Spoofing attacks: What they are & how to protect your business

Spoofing attacks have become one of the most popular cyber attacks today. The advancement of AI helps attackers replicate the tone and fix grammar easier now than ever, making attackers realize that they can now trick even the highest executives into giving them information.

Photo by Clint Patterson on Unsplash

Spoofing attacks often happen through email or online messaging services and rely on the victim to provide sensitive information, such as login credentials or payment information the attacker uses to gain access and sell information. 

The different types of spoofing

There are many different types of spoofing, including:

1. IP Spoofing: In IP (Internet Protocol) spoofing, an attacker disguises their IP address to appear as someone else or a trusted source. The attacker then uses this identity to bypass security measures, gain access to a network, or launch various types of attacks.
2. Email Spoofing: Email spoofing involves forging the sender’s email address in an email message to make it appear as if it’s coming from a different sender, often someone trustworthy. It is commonly used in phishing attacks to deceive recipients into revealing sensitive information or downloading malicious attachments.
3. Website Spoofing: Website spoofing occurs when an attacker creates a fake website that closely resembles a legitimate one and is often used in phishing attacks to trick users into entering their credentials or personal information.
4. Caller ID Spoofing: In this type of spoofing, the attacker manipulates the caller ID information displayed on the recipient’s phone, making it appear that the call is coming from a different number or entity. 
5. MAC Address Spoofing: MAC (Media Access Control) address spoofing involves altering the hardware address of a network device to impersonate another device on the network. This can be used to bypass network access controls or carry out man-in-the-middle attacks.
6. DNS Spoofing: Domain Name System (DNS) spoofing involves manipulating the DNS records to redirect users to fraudulent websites or intercept their traffic. This can lead to various forms of cyberattacks, including phishing and data theft.

How spoofing can affect your business

Mainly, attackers use spoofing to trick employees into opening phishing emails, which can lead to malware infections or ransomware attacks. Spoofed emails also impersonate executives and request resources, such as money or gift cards, or request access to sensitive data, such as financial reports or customer information. If employees fall for these scams, it can lead to data breaches or even financial loss for the company. 

Besides the loss of money and privacy, spoofing attacks can also have these consequences:

• Reputation damage: Customers, clients, and partners may lose trust in an entity that fails to protect against such attacks, especially if their personal information is compromised or they fall victim to phishing scams associated with spoofed emails or websites.
• Legal consequences: Organizations could face lawsuits, regulatory fines, or other penalties if they fail to adequately protect against spoofing attacks, leading to data breaches or privacy violations. Insurance rates could also increase if you fall for a spoofing attack. 
• Operational disruption: IP spoofing attacks can lead to network outages, resulting in downtime, lost productivity, and frustrated customers.
• Resource drain: Dealing with the aftermath of a spoofing attack, including incident response, investigations, and security enhancements, can consume significant time and resources for an organization.

The spoofing case that cost $46.7 million

What are a couple of gift cards, right? We can spare $50! Spoofing can be for more than just $25 gift cards. Take, for example, the 2016 case of Ubiquiti. 

Employees had received a spoofed email from what they thought were lawyers working with the company to complete an acquisition. They exchanged banking details and authorized multiple payments totaling over $46 million. The biggest kick? No one noticed anything wrong with these transfers until they were notified by the FBI. Had the FBI not stepped in, the transfers would have continued. 

The company could have easily stopped this scam sooner. For starters, the attacker sent emails from a “@consultant.com” email rather than the lawyer’s domain email. Had the accountant dealing with these emails taken proper spoofing and phishing training, they should be able to recognize this isn’t the lawyer’s domain or email. Secondly, all payments should have a double-authorization policy and a second person who can double-check that this was an agreed payment and is going to the correct sender. 

Consider this case next time you think your employees will never fall vulnerable to a spoofing attack. 

How to protect your business from spoofing

Don’t want to risk losing millions or developing a bad reputation in the industry? There are a few things you can do to protect your business and prevent employees from falling for a spoofing attack:

Set up detection services

There are many tools used to stop spoofing attacks from happening before they even reach your employee’s inbox. If you haven’t already, set up these systems in your business’s network:

• Intrusion Detection System (INS) – Monitors the network for suspicious activity or policy violations and notifies you if anything occurs. 
• Domain Name System Blocking (DNS) – Block employees from going to suspicious domains on the internet. Even if your employees do click on a phishing link, they won’t be able to input information because it will block them before they get to the domain. 
• Email Authentication Systems (EAS) – These systems can block suspicious emails or alert you if something seems suspicious. 

Policies & culture 

Even with all these tools available, some spoofing attempts will still get through. That’s where your people come in. Ensure you have the correct policies to help guide your team into making good decisions. What do they do if they think an email is suspicious? Do they need approval to send payments? Sign contracts? Give private information?

In the end, your culture is the best thing to help with spoofing attacks. If your employees feel inclined to talk about suspicious emails and ask questions, they are less likely to make rash decisions and give information to the wrong person. Focus on building a positive security culture to encourage this type of energy from your employees. 

Awareness programs

Education is a key tool to protecting your business from spoofing. By educating your employees on the different types of spoofing and how they can identify them, you empower your workforce to be the first line of defense. Employees trained in security best practices can help report and respond to potential spoofing incidents promptly, minimizing the damage and potential data breaches.

Consider having a module specifically for spoofing so your employees have the time needed to focus on the important subject. Also, create a customized group for higher executives or employees with access to finances or important data, as they are more likely to be targeted with higher-calibrated spoofing attacks. 

Create customized groups for spoofing attacks using Click Armor’s new customized groups tool. Schedule a call to learn more. 

It’s important to be aware of the risks that spoofing attacks pose to your business and what you can do to prevent them. The best line of defence against spoofing is a combination of technology and employee awareness. Ensuring that your employees are aware of these threats and promoting a culture of cyber security will go a long way in keeping your business safe. It’s up to you to take the action needed to protect your company.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.