Ah, the art of disguise. Ever since the Big Bad Wolf and Little Red Riding Hood (and probably earlier), one of the oldest tricks in the book is for a miscreant to pretend to be someone else—a phone or appliance repairman, a contractor, someone from the government, or even a police officer—in order to gain access to a residence or business and either steal things then and there or check out what’s there for later breaking and entering.

The world of cybercrime has an equivalent trick, and the thief doesn’t even have to dress up to pull it off. It’s called spoofing.

What is Spoofing?

A spoofing attack is typically carried out by email. In this attack, the hacker sends an email that appears to come from someone you or your business should trust: a long-time customer or vendor, contractor, service provider, government agency, or some other trusted entity. Sometimes, the email is disguised to look like it came from a high-ranking officer of your company; this tends to work better in large, multinational companies. Often, the email includes an attachment, and the text of the email claims that the attachment is an important document—an invoice, a contract, some other legal document, or even instructions for claiming a prize or monetary windfall of some kind. In other cases, the email contains a link to a payment site or a malicious software download.

The attachment, usually a file in compressed (.ZIP) format, may in fact contain an official-looking but bogus document, but that’s not the important part—the file will also (or perhaps only) contain an executable program that installs malware on your computer: spyware, a bot, a virus, or even ransomware. Once you’ve opened that Pandora’s box, your life becomes a whole lot more…interesting, and not in a good way.

Spoofing is a classic case of social engineering: It uses subterfuge to gain your trust and let the hacker’s foot in the door. The most effective ones require some research on the part of the hacker to learn what entities are most likely to be trusted partners, and then carefully craft the email accordingly.

More Prevalent Than You Think

As a cybercrime tactic, spoofing has been around for a long time, and it doesn’t get much attention in the popular press anymore, but it happens much more than you might think. The reason spoofing is still popular among hackers is that although it requires more legwork, the response rate can be high, and the haul can be quite lucrative—one multinational corporation reported the loss of over $40 million in a spoofing email scam. Spam filters and antivirus software have a hard time recognizing spoofing emails because they tend to be more targeted than typical spam, and the attachments are carefully formatted so as not to arouse suspicion from antivirus tools.

Protecting Yourself

Like all cyberattacks that rely on social engineering, the last line of defense against spoofing is the end users—and end users aren’t always as vigilant as they should be. Even if they are, a hacker who has done his job well can craft a spoofing message that passes every smell test. For that reason, cybersecurity isn’t just about prevention; it’s also about having good response practices in place for breaches that do happen. We cover all of this in our free cybersecurity checklist. If you haven’t already, download it today to see what you need to think about in protecting yourself and your business against spoofing and other types of cybercrime.