What Is Spoofing? How Scam Works and How To Protect Yourself

What Is Spoofing?

Spoofing is a type of scam in which a criminal disguises an email address, display name, phone number, text message, or website URL to convince a target that they are interacting with a known, trusted source. Spoofing often involves changing just one letter, number, or symbol of the communication so that it looks valid at a quick glance. For example, you could receive an email that appears to be from Netflix using the fake domain name “netffix.com.”

Key Takeaways

  • Spoofing to trick you into divulging personal information can be done through email, text messages, caller ID, and even GPS receivers.
  • Be skeptical of any request for personal information, download files only from trusted sources, and install reputable antivirus and antimalware software.
  • If you think you’ve been spoofed, file a complaint at the Consumer Complaint Center of the Federal Communications Commission (FCC). If you have lost money, contact the local police.

How Spoofing Works

Spoofing criminals try to gain your trust, and they count on making you believe that the spoofed communications are legitimate. Often, using the name of a big, trusted company—such as Amazon or PayPal—is enough to get targets to take some kind of action or reveal information.

For instance, a fake email from Amazon might indicate a problem with a recent purchase, which could motivate you to click on the link to learn more (hint: Don’t click on the link). From that link, you could download malware or be directed to a fake login page, where you unknowingly enter your username and password.

Spoofing can lead you to disclose personal and financial information, send money, and download malware, which can lead to infected computers, financial fraud, and identity theft. Spoofing can be used to spread malware via links and attachments, bypass network access controls, and restrict access through denial-of-service (DoS) attacks. At the corporate level, spoofing can cause infected computer systems and networks, data breaches, and loss of income.

There are several kinds of spoofing, including email spoofing, text message spoofing, caller ID spoofing, and URL and GPS spoofing. Essentially, if there’s a form of online communication, spoofers are trying to scam their way into it—and into your identity and your assets.

How to Protect Yourself From Spoofing

There are several ways to protect yourself from would-be spoofing scammers:

  • Turn on your email’s spam filter. This will prevent many spoofed emails from ever landing in your inbox.
  • Don’t click on links or open attachments in emails from unknown senders. If there’s a chance that the email is legitimate, reach out directly to the sender to confirm that it’s real.
  • If you get a suspicious email or text asking you to log into your account for some reason, don’t click on the provided link. Instead, open a new tab or window (or the dedicated app on your phone) and log in directly to your account.
  • Display file extensions in Windows. Windows does not display file extensions by default, but you can change the setting. To do so, click the “View” tab in File Explorer and check the box to show file extensions. While this doesn’t prevent scammers from spoofing file extensions, you’ll be able to view any spoofed extensions and avoid opening any malicious files.
  • Invest in reputable cybersecurity software. Good software will alert you about potential threats, stop downloads, and prevent malware from taking over. Keep in mind that the software only works if you keep it updated and use it regularly.
  • If you get an inquiry seeking personal information, don’t provide it. Hang up (or log off) and then look up the phone number or customer service email address from the entity purportedly contacting you for your personal information.

If you think you’ve been spoofed, you can file a complaint at the Consumer Complaint Center of the Federal Communications Commission (FCC). The FCC doesn’t act on individual complaints but will add that information to its database. If you’ve lost money because of spoofing, the FCC recommends contacting your local police department.

Types of Spoofing

Email Spoofing

Email spoofing is the act of sending emails with false sender addresses, typically as part of a phishing attack intended to steal your data, ask for money, or infect your computer with malware. This tactic is used by both dishonest advertisers and outright thieves. The spoofer sends emails with a falsified “From:” line to trick victims into believing that the message is from a friend, their bank, or some other legitimate source. Any email that asks for your password, Social Security number, or any other personal information could be a trick.

These emails typically include a combination of deceptive features, including:

  • False sender addresses that look like someone who you know and trust
  • A missing sender address, or at least one that is hard for the average user to find
  • Familiar corporate branding, such as logos, colors, call-to-action buttons, and the like
  • Typos, bad grammar, and unusual syntax (e.g., “Good day sir, please made certain this data is well and good”).

Text Message Spoofing

Sometimes referred to as smishing, text message (SMS) spoofing is similar to email spoofing. The text message appears to come from a legitimate source, such as your bank or a doctor’s office. It may request that you call a specific phone number or click on a link within the message to get you to divulge personal information.

Caller ID Spoofing

Here, the spoofer falsifies the phone number from which they are calling in the hope of getting you to take their call. On your caller ID, it might appear that the call is coming from a legitimate business or government agency, such as the Internal Revenue Service (IRS). Note that the IRS says it doesn’t call taxpayers to tell them they owe taxes without first sending them a bill in the mail.

Spoofing comes in many forms, but the goal is usually to trick people into divulging personal information that criminals can use.

Neighbor Spoofing

This is a type of caller ID spoofing in which the call appears to be from someone you know or a person who lives near you. The FCC says that the Truth in Caller ID Act prohibits “anyone from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value.” If they’re caught (and that’s a big “if”), the spoofer can face penalties of up to $10,000 for each violation.

URL or Website Spoofing

URL spoofing happens when scammers set up a fraudulent website to obtain information from victims or install malware on their computers. For instance, victims might be directed to a site that looks like it belongs to their bank or credit card company and be asked to log in using their user ID and password. If the person falls for it and logs in, the scammer could then use the information that the victim typed in to log into the real site and access their accounts.

