As you go through life, you may encounter someone who pretends to be someone or something they are not. This pretence is known as ‘spoofing’; spoofing has likely been part of humanity since we walked on two legs. Spoofing in cyber security is a type of social engineering that manipulates trust to gain the target’s confidence.
Cybercrime that involves some form of social engineering and trickery costs businesses heavily. For example, the FBI recorded around $2.4 billion worth of losses in 2021 that were attributed to Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints, a sophisticated form of cybercrime that uses some forms of spoofing.
Here is a look at what spoofing is and how to prevent it.
Cyber spoofing tricks a person into believing someone or something, e.g., a computer or website, is trustworthy, even when it is not. Spoofing is used to gain access to something important or sensitive, such as data, a device, or a web server, allowing a cybercriminal to steal information, install malware, or extort money.
Types of spoofing
Spoofing takes many forms and will likely continue to adapt as businesses change its operating models. Here are some of the most prevalent forms of spoofing:
Fraudsters create emails that look like they are from a particular company or person: trust is the key word here. Fraudsters use the trust developed by well-known brands, such as Microsoft or an individual like a CEO to trick people into doing things. For example, a phishing email may look like an Office 365 email; the email will contain a link that, if clicked, goes to a website that looks exactly like the Office 365 login page. The user, tricked by the realistic-looking website, will enter their login credentials, which are then stolen by a cybercriminal.
Email spoofing is often paired with a fake website to steal login credentials or other data or as a steppingstone to malware infection. A spoofed URL tricks the person who navigates to that site into believing it is the actual website. The URL will be similar to the URL of the actual website; however, this website will be malicious and set up to steal data or do some other harm.
Typosquatting / website spoofing
People can easily mistype a URL of a trusted domain name. Scammers will use this common mistake to spoof individuals into thinking they have landed on the actual website. From there, the fraudsters will use this deception to steal login credentials or other data or use the site as a steppingstone to infect a device with malware.
Text message spoofing
Text spoofing tricks a person into believing an SMS text message is from a company or person they know and trust. Spoof text messages come in several forms. Some examples include texts that contain a phishing link, messages that look like a family member asking for money, and texts that seem to be from a bank requesting personal or financial information.
IP addresses (Internet Protocol) is a numerical address of a device on the Internet. This address is essential as it allows data to be transferred to and from trusted device locations. IP spoofers create a false IP address to impersonate a trusted device. This allows the fraudsters to trick another device into receiving or sending sensitive or personal information to that source. Man-in-the-Middle (MitM) attacks often work by IP spoofing. MitM attacks intercept data as it flows between sources allowing data to be manipulated or stolen.
Deep fake spoofing (facial spoofing)
Any form of trusted communications can be spoofed. As facial recognition systems become familiar and remote digital communications are normalised, facial (and voice) spoofing will follow. Deep fake technology uses artificial intelligence to generate realistic but fake images and voices of individuals. Deep fake scams are expected to increase over the coming years and will likely be used by fraudsters to spoof communications. For example, deep fake voice technology was implicated in a Business Email Compromise (BEC) scam in 2019.
How does spoofing work?
All forms of spoofing have one thing in common, they use trust between humans and/or computers to steal or manipulate data. By pretending to be a trusted entity, a fraudster can more easily manipulate the human operator (or device) at the other end of the transaction.
Trust is a crucial security element; therefore, scammers focus on manipulating and abusing trust. Email spoofing and phishing are great examples of how trust can be misused to spoof people. In the UK Government’s “2022 Cyber Security Breaches Survey“, 83% of UK businesses reported phishing attempts. In addition, a 2021 Cisco survey into threat trends recorded that 86% of organisations had at least one user navigate to a spoof website. The report concurs with the fact that trust delivers opportunities to fraudsters when it concludes:
“Phishers usually masquerade as a trustworthy entity in an electronic communication. That’s probably why it accounts for 90% (that’s not a typo) of data breaches.”
How to protect against spoofing?
By hijacking our instincts to trust something or someone, scammers can more easily request and receive sensitive information. A framework for spoof prevention must begin with understanding how trust works. Preventative measures that help employees to spot and stop a spoofing attack include:
Spoof awareness training: spoof awareness training is part of a more general security awareness training campaign and helps employees to understand how spoofing works. Phishing and spoofing tactics are often paired to manipulate an employee’s behaviour—train employees about how spoofers exploit that trust. For example, use a phishing simulation platform to send out simulated phishing emails that use typical spoofing elements, including trusted brands, a sense of urgency to act, and a link to a spoofed website.
Use a VPN: a Virtual Private Network allows an employee to hide their IP address. This helps to prevent IP spoofing. A VPN also encrypts data during transfer to prevent Man-in-the-Middle attacks.
Security hygiene exercises: teach employees the importance of good security hygiene habits. This should include robust password creation and management, two-factor authentication and understanding the control of the urge to click a link or download an attachment in an email or text message.
Report spoofing: encourage your employees to report any suspected (or successful) spoofing attempts. Specialist reporting platforms provide a way to easily report spoofing events, allowing an organisation to respond quickly and effectively.
Deploy anti-spoofing processes: set up various anti-spoofing processes in your business to stop spoof attempts. For example, have checks and balances that state another pair of eyes must check payments over a certain amount.
Spoofing is something that humans have always encountered. But even in a digitised world, spoofing still relies on trust. By making employees aware that their trust will be abused and giving them the tools to recognise spoofing attempts, an organisation can help protect itself from cyber harm.