Spoofing 101: Protecting your company from digital deception
Businesses must prioritize data security and fraud prevention, as this is a key concern for their clients — and has a significant impact on a company’s reputation and bottom line. Many of the fraud practices plaguing consumers are also used to target businesses, particularly those handling sensitive information such as the payments industry.
Let’s take a look at one of the more deceptive fraud tactics, spoofing — including what it is, how it works, and, more important, what you and your organization can do to avoid it.
What is spoofing?
Spoofing is a personalized tactic that fraudsters use to gain a person’s trust. Spoofers send convincing communications that appear to be from a trusted organization that the targeted individual is known to do business with. Spoofing tactics include creating an imposter email address, sender name, phone number, or website URL — often by merely changing one letter or number — to deceive victims into believing they’re interacting with the actual, legitimate organization.
How does it work?
Spoofing is a more sophisticated tactic than phishing. While phishing might involve a fraudster calling and claiming to be a bank representative to get you to confirm or provide sensitive information, a spoofer would pose as a representative of your actual bank and call from a phone number that falsely appears in caller ID as your bank’s name.
Because spoofing is highly personalized and visually mimics trusted organizations, the victim is more likely to believe it’s a genuine contact and let their guard down.
How can spoofing impact my company?
Much like phishing, spoofing can have significant impacts on the payments industry by exploiting vulnerabilities and tricking employees into revealing sensitive information. In fact, spoofing and phishing often work hand in hand, with fraudsters using spoofing techniques to gain trust, so the targeted individual is more likely to comply with a phishing attack by clicking the link or providing the requested information.
In addition to obtaining sensitive information, spoofing can be used to spread malware — software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system — through infected links or attachments and to circumvent network access controls. Fraudsters often use spoofing to gain a foothold to execute a larger cyberattack.
Successful spoofing can wreak havoc on an organization by infecting computer networks and opening the door for data breaches. This results not only in a loss of revenue but often significant damage to the company’s reputation.
Common spoofing techniques — and how to avoid them
Caller ID Spoofing
What it is: Falsifying the incoming name on caller ID to disguise the caller's true identity.
How it works: The caller may:
- Request personal information.
- Create a false sense of urgency.
- Ask “yes” or “no” questions.
- Ask you to press buttons on your phone.
- Become demanding or make you feel uncomfortable.
How to avoid it: Refrain from answering calls from unknown numbers. If you must answer, be vigilant and hang up if the caller requests sensitive information, asks unusual questions, or acts suspiciously in any way.
Email Spoofing
What it is: Manipulating the email header or sender information to make an email appear as if it’s coming from a different sender — particularly a known contact, vendor, or other trusted source.
How it works: The email may ask you to reply with sensitive information, perform an action — such as changing vendor payment information — or click a link that may lead to a spoofed website or harmful malware.
How to avoid it: Report any suspicious emails. Do not reply or click on links. Scrutinize the sender's header, footer, and email address for inconsistencies and check for the following red flags:
- Spelling/grammatical errors.
- Suspicious links.
- A sense of urgency.
Text/SMS Spoofing
What it is: Manipulating sender information to make text messages seem trustworthy.
How it works: The text may employ tactics like changing the lowercase “L” in “Google” to a capital “I” — so you believe the message is actually from Google. You’re then more likely to click the link, which typically leads to a spoofed website or malware.
How to avoid it: Never share sensitive information via text, and:
- Closely examine sender details.
- Look for misspellings and other errors.
- Be skeptical of urgent requests.
- Watch out for suspicious URLs, often asking you to verify or unlock your account — and never click embedded links.
Website Spoofing
What it is: Creating fake websites that mimic the sites of legitimate companies and trusted partners
How it works: Targets are typically routed to the false website from a link embedded in an email or text and then tricked into providing sensitive information, such as login credentials or financial details.
How to avoid it: Never click embedded links in suspicious emails/text messages, and:
- Use a secure web browser.
- Always check the address bar for the closed lock icon and avoid unsecured websites.
- Scrutinize the site for poor content, errors, or logos/colors that appear slightly “off”.
- Use a network firewall.
Trust your instincts - and stay vigilant
One of the biggest weapons against spoofing is maintaining a healthy dose of suspicion.
Always approach unexpected communications with skepticism before taking any action.
When in doubt, reach out to the actual vendor or organization separately via a known phone number or email address to confirm the communication's validity.
And remember: Legitimate organizations, like KeyBank, will never ask for sensitive information unsolicited. Always verify such requests through known channels, like your financial institution.
Of course, to protect your business effectively, this information must be shared across your organization. While eradicating cybercriminals might be an elusive goal, the collaborative efforts of businesses and employees to keep a close eye on incoming communications can leave bad actors with an empty stage.
To learn more about current fraud trends and KeyBank’s commitment to cybersecurity, visit key.com/cybersecurity or contact your Payments Advisor or Relationship Manager.