Spoofing is a general term for tricking or deceiving. In the context of consumer data privacy, spoofing usually refers to email or caller ID spoofing. Spoofing is closely related to phishing or scamming and is sometimes used synonymously.
What is email spoofing?
Email spoofing occurs when a scammer sends an email that appears to be from a legitimate email account, but the email address is actually forged. The scammer impersonates another by assuming the other’s email address. Scams that closely resemble this include situations where a scammer closely mimics the email address of a government agency or legitimate and usually well-known business or where a scammer hacks an actual legitimate email and sends out spam email from that real email address.
Why do scammers spoof emails?
The idea is to trick you. The scammer wants to mislead you about the real origin of the message and make you think the email is legitimate. The email is designed to look official, often using forged headers and a disguised sender’s address.
What does the scammer do or say in the spoofed email?
Usually, the scammer emails the victim asking for personal information such as a username and password. Disclosing such information makes you vulnerable to identity theft, risking fraudulent debt and credit disaster.
How can you defend against email spoofing?
There are several ways you can protect yourself against scammers using email spoofing.
- Look for spelling errors. Spoofers often change small details of website and domain names to appear official. For example, a spoofer may use a disguised sending address like “firstname.lastname@example.org” instead of “email@example.com” or a disguised website link of “www.paypals.com/signin” instead of “www.paypal.com/signin.”
- Check that the email is personalized. Spoofers often address emails generally, using greetings such as “Dear customer,” “Dear valued XYZ customer,” or “Dear XYZ user.” Nearly all major businesses have adopted policies requiring the use of personalized information in official emails. For example, an official bank email will usually include your name and the last four digits of your account number. Be cautious if you receive an email addressed generally asking for personal information.
- Look for threats. Spoofers usually create a sense of urgency with their emails. They may state that an account is overdrawn or indicate impending legal trouble using implicitly threatening language. If you believe the danger could be legitimate, contact the business directly rather than by replying to the threatening email.
- Double-check email addresses and links. Almost all email programs allow users to check email addresses and links. When you hover your cursor over the text of an email address or link, a pop-up should appear indicating the true location of the email or link. If the pop-up location does not match the text of the email or link, it may be a spoof email.
- Trust your spam filters. Spam filters are designed to detect and block emails sent from abnormal or faulty addresses. If you see that an apparently important message has been filtered as spam, check it carefully to ensure it is not from a spoof email address.
- If you have any doubts, contact the business or other email sender directly. If you have any doubt that the email or link really came from the business or other entity that apparently sent it, contact that entity directly using contact information you obtain from somewhere other than the potentially spoofed email.
The following spoof email was created using an easily accessible website. The Massachusetts logo was copied from the state website, and the fake hyperlink was embedded using simple email tools. The ease with which spoof emails can be created requires that consumers remain guarded when they receive emails similar to this.
This mock spoof email was designed to look like a notification of uncollected money from the government. It includes an official-looking state seal and is from an official-looking email address, “disbursements.admin@MassMail.State.MA.US”. The subject, “ATTENTION: Outstanding Disbursement,” was made to look somewhat important and urgent. There is a website link embedded in the email, apparently leading to a login site where the recipient can collect the money owed. It also states that the disbursement will be forfeited if not collected, creating an incentive to act quickly. However, there are several warning signs that this is not from an official source.
This is a view of the spoof email website used to create the mock spoof email. As you can see, creating a spoof email is as easy as choosing a seemingly legitimate source email address and a target.
- The language used here to address the recipient is vague and seems to indicate that whoever sent the email did not know the name of its recipient. Important emails will usually include personalized information beyond vague salutations. As stated above, most major businesses have adopted policies requiring the use of personalized information in official emails.
- This threat that the disbursement will be forfeited is meant to create a sense of urgency in the recipient, compelling them to act quickly. The scammer hopes that the recipient will act without carefully evaluating the source of the email, increasing the chance that personal information will be stolen.
- In this email service, moving the cursor over the linked website displays the actual destination website on the bottom left, as shown. Most email services function similarly, displaying the destination website when the cursor moves over the displayed link text. Spoofers use email tools to make the link's actual destination differ from the website text that is displayed. So, even though in this example the displayed website link is “https://www.mass.gov/portal/disbursements/login,” the actual destination website is “http://www.mass.gov/ocabr/.” If this were a real spoof email, the destination website would be something malicious and not the Office of Consumer Affairs and Business Regulation website. For example, it might be a fake website designed to look like a legitimate government disbursement site requiring your social security number for login. Alternatively, it could be a website that installs a computer virus.
NOTE - The Office of Consumer Affairs and Business Regulation is a legitimate state government agency, and this fake spoof email was created by the Office to be used only as an example.
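The checks in the email-spoofing defense list above (lookalike sender domains, generic greetings, urgency language, and displayed link text that does not match the real destination, as in the mock Massachusetts email) can be applied programmatically, which is how a mail filter or a cautious recipient's script would do it. The following Python is an added example and is not part of the original page or any state tool; the allowlist of "known" domains, the keyword lists, and all three sample messages are constructed for this illustration. The link-mismatch check does the same comparison a mail client's hover pop-up lets you do by eye.

```python
"""Added example: apply the page's email-spoofing warning signs to a message.

Not from the original page. KNOWN_DOMAINS, the keyword lists and the
sample messages are all constructed for this illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains the recipient actually has a relationship with.
KNOWN_DOMAINS = ("paypal.com", "mass.gov")
GENERIC_GREETINGS = ("dear customer", "dear valued", "dear user", "dear sir", "dear madam")
URGENCY_WORDS = ("immediately", "within 24 hours", "forfeit", "suspended", "legal action", "arrest")
# Display text that itself looks like a URL or hostname (the "www.paypal.com/signin" case).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (displayed text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; a bare 'www.x.com/path' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'paypals.com' is one edit away from 'paypal.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(domain: str) -> list:
    """Known domains that differ from `domain` by exactly one edit."""
    return [k for k in KNOWN_DOMAINS if domain != k and edit_distance(domain, k) <= 1]


def check_email(from_addr: str, body_html: str) -> list:
    """Return a list of warning strings; an empty list means no sign was triggered."""
    warnings = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()

    if any(g in text for g in GENERIC_GREETINGS):          # vague salutation
        warnings.append("generic greeting")
    if any(w in text for w in URGENCY_WORDS):              # threats / urgency
        warnings.append("urgency language")

    sender_domain = registrable(from_addr.rsplit("@", 1)[-1].lower())
    for k in lookalikes(sender_domain):                    # e.g. paypals.com
        warnings.append(f"sender domain {sender_domain} resembles {k}")

    parser = LinkCollector()
    parser.feed(body_html)
    for shown, href in parser.links:
        real_host = host_of(href)
        if URL_LIKE.match(shown):                          # displayed text vs real target
            shown_host = host_of(shown)
            if registrable(shown_host) != registrable(real_host):
                warnings.append(f"link shows {shown_host} but goes to {real_host}")
        for k in lookalikes(registrable(real_host)):
            warnings.append(f"link domain {registrable(real_host)} resembles {k}")
    return warnings


# Constructed samples (not real messages).
SPOOF_HTML = (
    "<p>Dear Customer,</p>"
    "<p>Your account will be suspended unless you verify it immediately.</p>"
    '<p><a href="http://www.paypals.com/signin">www.paypal.com/signin</a></p>'
)
LEGIT_HTML = (
    "<p>Dear Jane Doe (account ending 1234),</p>"
    "<p>Your monthly statement is available.</p>"
    '<p><a href="https://www.paypal.com/signin">www.paypal.com/signin</a></p>'
)
# Modelled on the page's mock disbursement email, with a constructed malicious target.
MOCK_STATE_HTML = (
    "<p>Dear Resident,</p>"
    "<p>Your disbursement will be forfeited if not collected.</p>"
    '<p><a href="http://login.example.net/collect">'
    "https://www.mass.gov/portal/disbursements/login</a></p>"
)

if __name__ == "__main__":
    for sender, body in [("service@paypals.com", SPOOF_HTML),
                         ("service@paypal.com", LEGIT_HTML),
                         ("disbursements.admin@MassMail.State.MA.US", MOCK_STATE_HTML)]:
        print(sender, "->", check_email(sender, body) or "no warnings")
```

The registrable-domain helper deliberately compares only the last two labels, so a legitimate `www.mass.gov` link whose real destination is another `mass.gov` page (the page's benign demo) is not flagged, while a displayed `mass.gov` link that actually leads elsewhere is. A one-edit threshold for lookalikes keeps false positives low; a production filter would use a public-suffix list and a larger brand list instead of this toy allowlist.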
CALLER ID SPOOFING
What is caller ID spoofing?
Some identity thieves disguise the number from which they are calling so it will appear as a different number on caller ID. This is often accomplished by using software that will mask the real number and show a dummy number.
Why do scammers use caller ID spoofing?
Scammers want you to believe they are calling from a legitimate source and want to hide the actual number from which they call so it is harder to trace. Many scammers use numbers in certain area codes, such as Washington D.C. or even your own area code, to make the call seem more legitimate. Some scammers even spoof your own phone number, so that your own number pops up on caller ID, to mask the real number.
What are scammers who use caller ID spoofing looking for?
Usually, they want your money or to gain access to your personal information to commit identity theft.
What are some examples of caller ID spoofing?
A spoofer may call with the number disguised as that of a bank and ask their victim to verify account information. Many spoofers currently use this strategy to pose as the Internal Revenue Service, threatening legal action, fines, or jail. Other spoofers capitalize on an event, such as scammers pretending to be home improvement contractors who call around asking if people’s roofs were damaged in a recent storm. If this happens, the “contractors” may make a show of assessing damages, ask for money up front, and then disappear. Review the information on our website on home improvement for steps on finding a contractor and other important information.
Find below an example exchange with a caller ID spoofer pretending to be from the IRS.
Spoofer: Hello, is this [consumer’s name]?
Consumer: Yes, speaking.
Spoofer: [consumer’s name], my name is John Jones. I am a police officer that works for the IRS in Washington DC. You owe a lot of money and you will be sued. The suit will be registered by your local county court within the next hour, and the sheriff will be coming to your house to arrest you for tax evasion.
Consumer: What is the lawsuit for?
Spoofer: The lawsuit is filed against you for tax evasion in violation of the Federal Judiciary Act Chapter 32B.
Consumer: Is there anything I can do?
Spoofer: If you want to settle the case out of court, you can transfer the money to the IRS. If not, you will be arrested within the hour and a lien will be placed on your assets.
Be careful if you receive a call such as the IRS spoofing call above. The real IRS would never call and threaten jail time.
How can you defend against caller ID spoofing?
- Do not give out personal information to someone who has called you. If someone calls asking for important financial or personal information, ask for their contact information and say that you will call them back.
- Use an online search engine to reverse-lookup their phone number. Use the information you are given to check online whether the phone number is associated with any known scams.
- Do not trust caller ID. Unfortunately, caller ID is easily manipulated by spoofers, making it an unreliable source for identifying callers. If you have any doubts regarding the identity of a caller, hang up and call the business directly using official contact information.
- If you have any doubts, contact the source directly. Just as with email spoofing, if you have any doubt that the call really came from a legitimate source, contact the source directly using accurate contact information you have obtained from a neutral source.