What is a spoofing attack? Everything to know about this type of fraud

A spoofing attack occurs when a deceitful party disguises its identity and pretends to be a reliable company. Posing as a trusted brand, the attacker communicates with the intended victim and attempts to extract funds or valuable information.

According to research from PwC, 47% of all companies have experienced some type of fraud in the last 24 months. Even when the company itself isn’t targeted by fraudsters, these deceitful parties can use a brand’s image to take advantage of its customers and employees. Unfortunately, protecting your business from spoofing attacks and even knowing when fraudsters spoof your company information isn’t easy, especially if you have a large team or client base. 

About 62% of people receive spoofed calls from fraudsters pretending to be reliable organizations. While it may be an old tactic, it remains one of the most popular methods that fraudsters use to extract valuable information. But, there are many different types of spoofing - educating yourself about the various techniques that criminals use is the first step to protecting your brand, employees, and customers. 

In a previous post on spoofing, we offered ideas on how to stop phone spoofing of your company’s phone numbers. Now we’ll take a look at the different types of spoofing attacks and how they work.

What is a spoofing attack?

The main goal of most spoofing is for the imposter to extract funds or valuable information, such as social security numbers, dates of birth, passwords, and other sensitive data. Victims of spoofing attacks can be consumers or employees who have access to valuable information.

Spoofing attacks can take place through a variety of methods, including telephone, email, websites, and other channels. Not only this, but fraudsters have also developed techniques that involve technical elements, like IP, ARP, and DNS servers to bypass modern security measures.

Besides the technical side, spoofing attacks focus on exploiting pre-existing relationships, whether it’s between a company and its clients or a company and its employees. Spoofing can be combined with other types of fraud to extract large sums of money or large data sets that contain sensitive information.

Nearly 40% of consumers surveyed for Hiya's recent State of the Call research reported losing an average of $182 to phone scams in 2020 and more than 7% of these victims lost more than $500.  

The impact of these attacks goes beyond financial ramifications. It also negatively affects the companies that have been spoofed. When you consider the significant financial impact on targeted individuals, it's unsurprising that consumers lose trust in businesses that are spoofed.

Nearly half of the consumers surveyed for Hiya’s recent State of the Call report are suspicious of calls from a business that has been spoofed; nearly a quarter of respondents say it has eroded their trust in the company and/or has negatively affected their perception of customer care. This degradation of trust can result in long-term negative impacts on a company's caller reputation.

Spoofing makes both consumers and businesses more susceptible to future security and perception issues. From a consumer’s perspective, providing personal information to a fraudster can also result in identity theft, which in turn can affect all other areas of a person’s life. For companies facing spoofing attacks, the fallout tends to garner negative attention, they may find themselves vulnerable to other types of cyberattacks, and could even be subject to investigation by the authorities depending on the extent of the problem.

Types of spoofing

One of the biggest challenges that come with combating spoofing is that fraudsters can use this technique to target almost every single communication channel business to interact with customers and employees. 

Deceitful parties have learned how to mimic everything short of physical meetings and internal paper memos - consequently, companies need to monitor all of their resources to create and protect a safe environment. If the monitoring process is kept in-house, it can put a huge amount of pressure on your business, so seeking a partner to protect you against the most common spoofing attacks can increase your chances of success.

As we mentioned before, illegal spoofers have not only learned how to clone company phone numbers and emails. Some imposters use sophisticated spoofing tools that allow them to bypass corporate security systems by presenting false digital credentials. The methodology used by deceitful fraudsters varies but these criminals always try to achieve a similar goal, which is to extract something valuable through every interaction.

There are many different types of spoofing, not to mention that fraudsters are constantly working on developing new methods. That said, the most common and dangerous types of attacks include:

Caller ID spoofing

Through caller ID spoofing, fraudsters can make illicit phone calls and make them appear as if they are coming from reliable callers. In some cases, the number that the receiver sees can come from a known or trusted person. Bad actors will also choose a reliable company, spoof its numbers, and make it seem as if the call is coming from this brand.

