Spoofing refers to an attack where hackers use various ways to disguise their identity so that their victims think they are talking to their coworker, boss, or business. The methods used to achieve this are the typical phishing tropes such as fake websites, links, and social engineering.
When spoofing is involved, it’s often more helpful to focus on detecting the facade rather than looking at the specific illicit approach being used. The difficulty comes from the fact that hackers are often very adept at replicating a company's identity or look and feel.
The best way to detect these frauds is by identifying odd behaviors, such as a company or coworker asking for information they usually wouldn’t. The method of communication can also be unusual: a bank might ask for specific information, for example, but it would only do so through its website, never over email.
This article will outline the nine most common spoofing scenarios and give you tips on identifying them.
Coworker Impersonation
Hackers that use this method will gather a lot of personal information about their victims, where they work, and even their coworkers to make their emails so convincing that the target willingly shares information with the hackers.
Since the information in the email all checks out, victims are less likely to double-check the provenance of the email. Like other social engineering attempts, the email address will not have the correct affix, and spelling mistakes might be present.
The best way to counter these attacks is to have users double-check with their coworkers in person or on work chat platforms like Teams before sharing information.
Fake Invoice
The same way people receive hundreds of emails every day, accounts payable departments in large companies receive hundreds of invoices daily, often from companies they don’t know directly.
These attacks are hard to detect because they’ll often come from the same domain or company name present on the invoice but be for goods or services that were never delivered.
Attacks like these emphasize why it’s crucial to implement a two-step verification process for all invoices. One person prepares the invoice, and a second verifies the information on the invoice with the concerned department to ensure the invoice is genuine.
Malicious Extension
A common phishing tactic is to get a victim to download a malicious file to infect their machine with malware. This attack is usually combined with social engineering tactics to convince users that the file is an ordinary work file.
One of the most common tactics is to name an executable file something innocuous like “Q3 earnings reports,” hoping that the victim won’t notice it’s a .exe instead of an Excel file. Hackers may also try to cover it by adding an extension at the end, such as Q3EarningsReport.bat.pdf.
Remind users always to check the file extension of documents they are about to download and never download an extension they don’t recognize. It’s also best to never download a file from an unknown source without scanning it with an antivirus.
More skilled hackers have also found ways to embed executable files in files like a PDF, without modifying the file extension at all. This example demonstrates why it’s crucial to have file scanning software in place for all company emails.
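The extension check described above can be automated in a mail-triage script. The following Python sketch is an added example, not part of the original article; the extension lists and the `classify_attachment` function are assumptions chosen for illustration, and it inspects file names only, not embedded content.

```python
# Assumed, non-exhaustive lists for illustration; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".scr", ".js", ".vbs", ".ps1", ".msi", ".hta", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".csv"}


def extension_chain(filename):
    """Return every dot-separated suffix in order, lowercased.

    'Q3EarningsReport.bat.pdf' -> ['.bat', '.pdf']. Empty segments are dropped
    so a trailing dot or space ('invoice.exe. ') cannot hide the real suffix.
    """
    parts = filename.strip().lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'."""
    chain = extension_chain(filename)
    if not chain:
        return "review", "no extension"
    final, earlier = chain[-1], chain[:-1]
    if final in EXECUTABLE_EXTS:
        if any(ext in DOCUMENT_EXTS for ext in earlier):
            return "block", "executable disguised with a document extension"
        return "block", "executable file type"
    if any(ext in EXECUTABLE_EXTS for ext in earlier):
        return "block", "executable extension hidden before the final one"
    if final not in DOCUMENT_EXTS:
        return "review", "unrecognized extension"
    return "allow", "recognized document type"


# Constructed sample attachment names, including the two named in the article.
SAMPLES = [
    "Q3 earnings reports.exe",
    "Q3EarningsReport.bat.pdf",
    "Q3EarningsReport.pdf.bat",
    "Q3EarningsReport.xlsx",
    "budget.v2.xlsx",
    "archive.iso",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:6} {name!r}: {reason}")
```

Names that land in "review" are the ones a user would not recognize and should go to a scanner or an analyst rather than straight to the inbox.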
Facial Spoofing
This type of spoofing has seen quite the rise, with facial recognition becoming the norm to unlock both smartphones and computers without using a password. Hackers have found numerous ways to use pictures, videos and even 3D renderings of a victim’s face to unlock their devices.
This attack can only happen if the hacker has prolonged physical access to the device. A detailed policy for lost or stolen hardware is the best way to handle this. Another efficient way is to set devices to ask for a PIN or password before facial recognition unlocking if the device has been inactive.
The hacker usually has to steal the device before attempting facial spoofing later. That time would be enough to warrant inputting the PIN to log in, thus rendering the device useless.
Fake Fines
Typically combined with vishing or email phishing, hackers present themselves as officials from the city the victim resides in or a collections agency and ask for an immediate fine payment.
The hackers will usually have gathered information on the victim to increase their chances of success. They’ll often know the person’s full name and information like the make and model of their car or license plate. The victim is then pressured to pay the fine over the phone via credit card.
These often work because they sound realistic, and the victim bends under pressure. Remind your users that such fines are always paid via official means such as a bank transfer or a credit card payment on a secure website, never over the phone. If they get pressured for payment, tell them to ask to see the fine in question and for it to be paid securely.
Malicious Social Media Profiles
This type of attack happens on social media when hackers create fake social media pages or tech support accounts to get users to give them personal information. The most common tactic is to find a user who posted about issues with a particular service online and contact them by posing as the company.
The user then believes they’re getting preferential treatment and sends over their password or enters it in the attacker's fake password reset webpage. The social media accounts are often identical to the official one word for word and can be challenging to detect.
Again, these attacks are foiled by reminding users to never share information over social media and only reset passwords on official websites.
Search Engine Phishing
These attacks are incredibly elaborate and involve the creation of complete websites that are then indexed on Google through traditional and black hat SEO methods. The companies involved in these attempts often sell fake products and services, prompting users to input their bank or credit card details for the purchase.
The funds are then stolen, and the financial information is used to steal the victim’s identity further. The main giveaway of these attacks is that they don’t use a recognized payment processor. Remind your users to only shop on websites they trust that use a major payment processor such as Shopify, Stripe or PayPal.
Awareness is Key
These attacks succeed primarily because people don’t realize they are happening. Thankfully, the steps required to catch them often only take seconds or minor behavior modifications. Running a varied phishing simulation program, including spoofing attacks, is the best way to show people the different ways these cyber security breaches happen.
Spoofing isn’t going away anytime soon and will continue to evolve as different types of communication and platforms pop up. Ensure your users are careful and take the steps mentioned in this article everywhere, and your company data will remain safe.