Cyber Security:

Spoofing

What Is Spoofing?

A 'spoof' was a harmless joke or comedic 'send-up' in the olden days. But nowadays it has taken on a darker meaning.

'Spoofing' in cyber-security speak is the act of impersonation by cybercriminals - either of an organisation or of a person attempting to 'log into' an organisation.

This type of cyber-criminal is called a 'threat actor' - someone pretending to be someone else in order to fool you for malicious reasons. They are a threat to you.

The threat-actor's communication manipulates the technology into believing that the imposter communication is coming from a trusted source. But in reality, it's coming from an unknown source that could be ready to cause a malicious attack.

Spoofing is used for identity theft, computer viruses, and denial-of-service (DoS) attacks that shut down popular websites.

With the advancement of facial recognition technology, modern definitions of spoofing now include biometric spoofing. Facial biometric spoofing is rare for now, but it is early days!

Today's sophisticated scammer will use social engineering and multiple spoofing methods to gain your trust. The more techniques you can recognize, the better you will become at thwarting attacks.

They prey on people's trust and design their spoofing scams accordingly, often tracking your website movements to gather your personal information so they can more easily obtain your passwords and financial information via a 'spoof'.

Spoofing vs. Spam

Spoofing and Phishing are two sides of the same coin - a 'con' to steal access to your digital world.

Spoofing is an attempt to imitate in order to deceive, and it works hand in hand with phishing - when someone steals your sensitive information using social engineering and deception.

Spam is just plain annoying!

Types Of Spoofing

Email Spoofing

Email spoofing involves an attacker sending you a message that looks like it's coming from a legitimate email address. Spammers can attack a mail system by changing the information stored in email 'envelopes' which enclose the messages themselves. This allows a spammer to disguise their actual address by writing new addresses for the sender (such as replacing their own address with that of 'TrustedBank') and the destination for receipts.

Since SMTP on its own does not authenticate the sender's address, servers simply pass on the email without checking that it was sent out by TrustedBank.

Simple spoofing is now being challenged by technologies that allow genuine senders to authenticate messages, which the recipient's mail server can then check. However, only about half of all mailboxes have any protection against spoofing.
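The check a recipient can make on a delivered message, as an added example that is not part of the original article: it compares the envelope sender (Return-Path) with the visible From address and reads the SPF, DKIM and DMARC verdicts that the receiving server records in the Authentication-Results header. The sample messages, all domains and the server name mx.recipient.example are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every domain here is a placeholder.
SPOOFED = (
    "Return-Path: <bounce@bulk-sender.example>\n"
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bulk-sender.example;\n"
    " dkim=none; dmarc=fail header.from=trustedbank.example\n"
    "From: TrustedBank <alerts@trustedbank.example>\n"
    "Subject: Your account needs attention\n\nClick the link.\n"
)
GENUINE = (
    "Return-Path: <alerts@trustedbank.example>\n"
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=trustedbank.example;\n"
    " dkim=pass header.d=trustedbank.example; dmarc=pass\n"
    "From: TrustedBank <alerts@trustedbank.example>\n"
    "Subject: Your statement is ready\n\nLog in as usual.\n"
)

def domain_of(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_server):
    """Map method -> result, read only from headers stamped by our own server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, *parts = header.split(";")
        if server.split()[:1] != [trusted_server]:
            continue  # the sender can insert this header too; ignore foreign ones
        for part in parts:
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, _, result = tokens[0].partition("=")
                results.setdefault(method.lower(), result.lower())
    return results

def assess(raw, trusted_server="mx.recipient.example"):
    msg = message_from_string(raw)
    auth = auth_results(msg, trusted_server)
    # A differing envelope domain is only a hint: legitimate bulk mail often
    # bounces to another domain. The DMARC result decides the verdict.
    mismatch = domain_of(msg["Return-Path"]) != domain_of(msg["From"])
    verdicts = {"pass": "authenticated", "fail": "likely spoofed"}
    verdict = verdicts.get(auth.get("dmarc"), "unverified")
    return {"verdict": verdict, "envelope_mismatch": mismatch, "auth": auth}
```

A message with no verdict from the trusted server comes back as "unverified" rather than "authenticated", which is the state the article describes for mailboxes without spoofing protection.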

The spoofed email often contains a link with an enticing 'call-to-action'.

For example:

The email may appear to come from a supermarket and offer a free £50 gift card if you 'click on a link', but it will install malware on your computer after you click the link.

The email may say it is from your bank and entice you to hand over your personal information because your guard is down, thinking you're dealing with a credible source.

Caller ID Spoofing

Caller ID Spoofing is when a scammer uses technology to conceal their location and identity when they call you. Most of the time, they will make it look like the call comes from an individual or organization that you know. They're able to manipulate the area code on your phone's caller ID, so it looks like the call is coming from your neighborhood. The hacker knows that if they can trick you into thinking the phone call is local, there is a greater chance you'll pick up the phone. Once you do, their scam begins.

GPS Spoofing

GPS stands for Global Positioning System, and it is used heavily in logistical supply chain management, banking networks, and power grids. It’s easy to see how dangerous it would be for a hacker to access any of these systems.

You can 'spoof' your GPS to make it look like you’ve climbed Mount Everest, trick your phone into finding rare Pokemon, or fool your Instagram followers that you’re traveling the world.

Changing your location may seem harmless enough, but the security threat is real - someone might seem to be in the UK when in fact they are contacting you from India or Russia.

Website Spoofing

Website Spoofing is when malicious actors create look-alike websites to fool visitors.

These look-alike URLs are usually sent through email and mimic the domain names of websites you often use, like your bank, favourite online retailer, or social media platform.

The spoofed website will have a familiar-looking login page, but the scammers are the ones receiving your information as you log in. After the hacker gets your information, they can access the actual website, change your password, make purchases or access your contact lists.

It is very important that you never log into a site from a link in an email - and always double-check the address if you have 'Googled' it.
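One way to automate the "double-check the address" step, as an added example that is not part of the original article: it classifies a link's hostname against a short list of sites you really use and flags near-miss spellings and trusted names placed inside another domain. The allow-list, the sample domains, the digit-folding table and the distance threshold are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of sites the user really deals with.
TRUSTED = ("shop.example", "trustedbank.example")
# Small constructed table of digit-for-letter swaps seen in look-alike names.
FOLD = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, max_distance=2):
    """Return 'trusted', 'embeds <d>', 'lookalike of <d>' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # Naive registrable domain: the last two labels. Real code should use the
    # Public Suffix List (simplification made to keep this self-contained).
    candidate = ".".join(host.split(".")[-2:]).translate(FOLD)
    for d in TRUSTED:
        # Trusted name used as leading labels of a different domain.
        if f".{d}." in f".{host}.":
            return f"embeds {d}"
        # Near-miss spelling; short names will produce some false positives.
        if edit_distance(candidate, d) <= max_distance:
            return f"lookalike of {d}"
    return "unknown"

# Constructed sample links.
SAMPLES = [
    "https://www.trustedbank.example/login",
    "https://trustedbamk.example/login",
    "https://trust3dbank.example/",
    "https://trustedbank.example.login-check.example/",
    "https://unrelated.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):35} {link}")
```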

IP Address Spoofing

IP Address Spoofing is a severe threat to a company’s network traffic and critical data.

Hackers mask their location by spoofing their IP address while sending a large number of requests to a website all at once.

This is called a denial-of-service attack (DoS) and is mainly used to shut down websites by overwhelming the servers. Hackers will sometimes modify their IP Address to look like it’s coming from a trusted source or computer on the shared network, making the hacker harder to find or shut down.

Text Message Spoofing

Text Message Spoofing is on the rise and has a new name: SMS phishing, or 'Smishing'. It is similar to Caller ID and Email Spoofing.

The scammer wants you to believe the text message is coming from a legitimate person or business. Once you click the link in the text message, the scam begins by downloading malware - usually a trojan - onto your device.

They could also gain access to your contact list.

You need to make sure you have strong mobile security on all of your devices - and never follow links from an unexpected text message.

Facial Recognition Spoofing

Facial Recognition Spoofing is relatively rare, but as the demand for this technology grows and more companies add facial biometric access control readers to their physical security systems, facial spoofing concerns will continue to grow.

At the moment (2022), imposters are using photographs and video stills found on social media to imitate individuals and create fake access. Sometimes they may even attempt to use a 3D printed mask. With facial recognition systems that use image databases, the risk of false positives due to people with similar facial features is there.

None of these spoofing attempts will work with facial recognition software that requires the person to be scanned. A photograph, video still, or 3D mask all reflect infrared light in a very different way than an actual person does, so when these items are presented at a sensor, they will fail to be recognized.

How To Protect Against Spoofing Attacks

Knowing the types of spoofing attacks that are out there is the first step in protecting yourself from scammers, hackers, and cybercriminals. Security awareness goes a long way in protecting you by making you cautious. Pay attention to the latest scams and other suspicious activity happening in your home-town.

You should:

Watch for poor grammar and bad spelling in an e-mail or text.

Pay very close attention to the sender address in the emails you receive - you should check any address that looks slightly suspicious - or seems different to one you have dealt with before.

Only use a reputable antivirus and malware app - never use a suspiciously 'cheap' offer.

Never click on unfamiliar links or download attachments to emails or texts.

Turn on spam filters and then carefully sift through any spam you receive for wrongly sorted messages.

Always use two-factor authentication for logging into all of your accounts.

Consider using a password manager to generate and store all of your passwords.

Watch that the websites you are visiting have active SSL certificates and never enter information into one that does not have one.

Limit the personal information you give out online - especially on social media pages.

If you do fall victim to a Spoofing or Phishing scheme, contact your local Consumer Complaint Center for assistance.