Spoofing is when a cybercriminal disguises themself as another person, business, or entity in order to commit malicious acts.

Cybercriminals use a range of tactics to spoof their identity. Spoofing cyber attacks can range from the less technical with spoofed email addresses, websites, or phone numbers to more advanced spoofing tactics including spoofed IP addresses, Domain Name Servers (DNS), or Address Resolution Protocol (ARP).

Regardless of the tactic used, the ultimate goal of spoofing is to steal from and damage victims. Using savvy social engineering tactics, cybercriminals use spoofed email addresses, websites, and phone numbers to trick victims into providing confidential information, downloading attachments, or into clicking links that install malware.

Like most cyber attacks, spoofing relies on social engineering to be successful. Cybercriminals choose to spoof email addresses, websites, and other online entities that most people are familiar with. This reduces the level of doubt and suspicion, making it possible to take advantage of the human nature of trust.

What Are The Different Types Of Spoofing?

Email Spoofing

Email spoofing happens when the cybercriminal uses a fake email address to commit a cybercrime. Depending on the email spoofing tactic, the criminal may spoof the email address, email sender name or both. Additionally, the cybercriminal can assume multiple identities, that of the sender, the company, or both.

For example, the sender’s name is [email protected] but Joan Smith does not work for XYZ Widgets. The recipient works at XYZ Widgets, a large multinational company and does not know that Joan is not an actual person. The recipient trusts the email since it uses the company logo and asks her to do legitimate work-related tasks.

Similar to phishing, the spoofed email uses urgent and convincing language to spur the recipient into immediate action. This sense of urgency does a couple of things – it limits the chance for hesitation and questioning and it convinces the recipient that they are helping and doing the right thing.

Caller ID Spoofing

Caller ID spoofing is a common tactic that uses a phone number that appears to come from your area code. We are all more likely to answer a call when we see it is a local number.

When their call is answered, cybercriminals use social engineering tactics to keep people on the phone and to trick them into acting. The cybercriminal may pretend be a police officer and because the caller ID looks real, the victim is convinced to pay fines that don’t exist, to provide confidential information, etc. all under the threat of being arrested.

Some cybercriminals go so far as telling the victim to call them back on the number if they don’t trust them. This advanced social engineering technique strengthens the relationship and gives a sense of legitimacy to the call.

Website Spoofing

Website spoofing uses a fake website that looks legitimate. A spoofed website looks exactly like the real website – the logo, branding, colors, layout, domain name, and contact details are all the same. Without very close inspection of the domain name or looking for small flaws in the text, it’s very difficult to identify a spoofed website.

Cybercriminals use spoofed websites for a range of reasons including collecting login details, stealing credit card information, installing malware, or another malicious act. Often the victim receives a spoofed email first that directs them to the spoofed website.

Text Messaging Spoofing

Text messaging spoofing uses a spoofed phone number to send malicious text messages. The cybercriminal hides behind the phone number, sender name, or both. This type of spoofing relies on advanced research to understand what types of text messages the recipient is likely to receive and respond to.

The text message may include a phone number for the recipient to call or a link to a malicious website that is then used to commit additional cybercrimes. The text message uses social engineering tactics to convince the recipient to respond quickly.

GPS Spoofing

GPS spoofing sends a fake GPS signal to a GPS receiver which then causes all GPS devices in the area to show an incorrect location. Cybercriminals use GPS spoofing to gain control of vehicles, boats, drones, and anyone relying on a navigation system. GPS spoofing is an advanced tactic that can be used to hijack drones or ships and to interfere with military navigation systems.

IP Address Spoofing

IP address spoofing hides the true identity and location of the computer or mobile device used by the cybercriminal. Cybercriminals might spoof an IP address for a network that uses IP address authentication, making it easy for them to gain access to the network.

Typically, IP address spoofing is used to commit a denial-of-service attack, thereby overwhelming the network with traffic and ultimately shutting it down. In other scenarios, the cybercriminal simply wants to hide their location from the recipient, this approach can be used with email spoofing or website spoofing to add more legitimacy to the attack.

ARP Spoofing

Address Resolution Protocol or ARP spoofing is an advanced and technical cyber attack that connects the cybercriminal’s Media Access Control (MAC) address to a real IP address. This allows the cybercriminal to intercept and steal data that is intended for the owner of the IP address. ARP spoofing is typically used to steal data, to commit man-in-the-middle attacks, as part of a denial-of-service attack, or during session hijacking.

DNS Spoofing

Doman Name Server or DNS spoofing makes it possible for cybercriminals to redirect traffic from the intended legitimate IP address to a faked IP address. Cybercriminals may use this spoofing tactic to direct victims to websites that install malware.

Extension Spoofing

Extension spoofing disguises the file type, making it easier to convince people to download and install attachments. Cybercriminals know that people have been warned against installing executables. The cybercriminal may disguise a malware executable with a spoofed extension such as doc.exe. The file displays in the email as newfile.doc, and the recipient does not think twice about downloading and installing it.

Facial Spoofing

Facial spoofing is a new type of spoofing that relies on facial recognition software to unlock devices or access a secure building. This type of spoofing is relatively rare but with advances in facial recognition technology and more companies using facial recognition as part of their security system, the risks with facial spoofing will grow. A cybercriminal can use pictures found on social media to build a likeness of an individual and then use this to unlock any security system that uses facial recognition.

