What is Spoofing and How Does it Work?
Chances are that you’ve been the victim of a spoofing attempt by now. Spoofing is a type of cyberattack where someone pretends to be a trusted source so they can gain access to your personal information. In this article, you’ll learn what spoofing is, and more importantly, what you can do to keep your personal information safe.
What is Spoofing?
Spoofing is when criminals pose as a trusted source in an attempt to gain access to your personal information. The goal is usually to steal your money, although sometimes they just want to spread malware via infected links or attachments. Either way, spoofing is extremely expensive, both to individuals and to corporations.
A successful cyberattack can lead to identity theft, infected computer systems and networks, data breaches or (if you’re a company) loss of revenue.
Types of Spoofing
Cybercriminals are getting increasingly sophisticated, targeting you through social media, emails, mobile apps and phone calls.
Email Spoofing
You’ve probably received several of these emails already. They are designed to look like an email from a trusted company, such as Amazon or Netflix. The emails claim there’s a problem with your account or that your password has been compromised, and they include a link you can click to access your account. Of course, the email is not actually from these companies, and if you follow the link and enter your details, cybercriminals now have your information. This is also known as phishing, and it’s very popular among scammers because it’s easy and it works. Even if just a tiny percentage of the people scammers target actually click on the link, it’s worth it to them.
Certain companies are phished more often than others, with the most often impersonated companies being:
- Publishers Clearing House
Anytime you get an email from any of these companies, be suspicious. It could be legitimate, but it could be phishing. Do not click on the link in the email! Instead, search for the company in a web browser and go to its website to check whether the message is really from them. You can right-click and copy the hyperlink found in the email and paste it in a text document to see if it matches the website that shows up in search results. You can also check whether the hyperlink starts with HTTPS, which means the connection to the server is encrypted and secure. Another way to check is to enter the URL into Google’s Transparency Reporting tool.
These emails prey on emotions like fear or greed. Such manipulation of your emotions to give up your personal information is called social engineering.
Some common phishing examples last year included:
- Your account has been compromised and will be deactivated unless you click on this link and confirm your account details.
- Your account has temporarily been suspended (Click here to verify your account).
- Receive $10 off your next purchase when you click here. Some of these are actually legitimate, so it’s best to write down whatever coupon code they give you and type it in on the company’s own website.
- Your order is confirmed. $312 will be withdrawn from your account when your order ships.
Did you know your credit card information sells for somewhere between $12 and $20 on the dark web? Terrifying, isn’t it?
Caller ID Spoofing
Caller ID spoofing is when a caller falsifies the information transmitted through caller ID. This can make it look like the call comes from a reputable company or even a government agency. Scammers know you’re more likely to answer a call that comes from the same area code you live in, because you think it’s from someone you know, so replicating your area code is a favorite tactic.
Website Spoofing
Website spoofing is when a scammer sets up a website to mimic a trusted website, such as Amazon or PayPal. Often, you can be led to such sites by clicking the link sent in a phishing email.
ARP Spoofing
ARP stands for Address Resolution Protocol. ARP spoofing is when hackers intercept information between two devices in the same Local Area Network (LAN). Basically, it lets hackers impersonate your PC and steal all of your traffic. This is a type of man-in-the-middle attack, where someone intercepts communication between two parties in order to either use or manipulate the information.
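ARP spoofing leaves a visible trace on the affected computer: the same hardware (MAC) address suddenly answers for more than one IP address, usually including the router. The following Python sketch is an added example, not part of the original article. It reads neighbor-table text in the format printed by the Linux `ip neigh show` command and reports when the gateway's MAC address has changed from a known-good value or is shared with another host. The addresses and the sample table are constructed.

```python
import re
from collections import defaultdict

# One line of `ip neigh show`: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\b",
    re.IGNORECASE,
)

def parse_neighbors(text):
    """Return (ip, mac) pairs; entries without a MAC (FAILED etc.) are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m["ip"], m["mac"].lower()))
    return pairs

def find_shared_macs(pairs):
    """Map each MAC that answers for more than one IP to its sorted IP list."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_alerts(text, gateway_ip, known_gateway_mac=None):
    """List reasons to suspect that the gateway entry has been spoofed."""
    pairs = parse_neighbors(text)
    current = dict(pairs).get(gateway_ip)
    alerts = []
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} moved from "
                      f"{known_gateway_mac.lower()} to {current}")
    # A shared MAC can be legitimate (e.g. a router with several addresses),
    # so only entries that involve the gateway are reported here.
    for mac, ips in find_shared_macs(pairs).items():
        if gateway_ip in ips:
            others = ", ".join(ip for ip in ips if ip != gateway_ip)
            alerts.append(f"{mac} answers for gateway {gateway_ip} and {others}")
    return alerts

# Constructed sample: 192.168.1.23 is also claiming to be the router.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.23 dev eth0 lladdr 02:00:00:aa:bb:01 STALE
192.168.1.40 dev eth0 lladdr 02:00:00:cc:dd:40 REACHABLE
192.168.1.7 dev eth0  FAILED
"""
```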
How to Protect Yourself From Spoofing
Now that you know what spoofing is, how can you protect yourself against it?
Email Spoofing Protection
- Check suspicious emails for typos and language that seems slightly off or uses poor grammar.
- Don’t click on any links sent via email. If you have questions, go to the company’s website and see if there are any problems with your account (odds are, there won’t be).
- Don’t open any attachments from someone you don’t know.
- Check the sender’s address: if it seems weird or has a string of unrelated numbers and letters, it could be a scam.
Caller ID Spoofing Protection
- Don’t answer calls if you don’t recognize the number. If it’s a legit call, they’ll leave a message and you can call back.
- If you do pick up, don’t give out any personal information. If you don’t recognize the person, just hang up.
- If they say they are from the IRS, the social security administration, or the FBI, tell them you’ll call back. Then look up the number of the government agency and call them directly. The odds are they are not from any government agency. If they’re legit, they’ll understand.
Cell phone security is getting better at blocking spam calls, but hackers are always one step ahead. Protect yourself.
Website Spoofing Protection
- Check the address. Legitimate companies usually use HTTPS because it’s encrypted, whereas scammers usually use HTTP because it’s not.
- Change your passwords. Don’t use the same password for multiple websites.
- Use multi-factor authentication.
- Use anti-virus and anti-malware software on your computer. Set it so that it updates automatically.