Skip to main content
Cyber Security

Don’t Whiff on Spoofing: A Business Guide to Preventing and Protecting Against Spoof Attacks

By September 2, 2021November 11th, 2021No Comments

What is Spoofing?

“Spoof” sounds like a sound effect for an airbag going off in a car or something. Sure, “spoofing” sounds like a funny word but when it comes to security it is anything but. It is the intentional act of camouflaging malicious actors and intent under the guise of legitimate behavior.

Spoofing attacks take advantage of your trust and technology to use them against you and gain access to sensitive information, infrastructure, and even your livelihood.

To make matters worse, these are almost never one-off attacks. Spoofing is an advanced persistent threat and if you’re identified as a vulnerable target with multiple weak links and attack vectors, hackers will continue to come after you until you either give them an opening or close up your weaknesses.

Some spoofing attacks take the form of social engineering (think real-life Jedi mind tricks that take the form of fake websites, emails, and phone calls), while others target your network infrastructure to gain access to your systems and data. Not to worry, all you need to address this issue is a clear understanding of the threat intelligence and an actionable plan to mitigate the risks of spoof attacks.


3 Common Types of Spoofing:

  • Email Spoofing

    Email spoofing is a lot simpler than the previous attack types and is one you’ve probably encountered countless times over the years. Email spoofing is most often used in phishing or other types of social engineering attacks. An attacker sends emails to potential victims for the purposes of collecting personal information, spreading malware, tricking you into sending money, or simply blackmailing you.
    Common email spoofing attack types include (but are not limited to):
    • Impersonating well-known brands: Attackers send falsified emails from trusted companies with false links or instructions to send personal information.
    • Impersonating your higher-ups: Attackers send falsified emails pretending to be your manager or CEO asking for sensitive information, including logins and passwords, data, or identifying information.
    • Sending links to file downloads: Attackers send falsified emails appearing to be from trusted brands like Microsoft or Apple prompting you to “download updates” or other files from a provided link in order to trick you into installing malware.
    These attacks are some of the most common types of hacks as they require little technical knowledge and effort on the part of the attacker.
  • Website Spoofing

    This type of spoof typically goes hand-in-hand with email spoofing. Website spoofing is when an attacker creates a fake (some more believable than others) website using a similar URL to a legitimate website. For example:
    • Legit site:
    • Fake site:
    I just made up this fake URL on the spot; when I checked, I saw that Bank of America has already taken the initiative to redirect this misspelled address to their legitimate site. However, this is not always the case. It’s hard for brands to keep up with every single misspelling of their URL, and hackers take advantage of this at every opportunity.
    These spoofed websites are created for the purpose of extracting sensitive information from you, including your login credentials, personal data, and other information. Many times these spoofed websites are sent in spoofed emails.
  • Caller ID/Text Message Spoofing

    Chances are you’ve experienced this form of spoofing far more than you care to mention. If I’m being honest, I am sick to death of getting these spoofed ID calls from spammers. I hope their mothers screw up their favorite meal this week and they cry themselves to sleep about it.
    If you aren’t familiar with caller ID spoofing, it’s a method of phone scamming in which the attacker uses an online calling software to create a fake number that matches the area code of the victim they are calling or texting.
    This method is meant to trick the victim into answering the phone by preying on the familiarity of the area code. After all, it’s easy to think a call or text is legitimate if it’s coming from your current area or from a previous area that you’ve lived in before.
    Like most spoofing attacks, this method is used for lots of different reasons, such as collecting personal information, selling you on scams (such as IRS or tech-support scams), or selling you fake products.

How to Recognize and Prevent

  • Recognize and Prevent Email Spoofing

    It’s all easier from here, trust me. Recognizing and preventing email spoofing attacks only requires you to read the warning signs and to trash emails that throw up red flags. Here are the red flags to watch out for:
    • Grammatical errors in the email body text
    • Misspelled URL links
    • Uninitiated requests for password changes
    • Pushy or overly urgent language, e.g.: “Click here or we will deactivate your account”
    • Sender address doesn’t fully match up to the brand
    • Uses generic greetings like “Hello Customer”
    • Unnecessary email attachments (DO NOT OPEN THESE)
    • Requests for information they either do not reasonably need or should already have (social security numbers, account numbers, date of birth, etc.)
    At the end of it all, trust your gut. If you feel even a little bit uncomfortable with an email but aren’t sure about its authenticity, then Google the number of the business and call them directly about the matter. If it is real then they will know exactly what you are talking about and if not then you’ll know exactly which email is going in the trash bin.
  • Recognize and Prevent Website Spoofing

    Despite the best efforts by everyone to reign in the digital Wild West known as the internet, there is no way you can prevent website spoofing 100% of the time. But, what you can do is recognize spoofed websites and avoid them at all costs. Similar to email spoofing, there are lots of red flags to watch out for, such as:
    • Misspelled URL links
    • Grammatical errors
    • Mismatched logos and color schemes
    • Broken links within the website
    • Seemingly off-brand images
    Most of these websites are shared through spoofed emails or suspicious-looking social media accounts. A great rule of thumb with the internet is to never click on anything from anyone you don’t actually know.
    This rule will carry you far and prevent you from dealing with malware, unwanted ads, hacks, and personal data leaks. If you can’t 100% verify the authenticity of the website with a simple Google search of the URL, then just avoid the website altogether. Easy as pie.
  • Recognize & Prevent Caller ID/Text Message Spoofing

    Dear Lord! If you know the secret for preventing calls from all spoofed phone numbers I will give you the world’s biggest hug, I promise. While some companies like Apple have made strides in blocking unwanted spam calls from spoofed numbers, the problem hasn’t been 100% solved and I’m not sure anyone can solve it. It’s like playing a game of world wide web whack-a-mole with some of the most annoying people on the planet.
    With all that on the table, there are ways to recognize caller ID spoofing. Some of the warning signs are:
    • Calls from random numbers with your area code
    • Calls where no one answers immediately when you pick up
    • Calls from area codes where you used to live but the number isn’t stored in your phone
    Caller ID spoofers do their homework on you and try to scrape as much information about their lists of victims as possible from the internet. Then they will make phone calls with numbers based on areas that you’ve lived. The truth is, if you answer one of these calls or send them straight to voicemail, you’ve alerted them to the fact that someone is actually in possession of that number and will continue to harass you.
    This is a hard attack to beat, especially in the corporate world, but the major rule of thumb to abide by is to never give out any company information over the phone under any circumstances to anyone you don’t already know. If you start receiving calls asking for sensitive information, immediately bring this to the attention of a supervisor.
    Oh, and one more piece of information: I don’t care if it’s Apple, HP, Microsoft, or supposedly “Jeff Bezos” himself, no company will ever in a million years call you off the cuff about some “issue” with any of your devices.
    If you receive an uninitiated call or text about your computer in any form, you can safely assume it’s a scam. As a former Apple Genius Bar employee, I can say for certain that these companies have better things to do than remotely monitor the operating condition of your devices.



JH @ nextlevel | IT

Author JH @ nextlevel | IT

More posts by JH @ nextlevel | IT

Next Level IT

231022B TWP 474
Gwynne, AB
T0C 1L0

T: +1 (780)364-6548