Have you received an email or phone call from a seemingly legitimate organization only to later discover that it was all a farce? Scammers dedicate their time to trick consumers to gain access to your personal information through fake websites or malware spread through infected attachments or malicious links. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.
What is Spoofing
Spoofing is a cyberattack that occurs when a scammer is disguised as a trusted source in an attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware. Spoofing can happen through websites, emails, phone calls, texts, IP addresses and servers.
How Scammers Lure Victims
Oftentimes, just seeing the name of a trusted organization is enough to get consumers to give up information or take some kind of action. For example, a spoofed email from your bank might inquire about transactions you never made. Concerned about your account, you might be motivated to click the included link. From that malicious link, scammers will send you to a malware download or a fake login page—complete with a familiar logo, website and spoofed URL—for the purpose of obtaining your username and password.
There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on the actions of their victims.
Types of Spoofing
Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent—down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. A spoofed website will generally be used in conjunction with an email spoof, in which the email will link to the website.
Call spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn't. Scammers have learned that you're more likely to answer the phone if the caller ID shows an area code near your own or from a business you recognize. In some cases, scammers will even spoof the first few digits of your phone number in addition to the area code to create the impression that the call is originating from your neighborhood.
Email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. But a spoofed email address isn't always enough to fool the average person. Imagine getting a phishing email with what looks like a Facebook address in the sender field, but the body of the email is written in basic text with no design —not even a logo. That's not something we're accustomed to receiving from Facebook, and it should raise some red flags. Accordingly, phishing emails will typically include a combination of deceptive features including false sender addresses designed to look like it's from someone you know and trust, familiar branding, typos and unusual sentence constructions.
How to Stay Safe and Prevent Becoming a Victim
Stay safe by being alert and aware of what not to do when you suspect a spoofing attack.
Don't click on links or open attachments in emails if the email is coming from an unknown sender. If there's a chance the email is legitimate, contact the sender through some other channel and confirm the contents of the email.
Log in through a separate tab or window. If you get a suspicious email or text message, requesting that you log in to your account and take some kind of action, like verifying your information, don't click the provided link. Instead, open another tab or window and navigate to the site directly. Alternatively, log in through the dedicated app on your phone or tablet.
Call directly. If you've received a suspicious email or phone call, from someone you know or an organization you trust, don't be afraid to call them directly and confirm that they, indeed, sent the email or called you. This advice is especially true if you received out-of-character requests.
Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
Report suspected theft. If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.
Learn more about saying safe from potential scams by visiting https://www.consumer.ftc.gov