What is Spoofing?: Spoofing Scams and How to Protect Yourself

S.E. Slack
Updated June 24, 2020

If you’ve ever had someone try to trick you into giving them your private details online, in a phone call or even through a text message, you’ve been a target of a growing security threat: spoofing.

Spoofing is a serious problem that impacts the average consumer as well as big businesses. Phishing, smishing, IP spoofing and more are all names for the spoofing tactics thieves use to steal personal information by pretending to be legitimate businesses or government agencies. Scammers have pretended to be FBI or IRS agents, for instance, demanding the victim pay back college loans, overdue taxes or other common bills.

What is spoofing?

Spoofing is an attempt to deceive you into believing that the information you are seeing or hearing is real, when it is, in fact, a hoax. It can involve email, websites, phone calls and text messages.

Spoofing via the internet typically uses email to entice you into clicking fake links and going to websites where you are asked to enter personal information, such as your email address, login information, passwords, or even PIN codes and Social Security numbers.

When it happens on a phone, it can be either through a phone call or a text message that is unsolicited but seems harmless. The scammer makes the call or text appear to come from someone you know, but the message usually asks you to click a link, supply personal information or send money immediately.

Spoofing has become a billion-dollar business for scammers in the past five years, according to Paige Hanson, chief of identity education at Norton LifeLock. About 45% of U.S. mobile phone traffic will involve scam calls by the end of 2019, compared to just under 4% two years ago, according to First Orion, a spam-blocking technology company.

It’s not just criminals who spoof: Telemarketers have been fined hundreds of millions of dollars by the Federal Communications Commission for using spoof techniques on unsuspecting consumers. The deceptive practice can impact financial markets, too. In late 2018, two former financial services traders pleaded guilty to participating in a $60 million fraud and spoofing conspiracy that attacked the U.S. commodities market.

The bottom line is that, no matter how the spoof occurs, the person on the other side is not who they say they are.

How Does Spoofing Work?

From a technical standpoint, spoofing involves impersonating another device or user on a computer or telephone network. There are many different ways this can happen. A scammer might disguise an email by using settings in email programs, such as Outlook or Gmail, to change the From or Reply-to names in an email. Or they might alter the IP address that generates an email, use technologies that make a hacker appear to be located somewhere they are not and even reroute a trusted website link to a different site altogether. These spoofs can involve the use of virtual private networks (VPNs) to make a hacker’s true location unknown, even to law enforcement.

Sometimes hackers use internet protocol (IP) spoofing to hide their identity or impersonate an entire computer system. This is usually the case with attacks on businesses, where a hacker is attempting to gain access to large networks to obtain information, but it can also be used when a hacker is attempting to knock out a corporation’s website or internal network.

Spoofed phone calls and texts, too, involve scammers who use internet-based phone numbers to mimic numbers from people or businesses you trust. Your office phone number showing up on your phone’s display, for example, makes it more likely you’ll answer the call and potentially provide sensitive information than if a completely unknown number is calling you.

Common spoofing scams

Spoofing can happen in different ways. The most common scams involve email and phone calls that are either grounded in promises that are too good to be true or threats, according to Hanson. Stay calm and analyze what’s really being asked of you, she said.

“They’ll say something’s wrong with your account,” said Hanson, “or something’s wrong with your family member; anything that will cause you to react quickly and hand over your information. They will even play sounds in the background to make a call seem more believable. A baby might be crying or a dog might be barking to add to the believability.”

Scammers are always seeking new ways to target you. Typical scams you might see are:

Spoof caller ID scams

Spoofed phone calls involve the manipulation of the caller identification information that shows up on your phone every time someone calls you. When the call comes in, it will look like a call from an official organization to encourage you to answer it. Here are some common methods that can look official on your phone:

Neighbor spoofing

With this method, the scammer falsifies the caller ID using a phone number and prefix so it looks like a local call (potentially from someone you know).

Social Security phone number spoofing

These scammers use sophisticated methods to make the caller ID match the official Social Security Administration phone number. Variations can involve different government agencies, including the Department of Homeland Security, the IRS and the FBI.


Also known as voice phishing, these calls can look like they are from your local bank or credit union, accompanied by an alarming-sounding message asking to call back and confirm personal information that could be used to steal your cash or identity.

Technical support call spoofs

These calls appear to be from an established tech company like Microsoft or Apple, and the scammer claims to have detected an error on your computer that can only be resolved by taking immediate steps to fix the problem. The “steps,” however, secretly download software to access your computer or install ransomware.

Email spoofing

Hackers have been using email spoofing for decades to trick people into clicking misleading links or sending personal information to supposedly legitimate organizations. Because email headers such as Reply-to can easily be manipulated, spoofed messages can appear to be from someone you know or a business you trust. In addition, the email might include links to “official” websites that are actually attempts to trick you into providing passwords, usernames, and sensitive information such as your home address or Social Security number.

SMS spoofing

Sometimes called “smishing,” these scams can pop up on your phone in the form of a text message. The spoof text message can appear to be from your bank, medical provider or someone else you trust and might even include a link to a website you must immediately visit to clear up some problem. These messages typically ask you to enter PIN codes, usernames, passwords and other information that can be used to commit fraud. Other variations include bogus store offers for free shopping sprees once the provided link is opened.

How can I protect myself from spoofing?

The best protection against spoofing is vigilance. Phone calls are some of the most difficult spoofs to protect yourself from because you are tricked into believing the person on the other end is legitimate. If you do answer a spoofed call and realize you’re caught in a scam, hang up immediately, Hanson said.

Scammers specifically look for audio that includes “yes” answers so they can later use the recording to apply for bank accounts or other financial items. They can then open credit accounts and steal money under your name.

She cautions against responding quickly to texts that seem to originate from your mechanic, dentist, doctor or others that you regularly correspond with. Even emails that seem to come from your own employer can be suspect when viewed on a smartphone because they are often truncated there, which hides identifying information. When in doubt, wait until you get home and can review the message on your computer to check all the sender’s information.

When responding to emails, phone calls or texts, remember these tips:

Don’t respond

Whether it’s an email, text or phone call, you are never obligated to answer any call or email unless you already know who is on the other end and you have agreed to the communication in advance.

Hang up immediately

If you feel a call is not legitimate, don’t stay on the line. “Even if you’re in the middle of speaking, hang up,” Hanson said. “Don’t give them any more audio or any more ammo. One of the scams that’s popular is to record the audio of the person they’re targeting.”

Don’t be rushed

Let calls go to voicemail, for instance, and use a reverse phone search to try and determine where the call originated. If it’s legitimate, you can always call people back or respond to an email or text later.

Personal or sensitive information

Never provide personal or sensitive information to a caller.

You can search any email address to try and figure out where it’s coming from and who might have sent it.

Look for clues

Poor spelling or grammar, unusual sentence structure and email sender addresses that are one or two letters off from official business names are good tipoffs that you’re reading a spoofed email or text.

Contact your phone provider

Call your phone provider about call-blocking technology to help stop spoofed calls and texts from ever reaching you.
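
The "Look for clues" tip and the Reply-to manipulation described under "Email spoofing" can be checked mechanically. The following is an added example, not part of the original article: it flags a Reply-To domain that differs from the From domain and sender domains that are one or two letters off from a trusted name. The trusted-domain list, the function names and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the reader actually deals with (constructed list).
TRUSTED_DOMAINS = {"examplebank.com", "example.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-letter edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoof_clues(raw_message: str) -> list[str]:
    """List the header-level clues found in one raw email message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    clues = []
    if reply_dom and reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Compare every untrusted sender domain against each trusted name.
    for dom in {from_dom, reply_dom} - {""} - TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 1 <= edit_distance(dom, trusted) <= 2:
                clues.append(f"{dom} is a near match for {trusted}")
    return sorted(clues)

# Constructed sample message, not taken from a real incident.
SAMPLE = """From: Example Bank <alerts@examp1ebank.com>
Reply-To: help@mail-collect.example
To: you@example.net
Subject: Urgent: confirm your account

Click the link to verify your PIN.
"""

if __name__ == "__main__":
    for clue in spoof_clues(SAMPLE):
        print("clue:", clue)
```

A message that raises no clue here is not proven genuine; the check only covers the two header signals the article mentions.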

What to do if you’ve been spoofed

If you realize later that you were targeted, think carefully about the information you provided. Hanson said you should first tell a trusted friend about the call or email, then determine your actions from there. Another person listening to what happened can help you confirm whether the call, email or text was appropriate. If you realize you’ve given out information you shouldn’t have, don’t despair.

“There’s a possibility that you could have an identity theft event,” Hanson said. “You can monitor your credit or place a freeze on your credit, but a longer-term security approach is to enroll in an ID theft program.”

Spoofing is real and it’s dangerous, but you can stay safe by staying vigilant and calm.
