Spoofing: The trick that makes you trust a criminal
Edited 21 December 2022
Cybercriminals often pretend to be someone you trust. Consider an email with a fake invoice that appears to come from a supplier you know: the criminal forges the sender address so that it looks exactly like the supplier's. This is called spoofing, and it can be done in many ways. Criminals fake phone numbers in the same way, for example. Find out what types of spoofing there are and what you can do about it.
What is spoofing?
Spoofing is a technical trick by which a criminal pretends to be someone else: a person you know, or someone from an organisation you trust, such as your bank. The criminal deceives you with a forged sender. Take SMS spoofing: the scammer sends you a text message that appears to come from someone you know, so you assume it is genuine and tap the link in the text. The link then takes you to a fake website that harvests your details, or infects your device with malicious software (malware).
Many types of spoofing
A scammer can impersonate someone else in many different ways. Besides email spoofing and text-message spoofing, there is phone number (caller ID) spoofing. The criminal makes the call appear to come from the number of an organisation you trust, for example your own bank. While you think you have a bank employee on the line, you are actually talking to a scammer who is trying to trick you into giving up your PIN. The same technique is used to make calls appear to come from a Dutch phone number while the criminals are actually calling from abroad. There is also spoofing of internet addresses (IP addresses). New forms of spoofing are constantly emerging.
Difference with phishing
With phishing, a fraudster tries to obtain confidential information from you with fake messages. Think of credit card details, national insurance numbers or passwords. Spoofing increases the chances of phishing succeeding: you are more likely to respond to an email that appears to come from your accountant than to an email from an unknown sender.
Do not fall for spoofing
Be alert. Does it make sense for your bank to send you a text message? Were you not expecting an email, even if it appears to come from someone you know? If so, do not respond to the message, do not click on links and do not open attachments. Contact the sender through a channel you already trust, for example by calling a phone number you already have, not the number or link in the message itself, and check whether the message is genuine.
How do you recognise and prevent spoofing?
Preventing misuse of your identity
A cybercriminal can also misuse your data for spoofing. For example, they send a fake invoice to thousands of people in the name of your company. The sender address, your company name and even your logo: everything looks right in this fake email. This is a form of identity fraud and is illegal. You may suffer reputational damage if victims think you ripped them off.
You cannot completely prevent criminals from abusing your data for spoofing, but you can reduce the risks with these tips:
1. Watch what you share
Think carefully about what information you share, with whom and where. For example, do you need your phone number and email address to be publicly available on your Facebook page or other social media?
2. Set up a Google Alert
Set up a Google Alert on your company name. You will then be notified automatically when someone mentions your company name on the internet, so you see quickly when a scammer creates a website under your name. With a Notice-and-Take-Down (NTD) request to the hosting provider you can have such a fake website taken offline.
3. Secure your email software
Normally, you and your employees are the only ones who send emails from your domain name. Your domain name is the part of your email address after the @ sign; often this is the name of your business. Through email spoofing, a criminal can also send emails that appear to come from your domain name and scam your customers. You can make this much harder with the Sender Policy Framework (SPF) (in Dutch).
With SPF you publish, in your domain's DNS, a list of the mail servers (IP addresses or networks) that are allowed to send email for your domain. A receiving mail server looks up that list and compares it with the server the email actually came from. If the sending server is not on your list, the receiver can reject the email or mark it as suspicious. Note that SPF does not block anything by itself: it only gives the receiving server the information to do so, and how strictly receivers act depends on your record (a "hard fail" with -all is treated far more seriously than a "soft fail" with ~all) and on their own policy. SPF also only checks the envelope sender, not the From address the recipient sees on screen, which is why it is normally combined with DKIM and DMARC.
The Fraude Helpdesk has a step-by-step guide (in Dutch) for publishing an SPF record yourself. Is it too complicated? Then enlist the help of your IT partner or a cybersecurity specialist, and also ask about the other security techniques (in Dutch): DomainKeys Identified Mail (DKIM), which adds a digital signature to your emails, and Domain-based Message Authentication, Reporting, and Conformance (DMARC), which tells receivers what to do with emails that fail SPF and DKIM and sends you reports about who is sending email in your name.
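To show what a receiving mail server actually does with an SPF record, and why a weak record or a missing DMARC policy leaves spoofed email deliverable, here is an added example (not code from the original article or the Fraude Helpdesk guide). It is a deliberately minimal SPF and DMARC evaluator: it only understands the ip4, ip6, include and all terms, assumes the envelope sender domain and the visible From domain are the same, and takes the DKIM result as a given input rather than verifying a signature. All domain names, IP addresses and DNS records in it are constructed for the demonstration; a real receiver uses a full RFC 7208 evaluator.

```python
"""Minimal SPF/DMARC evaluation over constructed DNS records.

Added illustration, not production code: real receivers use a complete
RFC 7208 / RFC 7489 implementation. Domains, IPs and records are constructed.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains).
TXT_RECORDS = {
    # Strict record: own mail servers plus a mail provider, everything else hard-fails.
    "example-shop.nl": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # Weak record: unknown senders only "soft-fail", which most receivers still deliver.
    "weak-shop.nl": "v=spf1 ip4:203.0.113.0/24 ~all",
    # Broken record: +all authorises the entire internet to send as this domain.
    "open-shop.nl": "v=spf1 +all",
    # DMARC policies live under the _dmarc subdomain.
    "_dmarc.example-shop.nl": "v=DMARC1; p=reject; rua=mailto:dmarc@example-shop.nl",
    "_dmarc.weak-shop.nl": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming MAIL FROM <...@domain>."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF published: receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                # matches everything not matched earlier
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":          # matches only if the included record passes
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms (a, mx, exists, ...) are ignored in this simplified evaluator
    return "neutral"


def dmarc_policy(domain):
    """Return the requested DMARC policy (p= tag) for domain, or 'none'."""
    record = TXT_RECORDS.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"


def disposition(from_domain, sender_ip, dkim_pass=False):
    """What a DMARC-aware receiver does with a message (simplified alignment:
    the envelope sender domain is assumed to equal the visible From domain).
    dkim_pass is supplied by the caller; signature verification is out of scope."""
    spf = check_spf(from_domain, sender_ip)
    if spf == "pass" or dkim_pass:
        return "deliver"
    policy = dmarc_policy(from_domain)
    if policy in ("reject", "quarantine"):
        return policy                    # the domain owner told receivers what to do
    if spf == "fail":
        return "reject"                  # many receivers reject on hard fail even without DMARC
    return "deliver-unverified"          # softfail/neutral/none without DMARC: usually delivered


if __name__ == "__main__":
    # A spoofer on a constructed "attacker" address 192.0.2.77 sends as each domain.
    for domain in ("example-shop.nl", "weak-shop.nl", "open-shop.nl"):
        print(domain, check_spf(domain, "192.0.2.77"), disposition(domain, "192.0.2.77"))
```

Run the block as a script to see the three outcomes side by side: the strict record with DMARC p=reject gets the spoofed message rejected, the ~all record with p=none gets it delivered unverified, and the +all record makes the spoofer pass SPF outright. The disposition function is where DKIM matters: a message signed with the domain's DKIM key is still delivered even when it legitimately comes from a server not in the SPF list, such as a mailing-list or forwarding service.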