Is there anything I can do to prevent Spoofing or Phishing?

Unfortunately, there is nothing an individual can do at this point in time to stop spoofing or phishing from happening. Users must be vigilant in making sure the emails they respond to are legitimately from someone they know or are expecting communication from.


What is the difference between Phishing & Spoofing?

Phishing occurs when criminals obtain information about you from websites or social networking sites and customize a phishing scheme to you. Spoofing describes a criminal who impersonates another individual or organization with the intent to gather personal or business information. Both are cyberattack methods that we see over and over again. Although people often treat the terms as interchangeable, spoofing and phishing are actually different tactics. Cybercriminals use both to misrepresent who they are and obtain data.


Is Spoofing/Phishing the same as getting Hacked?

If you get such an email, or if someone gets such an email that appears to be from you but that you did not send, does that mean your email has been hacked? The short answer is no.

Hacking, Spoofing & Phishing are all different methods that bad actors use to manipulate individuals and businesses into doing things that are against their best interests. Hacking and Spoofing/Phishing can appear to be the same at first glance but are actually quite different. The risks of hacking, especially for businesses, are much greater than those posed by spoofing. 

Hacking means your email and/or systems have been accessed, passwords have been acquired, and your system may be at risk.


What Is Phishing?

Phishing is a prevalent type of social engineering that aims to steal data from the message recipient. Typically, this data includes personal information, usernames and passwords, and/or financial information.

How does phishing typically work? 

When executing a phishing attempt, attackers send a message whose authenticity is spoofed. The message (whether via email, phone, SMS, etc.) succeeds when the user trusts it as a valid request from a trustworthy sender. The attacker’s objective is to get the target to click a link that redirects them to a fake website or forces a malicious file to be downloaded. An illegitimate link will try to trick users into handing over personal information such as account credentials for social media or online banking.

The majority of phishing attempts are not targeted but rather sent out to millions of potential victims in hopes that some will fall for the generic attack. Targeted phishing attempts are a bit more complex and require that the bad actor plan the attack and strategically deploy the phishing attempts.  Below we look at a few types of phishing attacks and the differences between them.

The 4 Types of “Phishing”

Spear Phishing

A Spear Phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate those personal details in order to appear more legitimate. These attacks are typically more successful because they are more believable. In other words, this type of attack has much more context that is relevant to the target.


Whaling

Whaling is a sub-type of Spear Phishing and is typically even more targeted. The difference is that Whaling is targeted to specific individuals such as business executives, celebrities, and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.


Smishing

Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the notification the individual receives and because more people are likely to read a text message than an email. With the rising popularity of SMS messaging between consumers and businesses, Smishing has become increasingly popular.


Vishing

Vishing is a type of phishing attack carried out via phone call. The attackers call the victim, usually with a pre-recorded message or a script. In a recent Twitter breach, a group of hackers pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials entirely through phone conversations.

What Is Spoofing?

Email spoofing is an expression used to describe fraudulent email activity in which the sender’s name, address, and possibly other parts of the email header are altered to appear as though the email originated from someone or somewhere other than the actual source. It is essentially a form of identity fraud, as the actual sender pretends to be someone they are not in order to elicit a response from the recipient. Typical desired responses range from merely opening a message to responding to the solicitation and sending money or revealing personal information.

Here’s a simple analogy to help you understand.  If you receive a letter through the US Postal Service, you rely on the return address as an indicator of where it originated.  However, there is nothing stopping the sender from writing a different name and address, leaving you with no guarantee that the letter is actually from the person and address listed in the return address.

What is the use of Spoofing?

Email spoofing is a technique commonly used by malicious individuals when sending out spam, phishing, or malware-laden emails to hide the origin of an email message and, in turn, increase the chances that you will respond or react as they hoped you would. By changing certain properties of the email, such as the ‘From’, ‘Reply-To’, and ‘Return-Path’ fields found in the message header, malicious users can make the email appear to be from someone other than the actual sender.
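As an added illustration (not part of the original page), the following Python script parses a constructed sample message and reports when the ‘From’, ‘Reply-To’ and ‘Return-Path’ headers named above point at different domains, which is one of the things a recipient or a mail filter can check. The message, addresses and domains are made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original page): the visible From
# claims a bank, while Reply-To and Return-Path point at unrelated domains.
SAMPLE_RAW = """\
Return-Path: <bounce-4711@mailer.example.net>
From: "Example Bank Support" <support@examplebank.example>
Reply-To: verify-account@examplebank-security.example
To: alice@example.org
Subject: Urgent: confirm your account
Content-Type: text/plain; charset="utf-8"

Please confirm your credentials at the link below.
"""

HEADERS = ("From", "Reply-To", "Return-Path")


def sender_domains(raw):
    """Map each of the three header fields to the domain of the address it carries."""
    msg = message_from_string(raw)
    domains = {}
    for name in HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        _display_name, addr = parseaddr(value)  # strips the display name and <>
        if "@" in addr:
            domains[name] = addr.rsplit("@", 1)[1].lower()
    return domains


def spoof_indicators(raw):
    """Return warnings when Reply-To or Return-Path disagree with From.
    Agreement does not prove the mail is genuine; disagreement is a reason to look harder."""
    domains = sender_domains(raw)
    from_domain = domains.get("From")
    if from_domain is None:
        return ["From header missing or unparsable"]
    warnings = []
    for name in ("Reply-To", "Return-Path"):
        other = domains.get(name)
        if other is not None and other != from_domain:
            warnings.append(f"{name} domain {other!r} differs from From domain {from_domain!r}")
    return warnings


if __name__ == "__main__":
    for warning in spoof_indicators(SAMPLE_RAW):
        print("WARNING:", warning)
```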

While most often used for malicious intent, spoofing can also be used legitimately. An example might be a sender who would like to bring something to the attention of a supervisor or the authorities but prefers to remain anonymous due to fear of retaliation. However, it should be noted that in some jurisdictions, spoofing a third party without their consent by altering or falsifying email headers is illegal.

Why Is Spoofing Possible?

Email spoofing is possible because the main protocol used to send email, the Simple Mail Transfer Protocol (SMTP), does not include an authentication mechanism. An SMTP service extension for authentication does exist that allows an SMTP client to negotiate a security level with an email server, but this extension is not always used. Where it is not used (a configuration known as an open relay server), anyone with the required knowledge can connect to the server and use it to send messages that appear to be from any address of their choosing, whether a valid email address or a correctly formatted fictitious one. The same goes for the return address.

NOTE: Even when a mail server uses the available SMTP service extension for authentication, it does not stop authenticated users (those with a valid username and password to use the mail server) from being able to send out spoofed emails.

What Are The Risks of Spoofed Emails?

The risks associated with spoofed emails range from nuisance to endangerment of personal safety. While most spoofed emails, like spam, fall into the nuisance category, which requires minimal action on the recipient’s part to remove, the more malicious varieties can cause serious problems. These problems may range from identity theft to threats to personal safety. For instance, a spoofed email may claim to be from someone or some group in a position of authority asking for sensitive data such as account credentials (username and password), credit card or bank account numbers, or other personal information (e.g. date of birth, social security number), any of which could be used for an assortment of criminal purposes. Bank One, Citibank, PayPal, eBay, AOL, Yahoo!, the IRS, and the FDIC are a few among the many groups that have been spoofed in mass phishing campaigns.

However, having your own email address spoofed can be even worse. For example, if an individual sending out spam uses your email address, you may find yourself flooded with angry complaints, or even threats of physical harm, from the recipients of the spam. You may also receive bounced-back emails (known as bounce messages) from bad addresses used by the spammers. It is also possible in this case to end up having your address added to a known-spammers list or a group’s email blacklist, which would result in your messages being banned from delivery. Self-sending spam, a type of spoofing in which the sender is forged to be the same as the recipient of an email, makes it seem as if you sent the email to yourself.

NOTE: Please realize that in some cases it may not be possible to identify the origin of the spoofed email or to take action against the forger, as not every state or country has laws against spoofing.


What can I do?

Be AWARE! Look at every email address, take a minute to assess the email, and check the signatures and website links for legitimacy. Look at the time stamp and the time zone. When in doubt, ASK your IT professional. If the email doesn’t look legit, it probably isn’t.