Spoofing: What It Is and How to Prevent It
 

Spoofing Definition and How It Works

For centuries — whether in folklore or real life — frauds have pretended to be someone else to gain access to things they cannot or should not have. In the information age, spoofing attacks have emerged as a way to trick people into opening infected emails or going to fake websites and handing over data or money to a cleverly disguised stranger. 

Spoofing is that disguise. It’s a common phishing technique using an email or web address that looks familiar so the attacker can appear to be a person or brand that an individual trusts. Once the trap is set, the attacker uses plausible pretexts, branding elements and other social engineering tricks to coax the individual to click on a link or attachment in an email, provide sensitive information, download software, or send money.[1]

Types of Spoofing

There are many techniques used for spoofing. Attackers can create false caller ID information, IP addresses, MAC addresses, domain names, geolocations, or HTTP referral headers. Most recently, a new type of attack has emerged: image spoofing, which tricks facial recognition software systems into granting access.[2]

That said, two of the most common spoofing types are email spoofing and website spoofing. A combination of training and technology can help companies detect and prevent these attacks.

Email Spoofing Phishes Remote Workers

Email spoofing incidents have been on the rise during the pandemic since companies shifted to remote work. Attackers have been taking advantage of insecure home Wi-Fi connections, which block fewer suspicious emails than company’s security systems. And employees who may be distracted by family members may be more liable to open illegitimate emails.

Email spoofing involves sending email with a forged sender address, which makes it look like it’s coming from a trusted source such as a colleague, executive, or well-known vendor. It is commonly used in phishing email, spear phishing, and brand impersonation attacks that try to trick an individual into giving attackers access to networks, data, or financial resources. 

According to Mimecast’s State of Email Security 2022 (SOES) report, one-third of companies are unprepared or only somewhat prepared to deal with email spoofing attacks. Not surprisingly, sectors such as technology and professional services are most likely to describe themselves as prepared, while retail, transportation, and manufacturing companies are least prepared. 

Website Spoofing Erodes Brand Value

Website spoofing, on the other hand, involves creating a website that mimics a trusted brand in design, layout, colors, logos, and nearly identical domain name. Once a fake website is up, attackers send phishing emails to convince a brand’s customers, partners, and employees to visit the site and share sensitive information such as credit card numbers or Social Security numbers — for example, under the ruse that this information is necessary to restore access to an account.

Because website spoofing occurs outside of a company’s security perimeter, it is often difficult for security teams to know when their own brand is being impersonated somewhere on the web. Anti-website spoofing services scan the entire web to help find and take down cloned websites, so they can no longer damage the company’s brand or steal from duped visitors to the site.

The SOES report indicates that companies had identified, on average, 10 different instances of website clones within the past year. Companies in the energy, healthcare, and financial services sectors are the most likely to be targeted. Sectors’ relative preparedness to address website spoofing differs slightly from email spoofing. Here, the construction and property management sector joins technology among the industries that feel most prepared, while retail, energy, and healthcare companies describe themselves as the least prepared.

How Spoofing Uses Social Engineering

Email and web spoofing attacks use social engineering, which is a way of luring individuals into divulging sensitive information. Social engineering attacks take advantage of human psychology to gain people’s trust. 

Once the attackers perform their technical sleight of hand with email and web domain names, there are two social engineering elements to a spoofing attack: The pretext and the action.[3]

• Pretext: This is the lie that a scammer is hoping an individual may act on. It could be an urgent request from a corporate executive, a limited-time offer for a valuable product or service, or a notice that access to an account has been suspended.
• Action: The action is the step that an individual must take, whether it’s clicking on a link, entering personal or financial information into a form, or initiating a financial transfer. 

Plausibility is key to spoofing attacks. If a request is not specific or relevant, or if it seems hard to believe, then the recipient is likely to realize it’s fake. Similarly, the action needs to be something an individual is capable of taking, given their day-to-day job responsibilities. A request that’s outrageous or seemingly impossible will be ignored.

How to Detect Spoofing

Organizations can use email security technology that detects attacks that use domain similarity to impersonate executives as well as trusted and well-known partners and brands. Organizations should seek out a service that scans all inbound emails in real-time, looking for the traits of malware-less, social engineering-based impersonation campaigns. A well-suited solution can identify header anomalies, domain similarity, recently registered domains, sender spoofing, suspect body content, and international character sets that are often part of impersonation attempts.

How to Prevent Spoofing

The SOES research indicated that a lack of resources, technology, and knowledge tend to stand in the way of addressing email and website spoofing attacks. Companies can take steps, including the following, to address their challenges and prevent attacks:

• Regular cyber awareness training helps employees detect — or at least be wary of — spoofing attempts. The most effective training programs are short, engaging, and customized to an individual’s role, risk factors, and past behaviors, such as clicking on infected email attachments. In addition, training must be regularly updated to keep pace with the latest cyber exploits. 
• Adopting the Domain-based Messaging Authentication Reporting and Conformance (DMARC) protocol enables companies to automatically block incoming emails from spoofed domains and report any abuses to the brand that is being impersonated. Taking an automated approach to brand protection enables companies to conduct far more scans of spoofed websites and phishing emails. Artificial intelligence helps fight spoofing by analyzing hundreds of millions of registered domain names, to get confirmed spoofed sites taken down before they can cause damage.

The Bottom Line

Email spoofing and website spoofing are sophisticated social engineering attacks that cloak legitimate domain names to lure unsuspecting readers and visitors. Once the victim is hooked, the attacks use social engineering to imitate individuals and brands that people trust to get them to disclose sensitive information or send money. Detecting and preventing spoofing attacks require resources, technology, and cybersecurity knowledge — all of which are in short supply in many of today’s companies. Read more about how Mimecast’s security awareness training and brand protection solutions enable companies to better protect against scams that prey on their employees and on the trust in their brand.

[1] “Spoofing and Phishing,” FBI

[2] “What Is Image Spoofing and How to Prevent It?”, Security Boulevard

[3] “What Is Spoofing?” CompTIA