Spoofing: prevent abuse of your email address

Cybercriminals often pretend to be someone you trust. This makes you more likely to fall into their trap. Consider an email with a fake invoice that appears to come from a supplier you know. The criminal then mimics the sender's e-mail address exactly. This is called spoofing and can be done in many ways. Criminals also fake phone numbers in this way, for example. Find out what you can do about it.

What is spoofing?

Spoofing is a technical trick by which a criminal pretends to be someone else, for example a person you know or someone from an organisation you trust. This is a form of identity fraud and is illegal. The criminal deceives you with a fake sender name, for example via SMS spoofing. In this case, the scammer sends you a text message that appears to be sent by your bank. This makes you think it is okay and you click on the link in the text. The link then infects your computer with malicious software, or malware.

Difference from phishing

With phishing, a fraudster fools you and tries to get confidential information from you. Think of credit card details, national insurance numbers or passwords. Using the spoofing technique, the scammer increases the chances of phishing succeeding. You are more likely to respond to an email that appears to come from your accountant than to an email from an unknown sender.

Many types

A scammer can impersonate someone else through many channels. Besides e-mail spoofing and text spoofing, there is phone number spoofing, for example. The criminal uses the phone number of an organisation you trust, such as your own bank. While you think you have a bank employee on the line, you are actually talking to a scammer who tries to talk you into giving up your PIN. There is also spoofing of internet addresses, or IP addresses. New forms of spoofing are constantly emerging.

Reputation damage

A cybercriminal can also misuse your information for spoofing. Suppose they send a fake invoice to thousands of people on behalf of your business. The sender address, your company name and even your logo: everything about this fake email looks genuine. You may suffer reputational damage if victims think you ripped them off.

Do not fall for spoofing

Be alert. Does it make sense for your bank to send you a text message? Or were you not expecting an e-mail, even if it comes from someone you know? If so, do not respond to the message, do not click on links and do not open attachments. Contact the sender by other means, call him or her, for example. And check whether the message is real or fake.

Preventing spoofing

You do not want criminals to misuse your information, such as your company name, e-mail address and phone number, for spoofing. You cannot prevent it completely, but you can reduce the risks with these tips.

Watch what you share

Think carefully about what information you share, with whom and on which channel. For example, do you need your phone number and e-mail address to be publicly available on your Facebook page or other social media?

Set up a Google Alert

Set up a Google Alert on your company name. Then you will be notified automatically when someone mentions your company name on the internet. This way, you will immediately see when a scammer creates a website under your name. With a Notice-and-Take-Down (NTD) request you can have a fake website that misuses your name taken offline.

Avoid e-mail spoofing

Normally, you and your employees are the only ones who can send e-mails from your domain name. Your domain name is the part of your e-mail address after the @ sign. Often this is the name of your business. Through e-mail spoofing, a criminal can also send e-mails from your domain name and scam your customers. You can prevent this with the Sender Policy Framework (SPF) security technique.

This technique checks where an e-mail really comes from. With SPF, you specify the networks from which e-mails may be sent from your domain name. Is an e-mail sent over the internet in your name that is not sent from a network that you have approved? Then SPF blocks the e-mail so that it does not arrive at the recipient. This makes it harder for criminals to abuse your e-mail address via spoofing.

The Fraude Helpdesk has a step-by-step guide (in Dutch) for installing SPF yourself. Is it too complicated? Then enlist the help of your IT partner or a cybersecurity specialist. Then also ask about other security techniques (in Dutch), such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

How do you recognise and prevent spoofing?