Spoofing is the act of making a message, call, network packet, website, address or identity appear to come from somewhere else. It is used in legitimate testing and administration, but it is also common in fraud, phishing, malware delivery and network attacks.
The common point is false origin. A spoofed call may show a trusted number, a spoofed email may appear to come from a known organisation, and a spoofed network packet may carry a forged source address.
Caller ID Spoofing
Caller ID spoofing changes or falsifies the number shown to the person receiving a call. The Federal Communications Commission describes it as deliberately falsifying caller ID information to disguise identity.
Scammers use caller ID spoofing to impersonate banks, police, government departments, delivery firms, relatives, employers or local numbers. The displayed number is therefore not proof that the call is genuine.
Email and Message Spoofing
Email spoofing makes a message appear to come from a person, business or domain that did not actually send it. It is often used with phishing links, invoice fraud, malware attachments and business email compromise.
Text-message spoofing and smishing can also make a message appear inside a real conversation thread. This can make bank, delivery or authentication-code scams more convincing.
Network Spoofing
In networking, spoofing can involve forged IP addresses, ARP spoofing, DNS spoofing or other attempts to make traffic appear to come from a trusted source. NIST's cybersecurity glossary describes spoofing in terms of faking a sending address or inducing a user or resource to take incorrect action.
Network spoofing can be used for denial-of-service attacks, man-in-the-middle attacks, traffic redirection and access attempts.
Protection
Useful protection depends on the type of spoofing. For calls, a person should verify important requests using a known number or official channel. For emails and messages, links and attachments should be treated carefully, especially where money, passwords or urgency are involved.
For organisations, controls include domain authentication, mail filtering, call-screening tools, network monitoring, secure DNS configuration and staff training. These controls reduce risk but do not remove the need for human checking.
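Added example, not part of the original page: for email, domain authentication usually means SPF, DKIM and DMARC, and a mail filter can read the Authentication-Results header written by the receiving server to test whether a passing result actually matches the domain shown in From. The hostname mx.example.net, the sample messages and the simplified alignment rule (no public suffix list) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own receiving mail server

def domain_of(value):
    return value.rpartition("@")[2].strip("<>").lower()

def aligned(a, b):  # simplified relaxed alignment: equal, or one is a subdomain of the other
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def auth_results(msg):
    """Return (method, result, domain) tuples from trusted headers only."""
    out = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # any sender can add this header; trust only your own server's
        for clause in rest.split(";"):
            m = re.search(r"\b(spf|dkim|dmarc)=(\w+)", clause)
            ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", clause)
            if m:
                domain = domain_of(ident.group(1)) if ident else ""
                out.append((m.group(1), m.group(2).lower(), domain))
    return out

def check_sender(raw):
    """Return a list of reasons to distrust the visible From address."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    results, reasons = auth_results(msg), []
    if not any(meth in ("spf", "dkim") and res == "pass" and aligned(dom, from_domain)
               for meth, res, dom in results):
        reasons.append("no aligned SPF or DKIM pass")
    if any(meth == "dmarc" and res == "fail" for meth, res, _ in results):
        reasons.append("DMARC fail")
    return reasons

# Constructed sample messages (not real mail).
GENUINE = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=billing@bank.example;"
           " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\n"
           "From: Bank Billing <billing@bank.example>\n\nStatement attached.\n")
SPOOFED = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bulk.example;"
           " dkim=none; dmarc=fail header.from=bank.example\n"
           "Authentication-Results: mx.untrusted.example; dkim=pass header.d=bank.example\n"
           "From: Bank Billing <billing@bank.example>\n\nPay this invoice today.\n")
if __name__ == "__main__":
    print(check_sender(GENUINE), check_sender(SPOOFED))
```

The second sample passes SPF for an unrelated domain and carries a "pass" header from a server the filter does not trust; neither counts toward the visible From domain, so both reasons are returned.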