GPS Spoofing

GPS spoofing has a somewhat different purpose. It attempts to trick a GPS receiver into believing it is in a different location or headed in a different direction by broadcasting bogus GPS signals or other means. At this point, GPS spoofing is more likely to be used in warfare or by gamers (e.g., Pokémon GO players) than to target individual consumers, although the technology exists to make anyone vulnerable.

Man-in-the-Middle (MitM) Attacks

These spoofing attacks involve three players: the victim, the entity that the victim is trying to communicate with, and the “man in the middle” who intercepts the communications. The spoofer attempts to eavesdrop on the exchange or impersonate one of the parties. The goal is to intercept information that is useful, sensitive, or potentially profitable (e.g., login credentials and credit card information). Stolen information can be used to approve financial transactions, for identity theft, or it may be sold to a third party.

IP Spoofing

This type of scam happens when someone wants to disguise or hide the location from where they’re sending or requesting data, so they replace the source Internet protocol (IP) address with a fake one. The spoofed IP address looks like it’s from a trusted source (the original IP address) while masking its true identity: an unknown third party. Virtual private network (VPN) services allow users to mask their IP and location, which can also be used for legitimate reasons such as privacy or streaming content went traveling overseas.

Facial Spoofing

This is the latest form of spoofing. With facial spoofing, a criminal uses a person’s face and simulates their facial biometrics by using a photo or video to replace their identity. Facial spoofing is most commonly used to commit bank identity fraud. However, it is also used in money laundering.

Spoofing vs. Phishing

Spoofing involves faking one's identity, and can be used for various attacks such as identity theft.

Phishing is one such use of spoofing that attempts to steal somebody's personal information or credentials by having them volunteer that information from a nefarious source that looks legit. For instance, a phishing email may appear to come from your bank, but the link inside would direct you to a phony version of the bank's website. If you enter your credentials, they are subsequently turned over to the attacker.

How to Detect Spoofing

Spoofing can be sophisticated, so the key is to pay close attention to the details and trust your instincts. Be wary of websites with no lock symbols or green bars, or URLs that begin with HTTP instead of HTTPS, the encrypted version of HTTP. Another way to tell a fake website is if your password manager doesn’t autofill your login—a sign that it doesn’t recognize the website.

With emails, take a close look at the sender’s address, keeping in mind that scammers will use fake domains that are very similar to legitimate ones. Of course, typos, bad grammar, and unusual syntax in the email are also red flags. If you’re still unsure, copy and paste the contents of the email into Google, where a quick search can reveal if a known scam is circulating. Finally, always hover over an embedded link to reveal the URL before you click on it. If the URL looks suspicious, it is likely a scam. Expand the details of the sender to see if the email address is correct and not just the name. Also pay attention for alternations in small details like a capital "i" (I) for a small "L" (l).

With phones, caller ID is easily spoofed. Scammers often use neighbor spoofing, so it appears that calls are coming from a local number. They may also spoof a number from a government agency or business that you know and trust. The FCC advises people not to answer calls from unknown numbers—and to hang up immediately if you do answer such a call.

To hover on a link that’s on your smartphone, hold your finger on the link for a few seconds. A window will pop up that shows the full URL of the link. This can help you determine if the link is reliable or suspicious.

Is Spoofing Illegal?

Spoofing can be illegal depending on the type of spoof, the intent, and the jurisdiction involved. If you mask your phone number but there is no harm, spoofing is legal. But in the U.S., the FCC prohibits anyone from transmitting misleading or inaccurate caller ID information with the intent to defraud, with fines up to $10,000 per instance.

What Is an Example of Spoofing?

A common spoofing scenario happens when an email is sent from a fake sender address, asking the recipient to provide sensitive data. Typically, the recipient is prompted to click on a link to log into their account and update personal and financial details. Links in spoofing emails also infect the recipient’s computer with malware.

What Is the Difference Between Spoofing and Phishing?

The terms “spoofing” and “phishing” are often used interchangeably, but they mean different things. Spoofing uses a fake email address, display name, phone number, or web address to trick people into believing that they are interacting with a known, trusted source. Phishing tricks you into providing personal data that can be used for identity theft. Many phishers use spoofing tactics to trick their victims into believing they are providing personal information to a legitimate, trusted source.

The Bottom Line

People have pretended to be other people or the representatives of other organizations since time immemorial. However, with the advent of the internet and online communications, "spoofing" has become much easier and more widespread. Websites, emails, geolocations, and phone numbers today can all be spoofed by bad actors to commit crimes, steal identities, or perpetuate scams. Knowing how to spot and protect against spoofing is important in the digital age. At the same time, spoofing can provide anonymity for internet users for legitimate purposes of privacy. The use of VPNs, for instance, can mask your location and identity when surfing the web.

Article Sources
Investopedia requires writers to use primary sources to support their work. These include white papers, government data, original reporting, and interviews with industry experts. We also reference original research from other reputable publishers where appropriate. You can learn more about the standards we follow in producing accurate, unbiased content in our editorial policy.
  1. Consumer Complaint Center-Federal Communications Commission. "Home."

  2. Avast. “What Is Spoofing and How Can You Prevent It?

  3. Malwarebytes. “What Is a Spoofing Attack?

  4. Federal Communications Commission. “Consumer Guide: Caller ID Spoofing.”

  5. Norton. “IP Spoofing: What Is It and How Does It Work?

  6. Federal Communications Commission. “Caller ID Spoofing.”

  7. Rochester Institute of Technology. “‘Hovering’ Before You Click.”

Take the Next Step to Invest
The offers that appear in this table are from partnerships from which Investopedia receives compensation. This compensation may impact how and where listings appear. Investopedia does not include all offers available in the marketplace.