How Does Spoofing Happen?

Spoofing happens when cybercriminals take advantage of weaknesses in technology or its implementation. If successful, they trick people into believing that the faked email, website, phone call, text message, or other approach is real. To be successful, cybercriminals rely on savvy social engineering tactics to convince victims that they are safe and making smart decisions. Cybercriminals rely on human behaviors including trust, wanting to help, not reading carefully, and not paying attention to details. This is why it’s so important that security awareness programs put a priority on reducing the human risk.


Website Spoofing Clues

  • If the padlock is missing from the website address bar, the website is not secure and is likely spoofed.
  • The URL uses http and not https. Do not trust websites that do not use the https encryption prefix.
  • Many websites autofill your username and password. To protect against automatically logging into a spoofed website, use a password manager to store your login details. If the password manager does not recognize the website, it will not autofill your login details.
  • Spelling errors, broken links, suspicious contact us information, missing social media badges, can all be indicators that the website has been spoofed.
  • Website addresses that contain the name of the spoofed domain, but are not the official domain.

Email Spoofing Clues

  • Spelling errors or an incorrect domain name in the sender’s email address indicate a spoofed email.
  • Email language that urges you to act quickly, to transfer money, or to provide confidential information.
  • Embedded links that have URLs you don’t recognize. Hover your mouse or highlight the URL before clicking to double-check the legitimacy.
  • Spelling errors, poor grammar, and unfamiliar language can be indicators the email is a spoof.
  • Attachments and an email message that urges you to download the attachment. Verify the attachment does not have a hidden EXE extension.
Asset 5

Caller ID or Text Message Spoofing Clues

  • If the phone number displays without brackets () or dashes -. For example, 4567893543.
  • The caller ID is your own phone number or looks very similar.
  • The phone number or caller’s name are hidden.

It is a bit more complicated to identify APR spoofing, IP address spoofing, and DNS spoofing. Talk to your IT team about what you need to be aware of for these advanced technical spoofing tactics.

How To Prevent Spoofing

1. Implement technical controls and procedures to protect against email, website, IP and DNS spoofing.

2. Put a focus on educating your team about social engineering. Educate your team on how social engineering happens. Use real-world scenarios and training to show how easy it is to be tricked by social engineering.

3. Take advantage of security awareness programs that use flexible learning models to teach adults. Ensure that all training is engaging, relevant, and uses real-world scenarios.

4. Remind employees of the risks that arrive in their inbox. Use simulations, email newsletters, communication campaigns, and cyber heroes to keep communication about spoofing and cyber security ongoing.

5. Ensure that all applications, operating systems, browsers, network tools, and internal software are up to date and secure. Install malware protection and anti-spam software.

6. Provide regular and consistent security awareness training campaigns that remind people of the risks associated with providing confidential information, passwords, corporate data, and credit card details online.

7. Educate your team about spoofing. Use simulation software and training that includes real-life examples of spoofing attacks.

8. Regularly monitor employee awareness levels of spoofing, social engineering, and other cyber threats with simulations.

9. Create a corporate culture that encourages behavior change. Create a work environment that gives employees the time and resources required to develop cyber security awareness.

10. Be proactive in creating a cyber aware culture. Read The Human Fix to Human Risk to learn step-by-step guidelines on how to develop an effective security awareness program that stimulates behavior change.


Benchmark Report 2020


Download your complimentary report to find out.

While spoofing and phishing are different types of cyber attacks, phishing often relies on spoofing to be successful.

Phishing simulations are an ideal way to measure employee awareness of social engineering and the risks that come through the inbox.

Phishing simulation allows you to incorporate cyber security awareness training into your organization using an interactive and informative format.

People see how savvy language is used in emails to steal confidential information and corporate data. Real-time phishing simulations are an ideal way to reinforce the indicators of email spoofing and other spoofing tactics.

Phishing simulations give you 10 key ways to protect your employees from spoofing attacks

1. Reduces the cyber threat risk level.

2. Increases awareness and alertness of social engineering and spoofing risk.

3. Measures the degrees of corporate and employee vulnerability.

4. Fosters a cyber security aware culture and develops internal cyber heroes.

5. Changes human behavior to  help avoid the automatic trust response.

6. Reinforces security awareness training messages.

7. Creates upper management buy-in on the need for ongoing security awareness training and campaigns.

8. Keeps employees vigilant to spoofing, phishing, and social engineering attacks.

9. Meets industry compliance obligations.

10. Assesses the performance of cyber security awareness training.

Social Engineering

Spoofing is a key component of a successful social engineering attack. Cybercriminals use strategic social engineering techniques to convince victims to click links, download attachments, fill-out web forms, and respond to text messages.

Social engineering success requires only one thing – trust. It’s critical that your employees understand how social engineering works. Give your employees the training and simulations that makes it possible for them to change their behavior.


Spoofing is often used as part of a larger cyber attack. The cybercriminal may use email spoofing to direct a victim to a spoofed website that then installs ransomware on the victim’s computer.

To learn more about spoofing and how to keep your organization cyber secure, take advantage of these free resources:

Contact us at 1-866-889-5806 or at [email protected] to learn more about spoofing.

Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.