What is a Spoofing Attack?

Bart Lenaerts-Bergmans - September 2, 2022

Spoofing Definition

Spoofing is a technique through which a cybercriminal disguises themselves as a known or trusted source. Spoofing can take many forms, such as spoofed emails, IP spoofing, DNS spoofing, GPS spoofing, website spoofing, and spoofed calls.

In so doing, the adversary is able to engage with the target and access their systems or devices with the ultimate goal of stealing information, extorting money or installing malware or other harmful software on the device.

How does Spoofing Work?

Spoofing techniques vary based on the type of attack. For example, in email spoofing, the adversary can hack an unsecured mail server in order to hide their true identity. In a man-in-the-middle (MitM) attack, an adversary can create a Wi-Fi access point in order to intercept any web activity and gather personal information. There are also relatively simple or non-technical spoofing techniques, such as altering the “From” field in an email.

It is fairly common for attackers to spoof multiple points of contact, such as an email address and website, in order to initiate the communication and carry out the actual attack. For example, cybercriminals may spoof an email address in order to engage a potential victim and then use a spoofed website to capture the user’s login credentials or other information. Familiarizing yourself with the different types of spoofing attacks is critical in understanding how spoofing works.

Types of Spoofing Attacks

Spoofing attacks take many forms, from the relatively simple to the advanced. Common types of spoofing attacks include:

Email Spoofing

One of the most common types of spoofing attacks is email spoofing. This occurs when an attacker purports to be a known, familiar or plausible contact by either altering the “From” field to match a trusted contact or mimicking the name and email address of a known contact. For example, a spoofed email address may use a zero (0) in place of the letter O, or substitute an uppercase I for a lower-case L. This is called a homograph attack or visual spoofing.

In most email spoofing attacks, the message contains links to malicious websites or infected attachments. The attacker may also use social engineering techniques to convince the recipient to divulge personal data or other sensitive information.

Caller ID Spoofing

Similar to email spoofing, caller ID spoofing disguises an adversary’s actual phone number with one that is familiar. If the recipient answers the phone, attackers typically pose as a customer support agent to gather personal information, such as:

  • Social security number
  • Date of birth
  • Banking details
  • Passwords

Some advanced telephone spoofing attacks can reroute the call to an international or long-distance carrier, causing the victim to rack up extensive bills.

Website or Domain Spoofing

Domain spoofing is when an attacker creates a website that mimics an existing site – often by slightly changing domain names. The goal of these attacks is to have users attempt to log into their account, at which point the attacker can record their account credentials or other personal information. The attackers can then use the credentials on a trusted website or sell the information. Website spoof attacks are usually triggered by an email spoof—meaning that the attacker first reaches out using a fictitious email account and drives traffic to the spoofed website.
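
The look-alike substitutions described under Email Spoofing (a zero for the letter O, an uppercase I for a lowercase L) and the slightly altered domain names described here can be caught by the same check. The following is an added example, not code from the original article; the trusted-domain list, function names and sample headers are assumptions constructed for illustration, and the digit 1 is folded in as a generalization beyond the two cases in the text.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: domains this organisation trusts (constructed sample values).
TRUSTED_DOMAINS = ("contoso.com", "examplebank.com")

# After lower-casing, fold look-alike characters into one representative:
# zero -> o, and i / 1 -> l (an uppercase I has already become "i").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(domain: str) -> str:
    """Return a comparison form in which visually similar domains collide."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return folded.translate(CONFUSABLES)


def classify_sender(from_header: str):
    """Return (verdict, trusted_domain_involved) for one From header."""
    display, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return ("invalid", None)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton but a different spelling: a visual look-alike.
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike", trusted)
    for trusted in TRUSTED_DOMAINS:
        # Display name borrows a trusted brand while the address is elsewhere.
        if trusted.split(".")[0] in display.lower():
            return ("display-name mismatch", trusted)
    return ("unknown", None)


# Constructed sample From headers.
SAMPLES = [
    "Example Bank <alerts@examplebank.com>",
    "Example Bank <alerts@exampIebank.com>",
    "Contoso IT <helpdesk@c0ntoso.com>",
    "Contoso Billing <billing@secure-pay.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

This folding covers ASCII look-alikes only; characters borrowed from other scripts need a fuller confusables table.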

IP Spoofing

Attackers can alter their IP address in order to hide their real identity or impersonate another user. This technique is commonly used by advanced adversaries in a denial-of-service (DoS) attack. Using this technique, attackers alter their IP address in order to flood the victim’s site with traffic, limiting access for authentic users.

Address Resolution Protocol (ARP) Spoofing

Address Resolution Protocol (ARP) is the process of matching IP addresses to Media Access Control (MAC) addresses in order to transmit data. In an ARP spoofing attack, the adversary links their MAC to a legitimate network IP address so the attacker can receive data meant for the owner of that IP address. ARP spoofing is commonly used to steal or modify data. However, it can also be used in DoS and man-in-the-middle (MitM) attacks or in session hijacking.
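
From the defender's side, the rebinding described above shows up as a known IP address suddenly being claimed by a different MAC address. The following is an added example, not code from the original article; the observation format, function names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
OBSERVATIONS = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (30, "192.168.1.1", "AA-BB-CC-00-00-01"),  # same gateway MAC, other notation
    (31, "192.168.1.1", "aa:bb:cc:00:00:30"),  # gateway IP claimed by .30's MAC
    (32, "192.168.1.1", "aa:bb:cc:00:00:30"),  # repeat, reported only once
]


def normalize_mac(mac: str) -> str:
    """Lower-case and use colons so notation differences do not raise alerts."""
    return mac.lower().replace("-", ":")


def find_arp_conflicts(observations, static_bindings=None):
    """Flag ARP replies that bind a known IP address to a different MAC.

    Without static_bindings the first MAC seen for an IP is trusted
    (trust on first use), which is an assumption of this example.
    """
    bindings = {ip: normalize_mac(m) for ip, m in (static_bindings or {}).items()}
    ips_by_mac = defaultdict(set)   # every IP each MAC has claimed so far
    reported = set()
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = normalize_mac(mac)
        expected = bindings.setdefault(ip, mac)
        if expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({
                "time": ts,
                "ip": ip,
                "expected_mac": expected,
                "claimed_mac": mac,
                # A MAC that already answers for another IP is a stronger signal.
                "also_claims": sorted(ips_by_mac[mac] - {ip}),
            })
        ips_by_mac[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(OBSERVATIONS):
        print(alert)
```

Legitimate changes such as a replaced network card or a reassigned DHCP lease also trigger the alert, so the `also_claims` field is what separates a probable spoof from routine churn.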

GPS Spoofing

GPS spoofing is the act of altering a device’s GPS so that it registers in a location different from the user’s physical location. While this technique is mostly used by players of online games, such as Pokémon GO, it has far more sinister implications. For example, GPS spoofing can be used to redirect navigation systems in vehicles of all kinds, including passenger cars, commercial airplanes, naval vessels, public buses and everything in between.

Man-in-the-Middle (MitM) Attack

A man-in-the-middle (MitM) attack is a type of cyberattack in which a third party infiltrates a conversation between a network user and a web application. The goal of this attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party in order to solicit additional information or spur action, such as changing login credentials, completing a transaction or initiating a transfer of funds. This type of attack often includes either email spoofing, website spoofing or both in order to trigger activity and carry out the transfer of data.

Facial Spoofing

One emerging spoofing technique is related to facial recognition. Since many people now use such technology to unlock their phones or apps, cybercriminals are exploring how to exploit potential vulnerabilities. For example, researchers have demonstrated that it is possible to use 3D facial models built from pictures available on social media to unlock the user’s device via face ID. Further implications for this technology include simulating embarrassing or even criminal video footage of high-profile individuals, such as celebrities, politicians and business leaders in order to extort money.

How can I detect Spoofing?

In many cases, spoofing attacks are relatively simple to detect and prevent through diligence and awareness. We offer the following list of questions that users can reference to identify a spoofing attack:

  • Is this request solicited? For example, if a user receives a password reset email without requesting it from the site, it may be a spoofing attempt.
  • Does the message request sensitive information? Reputable businesses and government agencies will never ask people to share sensitive information like passwords or social security numbers in full by email or phone.
  • Is the organization using a different domain? When receiving a message that contains links, hover over the hyperlink text to preview where the link leads. Banks, doctors, schools or other legitimate service providers will never attempt to route activity or communication through a URL that does not match their current domain.
  • Does the website or link point to an HTTPS address? Secure sites almost always use HTTPS, the encrypted version of HTTP, when transferring data.
  • Does the message contain an unsolicited attachment? Legitimate companies will direct users to their official website to access and download files. Never download an unsolicited attachment even from a trusted or familiar source, such as a family member or colleague.
  • Is the message personalized and professional? Reputable service providers will interact with customers in a personalized and professional way. Very few will begin emails or other messages with generic greetings such as, “Dear customer,” or “To whom it may concern.”
  • Does the correspondence contain obvious grammar and spelling errors? One of the easiest ways to spot a spoofing attempt is through poor grammar, spelling, design or branding. It is a deliberate technique used by hackers to weed out savvy users and entrap easier targets.

How can I protect against Spoofing Attacks?

For everyday users, the best way to protect against spoofing is to stay vigilant for the signs of such an attack noted above and to follow these practices:

  • Never click unsolicited links or download unexpected attachments.
  • Always log into your account through a new browser tab or official app — not a link from an email or text.
  • Only access URLs that begin with HTTPS.
  • Never share personal information, such as identification numbers, account numbers or passwords, via phone or email.
  • When contacted by a customer service representative via phone or email, perform a Google search to determine if the number or address is associated with any scams.
  • Use a password manager, which will automatically enter a saved password into a recognized site (but not a spoofed site).
  • Use a spam filter to prevent a majority of spoofed emails from reaching your inbox.
  • Invest in cybersecurity software, which will detect many threats and even stop them from infecting your device.
  • Enable two-way authentication whenever possible, which makes accounts far more difficult for attackers to exploit.

Due to the advanced nature of the threat landscape, as well as the complexity of global business operations, organizations must leverage the latest digital technologies to stay a step ahead of online adversaries.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has 20+ years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.