Are you being Spoofed? How to Spot and Avoid Spoofing

We explain some of the most commonly reported methods of spoofing, and how to avoid falling prey to them.

What is spoofing?

Your phone rings. A recorded, robotic voice with an American accent says you it’s from HMRC and you are about to go to prison for tax evasion. But you can save the day by going to a specific website immediately to report if you believe there has been an error. That was a crude but common attempt at spoofing.

The message was not from HMRC and the website was not the real HMRC website.

Unfortunately, many spoofing attempts are much more convincing and can be very hard to distinguish from communications that come from the real organisation or company. Cyber attackers are increasingly using spoof communications that deceive victims into handing over data or money – either their own, or their company’s. The UK is now the most dangerous country for such attacks in Europe.

Phishing emails, the commonest spoofing at work

What is phishing?

This is an extremely prevalent type of spoofing attack. Cybercriminals send emails that seem to be from respectable organisations or contacts. When the victim clicks on the link in the phishing email, they may be directed to a spoof website payment page where cybercriminals can steal their details or money. Alternatively, they may have malicious software loaded onto their device where cybercriminals can take control of that device, log keystrokes, gain access to personal information and financial data for financial theft and identity theft, or simply direct the victim to a payment page.

How to recognise phishing emails

These are the main ways to detect phishing emails.

1. Emails from genuine sources, especially government agencies or banks, never contain online demands for personal and financial information. Your bank will message you regularly telling you they will never phone up to ask you to give out your details to them.
2. Impersonal greetings are a warning sign. Scammers are less likely to personalise the email greeting and subject with your name, though unfortunately some of them are able to do this nowadays.
3. Spelling and grammar errors can be indicators of a hoax email. Scammers often put these in deliberately to filter in the most vulnerable potential victims, and to filter out the type of people who will realise they’re being scammed as the trickery progresses, and ultimately report them.
4. Verify the email address by hovering your cursor over the link in the email without clicking. On a mobile phone, tap the email address. This can rapidly show whether or not the email is genuine. If you get a genuine email relating to your Tesco account, it will not come from tesco@hotmail.com nor will it come from anything like &&^%$£%^(^%^&$^&&*()&*@ob.fn.
5. Never react to strongly worded, emotional or threatening messages that tell you to respond quickly or are designed to make you panic. Would any trustworthy organisation consider that a professional way to communicate? These are warning indicators of scam emails designed to circumvent your logic and elicit a knee-jerk response that you will repent at your leisure.

Vishing, the voice message spoofing

What is vishing?

Vishing is a combination of the words “voice” and “phishing,” and it refers to the illegal practise of employing internet telephone service (VoIP) calls to trick victims into disclosing personal and payment information. Vishing scams targeting domestic residences frequently use recorded audio messages claiming to be from banks and government agencies to fluster victims into responding right away.

Scammers’ technology has advanced to the point where speech imitation might be employed in more sophisticated attacks on large corporations. In other words, you could hear a recorded message that sounds just like a boss you know and trust, but is not really them.

Examples of vishing include spoof calls claiming to be from banks or credit card companies, with messages instructing you to call a specific number to reset your password; exaggerated or “too good to be true” investment opportunities; bogus requests for charitable donations to urgent causes and recent disasters you have heard about in the news; calls claiming to be from government agencies like HMRC or the Home Office; or bogus tech support calls to fix fake computer problems.

How to protect against vishing

The biggest danger of vishing attempts is if they claim to come from an organisation that you really are a customer of, and are expecting communications from.

Methods to keep you and your company safe from vishing include:

1. Don’t rely on caller ID to be 100% accurate. Numbers can be faked.
2. Do not answer calls from unknown numbers.
3. Be suspicious of unsolicited phone calls purporting to be from banks, credit card companies, or government authorities.
4. Include phishing, vishing, smishing, and other forms in your staff security awareness training.
5. Do not use a gift card or a direct money transfer service.
6. Do not succumb to peer pressure. Con artists on the phone are highly skilled at persuasion, they operate in real call centres so you hear the call centre background noises, and they are trained in exactly the same way as genuine call centre staff. Don’t be fooled.

SMS phishing, the spoofing in your text messages

What is SMS phishing?

SMS phishing is the practise of disguising who sends an SMS message by replacing the sender’s mobile phone number (or sender ID) with letters.  Instead of seeing a sender number on your phone, you will see “Post Office” of the name of some other company that you probably do buy from sometimes. This fraudulent text message may show up among genuine texts you have previously received from the Post Office, for example, even though it is not really from the Post Office.

Impersonating a user who has roamed onto a foreign network and is submitting communications to the home network is an example of this technique, as is impersonating a bank and including a phishing message that lures users into clicking on a link.

