WHAT IS SPOOFING?
Spoofing is when a cyber criminal disguises themself as an individual, business, or entity to commit malicious acts.
Cyber criminals utilize various tactics to spoof their identity, ranging from spoofed email addresses, websites, or phone numbers to more advanced strategies like fraudulent IP addresses, Domain Name Servers (DNS), or Address Resolution Protocol (ARP).
Regardless of the tactics used, the goal of a spoofing scam is to steal from victims and damage their reputations.
Cyber criminals leverage common social engineering maneuvers and employ fake email addresses, websites, or phone numbers to trick victims into divulging confidential information, downloading attachments, or clicking links that install malware.
Scammers ease the average victim's suspicion by relying on entities most people are familiar with, such as recognizable brands, financial institutions, government offices, and so on. As a result, their guard is let down, making it possible to take advantage of the human nature of trust.

Source: Panda Security

Website Spoofing Clues
- If the padlock is missing from the website address bar, the website is not secure and is likely spoofed.
- The URL uses HTTP and not HTTPS. Do not trust websites that do not use the "https" encryption prefix.
- Many websites autofill your username and password. Use a password manager to store your login details to protect against automatically logging into a spoofed webpage. If the password manager does not recognize the website, it will not autofill your login details.
- Spelling errors, broken links, suspicious contact us information, and missing social media badges can all be indicators that the website has been spoofed.
- Website addresses containing the name of the spoofed domain are not the official domain.

Email Spoofing Clues
- Spelling errors or an incorrect domain name in the sender's email address indicate a spoofed email.
- Email language urges you to act quickly, transfer money, or provide confidential information.
- Embedded links that have URLs you don't recognize. Hover your mouse or highlight the URL before clicking to double-check the legitimacy.
- Spelling errors, poor grammar, and unfamiliar language can indicate the email isn't originating from a genuine source.
- Attachments and an email message that urges you to download the attachment. Verify the attachment does not have a hidden EXE extension.

Caller ID, Text Message, or SMS Spoofing Clues
- If the phone number displays without brackets () or dashes -. For example, 4567893543.
- The caller ID is your phone number or looks very similar (e.g., one digit may differ).
- The phone number or caller’s name are hidden.
How To Prevent Spoofing

Source: Panda Security
1. Implement technical controls and procedures to protect against email, website, IP, and DNS spoofing.
2. Put a focus on educating your team about social engineering. Educate your team on how social engineering happens. Use real-world scenarios and training to show how easy it is to be tricked by social engineering.
3. Take advantage of security awareness programs that use flexible learning models to teach adults. Ensure that all training is engaging, relevant, and uses real-world scenarios.
4. Remind employees of the risks that arrive in their inboxes. Use simulations, email newsletters, communication campaigns, and cyber heroes to keep communication about spoofing and cyber security ongoing.
5. Ensure that all applications, operating systems, browsers, network tools, and internal software are updated and secure. Install malware protection and anti-spam software.
6. Provide regular and consistent security awareness training campaigns reminding people of the risks of providing confidential information, passwords, corporate data, and credit card details online.
7. Educate your team about spoofing. Use simulation software and training that includes real-life examples of spoofing attacks.
8. Regularly monitor employee awareness levels of spoofing, social engineering, and other cyber threats with simulations.
9. Create a corporate culture that encourages behavior change. Create a work environment that gives employees the time and resources to develop cyber security awareness.
10. Be proactive in creating a cyber-aware culture. Read The Human Fix to Human Risk to learn step-by-step guidelines on developing an effective security awareness program that stimulates behavior change.
While spoofing and phishing are different types of cyber attacks, phishing often relies on spoofing to succeed.
Phishing simulations are ideal for measuring employee awareness of social engineering and the risks that come through the inbox.
Phishing simulation lets you incorporate cyber security awareness training into your organization using an interactive and informative format.
People see how savvy language is used in emails to steal confidential information and corporate data. Real-time phishing simulations are ideal for reinforcing the indicators of email spoofing and other spoofing tactics.
Phishing simulations give you ten key ways to protect your employees from spoofing attacks
1. Reduces the cyber threat risk level.
2. Increases awareness and alertness of social engineering and spoofing risk.
3. Measures the degrees of corporate and employee vulnerability.
4. Fosters a security-aware culture and develops internal cyber heroes.
5. Changes human behavior to help avoid the automatic trust response.
6. Reinforces security awareness training messages.
7. Creates upper management buy-in for ongoing security awareness training and campaigns.
8. Keeps employees vigilant to spoofing, phishing, and social engineering attacks.
9. Meets industry compliance obligations.
10. Assesses the performance of cyber security awareness training.
Social Engineering
Spoofing is a crucial component of a successful social engineering attack. Cyber criminals use strategic social engineering techniques to convince victims to click links, download attachments, fill-out web forms, and respond to text messages.
Social engineering success requires only one thing: trust. Your employees must understand how social engineering works. Give your employees the training and simulations that allow them to change their behavior.
Spoofing
Spoofing is often used as part of a larger cyber attack. The cyber criminal may use email spoofing to direct a victim to a spoofed website that then installs ransomware on the victim's computer.

Get Valuable Coaching Advice and Protect Your Organization
Learn how you can protect yourself against spoofing and social engineering attacks. Enroll in a 30-minute coaching session with one of our Security Awareness Experts. In this session, a CISO will help you:
- Evaluate your current security awareness program and level of exposure to risk and constraints
- Reduce the human risk factor within your organization
- Define goals, objectives, and key performance indicators to measure results
- Identify the key personnel required to design and execute your security awareness program
- Design an effective internal communication strategy
To learn more about spoofing and how to keep your organization cyber secure, take advantage of these free resources:
Contact us at 1-866-889-5806 or at [email protected] to learn more about spoofing.
Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.