This is a blind spot for businesses as only 38% of them even know whether or not they’ve been spoofed. The long-term negative impacts make it critical that businesses understand the threat of spoofing attacks and use new tools like Hiya Connect Secure Call to stay informed and protected.

Spoofers call customers for various reasons, but most of them involve some sort of financial or personal information request with businesses in the financial or healthcare industries being spoofed most frequently. If a spoofed call is targeting a consumer, the fraudster may request credit card numbers, bank details, and other pieces of information with the excuse of processing a payment.

As mentioned previously, deceitful parties that employ caller ID spoofing can not only target a company’s customers but also its team members. In these cases, spoofers may request badge numbers, passwords, company information, and sometimes even false monetary transfers. When these spoofing attacks are successful, it often opens up the door to additional threats with similar methods. 

Text message spoofing

Similar to voice call spoofing, fraudsters also use text messages to launch their attacks. The major difference is that text messages are often used for more casual communications, like meeting reminders and similar events. This means that fraudsters usually take a different approach, for instance, sending a false reminder and asking customers to call a phone number in case they haven’t made the appointment. 

In the scenario above, the user would call the number that appears on the text message, proactively starting a spoofed voice conversation. As with voice calls, spoofed texts employ either known phone numbers or use a tactic known as neighbor spoofing, where they use numbers that have the same area code as the receiver to appear familiar. This increases the chances of catching the receiver’s attention, especially if the message includes convincing and somewhat accurate content.

Keep in mind that text message spoofing is less common than voice calls and other approaches, but can be equally as devastating. Always remember to determine whether you know a number before opening its text messages and be wary when opening links or calling support phone numbers that you receive via text.

IP spoofing

A device’s IP address can be used to determine its location, so this piece of information is commonly used by security systems to verify a user’s location. That said, fraudsters often spoof IP addresses to conceal their true identity and avoid being detected by security measures. This type of attack is often used in tandem with other fraudulent approaches, which can overwhelm the target network and lead to a security breach in the process.

IP spoofing is a relatively technical approach that aims to interrupt a network by simply overloading it with requests from false IPs. Fraudsters can also opt for a more traditional approach by pretending to be a device that’s trusted on the network if they have access to a list of pre-approved gadgets. IP spoofing is not usually an isolated incident, so pay close attention if you notice a spike in IP spoofing attempts targeting your business, customers, or employees.

Browser extension spoofing

Browser extensions can improve functionality and allow you to perform a variety of different tasks that are normally not possible in a web surfing tool. But, even though it may seem like these additional resources come from reliable developers, this is not always the case. When a deceitful entity provides a browser extension while impersonating a reliable developer, it’s called browser extension spoofing. 

Like caller ID spoofing, this type of fraud can target both consumers and employees from a specific company. 

Spoofing a browser extension may seem far less harmful than other forms of fraud, but the truth is that the average consumer regularly inputs a huge amount of information into digital platforms. This includes dates of birth, credit card numbers, company passwords, and similar details, which are exactly what illegal spoofers are looking for.

Email spoofing attacks

Although most people trust their email provider to create an ultra-safe environment, the security protocols that rule this communication method aren’t completely shielded against potential attacks. Skilled fraudsters can make these messages appear as if they are coming from a legitimate source, bypassing the email spam filter that captures suspicious exchanges. 

Email spoofing attacks can have severe repercussions because this form of communication is viewed as being more official. In other words, consumers and employees are used to receiving important emails and responding to sensitive data. When a spoofed email makes it to the receiver, deceitful parties have a much higher chance of exploiting the situation than with other forms of spoofing.

It’s important to understand that email hoaxes sometimes target high-level executives and company leaders as well as customers. The best way to avoid this form of spoofing is to work with your technology team and develop custom protocols that provide an additional layer of protection.

Address resolution protocol spoofing

Internet-capable devices rely on a collection of different technologies that work together to transmit information and display it to online users. One of these technologies is known as Address Resolution Protocol (ARP), which is a set of rules that link IP addresses to each physical device.