How to protect yourself against fake SMS messages

To avoid being a victim of spoof SMS messages, keep the following in mind:

1. Don’t let your guard down just because you are expecting a particular type of message. Suppose you have a parcel on the way: don’t let this make you temporarily extra trusting of text messages about parcel tracking. If you have just signed up for a new store card or subscription, this is no reason to automatically trust any SMS that appears to be from them.
2. Never trust offers that seem too good to be true, and keep in mind that organisations such as your bank are extremely unlikely to text you and will never ask for personal information.
3. Do not click on links in SMS messages. Instead, if you think a message might be genuine, go to the relevant organisation’s website and call using the number listed there, or email instead.
4. Only disclose your phone number if absolutely necessary.
5. Never trust SMS texts requesting personal information, such as verification codes or password resets.
6. Inform Action Fraud about any SMS spoofing efforts.

Smishing, when they’re spoofing a real organisation’s text messages

What is smishing?

Smishing occurs when an attacker sends a text message that appears to be from a trustworthy firm, often the Royal Mail or a parcel delivery company or courier service. The concept is that the recipient, who may be expecting a parcel delivery, is duped into clicking on the link in the text message, which either sends personal information like a credit card number or password to the attacker or downloads a dangerous programme or malware to the victim’s phone. The malware can be used to eavesdrop on the user’s smartphone data or to convey sensitive data discreetly to an attacker-controlled site.

In the United Kingdom, parcel delivery scams account for more than half of all reported text phishing, or ‘smishing’ attempts. According to fresh data, from 15 April to 14 July 2021, 53.2% of reported scam SMS messages came from attackers posing as postal service companies. Furthermore, between June 14 and July 14, parcel and package delivery scams accounted for 67.4% of all smishing efforts.

How to protect against smishing attacks

You can defend yourself and your business from smishing by doing the following:

1. Remember that financial organisations never send text messages requesting credentials or money transfers. Credit card details, ATM PINs, or banking information should never be supplied to someone via text message.
2. Be wary of scam messages promising quick money, for instance from winning prizes or collecting cash after entering information.
3. Receiving a message from a number with only a few digits indicates that it was most likely sent from an email address, which is a common indicator of spam or scams.
4. Avoid storing your banking information on a mobile device, in case it becomes infected with malware.
5. Be suspicious of any delivery-related SMS messages that turn up outside usual delivery times.
6. If you receive a smishing text message, forward it to your telephone provider’s number so that it can be investigated.
7. Inform Action Fraud as well.

Other Scams and Spoofing Attacks

Man-in-the-middle attacks

If cyber-criminals acquire access to a person’s communications accounts, such as their email, they can intercept web traffic and communications between two people. They can then re-route cash, or solicit sensitive personal information such as credit card numbers or logins.

Extension spoofing

This is where attackers disguise executable malware files in emails as a different file type, in order to fool victims into believing they are safe to click on. An executable file is a security red flag if received in an email. It can make major changes to your computer and would be a typical file type for malware. It normally ends in .exe but can be disguised as a simple .txt file from Notepad.

Deepfake videos, spoofing a real human

Deepfake videos employ deep learning technology and manipulated images of celebrities, politicians or public figures to create an embarrassing or scandalous video. They may include pornography, violent behaviour, or the victim saying something they would not normally say but which, if believed, could be very damaging to their reputation. The AI part of the technology lends credibility to the spoof videos. Criminals utilise deepfake films to harm victims’ reputations or to collect ransoms from their intended victims.

Deepfake audio could be spoofing your boss’s voice

Deepfake ‘ransomware’ can also involve the use of AI to modify audio in order to fake a damaging or embarrassing recording of someone, or to impersonate someone for the goal of fraud or extortion. For example, in March 2019, a group of hackers successfully stole £201,000 by using AI software to deepfake the voice of an energy firm CEO.

How to find out if your information has been stolen for spoofing purposes

Look up if you have been “pwned”

Having your data stolen through one of these scams is called “being pwned.” The word “pwned” has origins in video game culture and is a play on the word “owned”, since the o and p keys are side by side on a keyboard. It’s used to imply that you have been taken control of in a cyber breach.

Cyber criminals often sell data on the dark web, so being hacked or spoofed once usually means you keep getting attacked again and again.

Visit Have I been pwned to see whether your information has been stolen.

Other sensible precautions businesses should take

Today’s cybercriminals would rather rely on human error and spoof frauds than go to the hassle of hacking into secure systems. Human mistakes may be counted on to some extent, which is why spoofing is so effective. It appears that almost anything can now be faked.

As a business you should:

1. Implement the necessary cyber security measures including anti-virus, two-factor authentication and anti-malware protections
2. Educate employees on what spoofing scams they may encounter and how to spot them
3. Have policies and procedures in place for dealing with and verifying specific types of approaches, messages, and enquiries
4. Always encourage employees to report suspicious emails and other messages and make sure you are clear on how they should do this.

Useful links

Have I been pwned

Action Fraud