the unwary. Criminals out there are always trying to gain access to private information.

Caution is key

Thoughtlessly looking at email or the web while distracted by a conversation, meeting or film is a dangerous activity. Always pay close attention to the sender and content of an email, website or message. Protect yourself by taking the time to follow these steps:

  • Identify the sender of the message by looking closely at the phone number or exact email address. Does the email sender address look a little 'off'?
  • Look at the URL of the website. Does it look right, or does it seem unrelated?
  • Never carelessly click on links.
  • Do not open attachments you weren't expecting.
  • Keep an eye out for spelling mistakes (often seen abundantly in spoofing).
  • Notice whether the “branding” or design of the message or website looks different.
  • Consider whether the content of the message or the site describes a realistic situation.

Move your cursor over the link without clicking the link to see where it will actually go. If it doesn't look like your organization's website URL, avoid it.
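The URL checks above, and the near-identical addresses described under Website Spoofing, can be automated. The following is an added example, not part of the original article: it extracts the real host from a link and compares it with a list of sites you actually use, flagging a changed character or two, a swapped ending, or a trusted name embedded in someone else's domain. The trusted list, the sample URLs and the function names are placeholders constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own list of sites they really use (placeholder names).
TRUSTED = {"mybank.example", "cardprovider.example"}

def edit_distance(a, b):
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, trusted=TRUSTED):
    """Return (verdict, trusted domain the host matches or imitates, or None)."""
    # hostname ignores any 'user@' part, so 'https://mybank.example@other.test/'
    # is judged by its real host, other.test.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in sorted(trusted):
        name, _, tld = good.rpartition(".")
        # Same name under another ending, e.g. .example swapped for .test
        if host.rpartition(".")[0] == name and not host.endswith("." + tld):
            return "lookalike: different ending", good
        # One or two characters changed, added or dropped
        if 0 < edit_distance(host, good) <= 2:
            return "lookalike: near-identical spelling", good
        # Real name used as a mere prefix of someone else's domain
        if host.startswith(good + ".") or good.replace(".", "-") in host:
            return "lookalike: trusted name embedded", good
    return "unknown", None
```

A verdict of "unknown" only means the host resembles nothing on your list; it says nothing about whether the site is safe.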

2. Don't respond

Be careful if you are unexpectedly asked to make a payment via email, telephone, or WhatsApp message. Ignore and delete the message immediately, or end the call.

Caution is always warranted if the sender or person on the phone asks you to share or enter sensitive information such as PINs, usernames, passwords or secret codes. There are few legitimate reasons someone would ask you to provide personal data. Most of these requests are attempts to gain unauthorized access.

Be extra alert when asked for personal information or proof of your identity. Never just assume that you are dealing with the right organization: verify it first.

A rule of thumb

When an organization calls you about something important, stop and consider the chance it might be a spam call. You can ask for the name of the employee, hang up, and call back using the organization's main telephone number. Look up the number yourself on the organization's official website.

3. Learn to surf safely

Safer behavior while online is the best way to protect yourself from becoming a victim of spoofing. Best practices for online behavior include using different passwords and installing updates promptly.

Safe surfing

Starting now, be sure you practice safe surfing by:

  • Using common sense and carefully adjusting your online behavior
  • Making sure you have a secure home network (perhaps using a VPN)
  • Keeping all devices (computer, phone, tablet, etc.) up to date
  • Adjusting the settings on your browser carefully
  • Installing a good antivirus program on all devices
  • Using different strong passwords for each account
  • Installing a reputable password manager on your device

Frequently asked questions

A successful spoofing assault might result in the theft of personal or corporate information, credential harvesting for use in future assaults, the transmission of malware, unlawful network access, or bypassing security measures.

The most frequent goal of spoofing is to obtain personal information, steal money, circumvent network access controls, or distribute malware through infected attachments or links. Scammers will try to use spoofing in every form of online communication to acquire your identity and assets.

Spam calls, as well as spoofing assaults, can be reduced with the help of antivirus software. Many security solutions are available to help you avoid impersonation attacks. A spam filter will keep the majority of phishing emails off your screen. Some businesses and even some network carriers utilize similar programs to prevent unwanted telephone calls from reaching users'

What is spoofing, and when is it illegal? Anyone who transmits deceptive or incorrect caller ID information with the aim of defrauding, causing harm, or unjustly obtaining anything of value is breaking the Truth in the Caller ID Act. Anyone who unlawfully spoofs may be fined up to $10,000 for each infraction under FCC regulations.

Boiled down: Impersonation aims to gain access to sensitive information by telling the customer to provide it right away; spoofing is used to steal or transform an identity in order for harmful behavior to occur.