Some fraudsters use ARP spoofing to mimic this piece of data and bypass antivirus software and other security mechanisms designed to halt suspicious interactions. By mimicking a device’s ARP, malicious spoofers can link their own computers and other gadgets to a user’s IP. So, if these deceitful parties attempt to log into a client or employee portal, the connection appears as if it’s coming from a local source.

Simply put, if they use ARP spoofing and have the right login credentials, fraudsters can access client and employee portals because the connection looks legitimate.

DNS server spoofing

Similar to ARP, the domain name system (DNS) provides an additional layer of security whenever employees and customers access your website. The DNS check ensures that the URL being displayed belongs to the website that the user is visiting. But, fraudsters can actually introduce corrupt DNS information into a platform’s cache, effectively hijacking the name/URL of a website. 

DNS spoofing is usually performed at the same time as other types of attempts, like man-in-the-middle attacks. In this type of fraud, users access a fraudulent website thinking it belongs to your company, so they enter sensitive information that can range from passwords to payment details and everything in between. 

Remember that once the IP has been spoofed, performing a similar spoofing attack on the DNS becomes much easier. The best approach is to develop a robust security mechanism that covers all potential attack points, including caller ID spoofing.

Website spoofing

Spoofing an entire website is much more complicated than any of its individual parts, but the effects of this type of fraud are catastrophic. During this type of spoofing attack, fraudsters create a false version of your company website that looks and behaves identically to your actual site.  

Spoofed websites tend to have tell-tale signs, but these false platforms are still relatively successful at extracting sensitive information. This approach can be used against employees and customers. Plus, if fraudsters have already spoofed a website’s IP, DNS, and ARP, the fake website becomes more convincing because it likely won’t be flagged by a security tool.

If a client or employee uses a spoofed site without realizing it, this person will likely return to this false URL multiple times. This makes it one of the most popular ways that fraudsters use to collect information gradually.

How to detect caller ID spoofing attacks

Spoofing attacks may not seem like they directly affect the company being spoofed. But, the truth is that these can have a detrimental effect on a business's reputation, especially if it refuses to take some responsibility or address the situation.

To combat caller ID spoofing, business owners should organize employee training sessions and also invest in educating clients. Make sure that employees get into the habit of assessing every single call and give customers resources that help inform them about the dangers of caller ID spoofing as well as identity theft.

Moreover, you can also partner with voice intelligence and performance providers like Hiya. Hiya Connect gives you full visibility into your caller reputation with insights into how many times your calls have been marked as spam or fraud, and whether or not your numbers have been spoofed. Combined with insights gained from Branded Call Intelligence these factors will help mitigate the harmful effects of spoofing.

How to protect against spoofing attacks

There are numerous tools and features available for individuals to protect themselves from the forms of spoofing outlined above. To protect against email spoofing, make sure to turn on your spam filter and avoid clicking on links or attachments from unknown senders. If you receive a suspicious email or text asking you to log in to an account, never click the link they provide. Open another tab and go directly to the site or use the company app.

If you receive a suspicious call requesting sensitive information, call back using the phone number they provide on their official website. Call blocking apps (like Hiya) can also detect spoofed calls and alert you to suspicious activity.

Businesses can protect their customers from spoofing attacks by displaying a branded caller ID that verifies your identity every time you place a call. If customers don’t see your branded ID, they’ll know not to answer.

Minimize the impact of spoofed calls on your brand

Every single person that receives a suspicious call from your number will have a negative perception of your brand. And, the more this happens, the more users will be discouraged from doing business with your company. 

Your business phone numbers are representations of your brand reputation as you reach out and connect with present as well as future customers. Not only this, but they help your team stay informed and in communication, so protecting the numbers that represent your business should be a priority. 

When you think about protecting your company, implementing a robust security infrastructure may be the first thing that comes to mind. However, spoofed calls are now among the most common types of cybercrime, so your security team also needs to safeguard your business from the harmful effects of fraudulent phone number spoofing.

Take the next steps to secure your voice call channel. Check out our 4 Steps to Minimize Fraud & Maximize Security.

 

WP-2101-How-To-Stop-Spoofing-CTA