What is Email Phishing and Spoofing?
Anyone with an email account is vulnerable to fraud by modern-day con artists using tactics commonly known as "phishing" and "spoofing." This article provides the basics of these online fraud tactics, how to spot them, and ultimately how to avoid becoming a victim.
Email phishing is the act of impersonating a business or other entity for the purpose of tricking the recipient of email into giving up sensitive personal information. Data gleaned from phishing often is used to commit identity theft or to gain access to online accounts.
Spoofing is similar to email phishing in that it uses deception to trick users into providing sensitive information. Email spoofing involves the use of a header appearing to have originated from someone (or somewhere) other than the true source. Similarly, IP spoofing involves the use of a forged IP address to trick the victim's computer into believing it came from a trusted source.
Most email users have received a message asking for verification of personal information at least once. Often, this sort of communcation can look something like this:
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
Almost always, such a request for sensitive data actually is a phishing attempt. Perpetrators of phishing attacks usually seek data such as credit card numbers (along with the expiration date and security code), Social Security numbers, bank account numbers, birth dates, or various passwords. But legitimate businesses, especially financial institutions (including PayPal), do not ask for this type of information via email.
Some phishing attacks use sophisticated software to send legitimate-looking pop-up messages requesting such information. Pop-up and email messages asking the recipient to "click here" will take users to a legitimate-looking Website to fraudulently collect an unsuspecting victim's data.
As its name implies, spoofing is the act of using a faked (or "spoofed") email header or IP address to fool the recipient into thinking it is legitimate. Unsolicited spam email unrelated to phishing often uses spoofing tactics to hide its tracks, but email spoofing often is used in conjunction with phishing.
If you have received an email that appears to be from a friend but is soliciting goods or encouraging you to follow a link, you probably have been the target of spoofing. In such cases, the perpetrator has gained access to someone's address book by nefarious means.
IP spoofing frequently is used to launch denial-of-service attacks, in which a target computer is hit with an overwhelming amount of data and subsequently crashes. By spoofing the IP, the attacker can appear harmless and thus gain easy access.
How to Protect Yourself from Phishing and Spoofing
The best protection is to simply pay attention. If an email or Website just doesn't seem right, or if you receive a message asking for financial or personally identifying data, you should take pause and proceed with caution.
The Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) offer the following tips:
- Do not respond to any email message asking for personal or financial information, and do not click on any links provided in such a message (the importance of this cannot be overstated).
- Keep in mind that phone numbers provided by phishers often use Internet technology to hide the true source of the phone call, and area codes can be misleading.
- Make sure your anti-virus and anti-spyware software, and your firewall, are updated regularly.
- Get in the habit of never sending sensitive data (Social Security number, credit card numbers, etc.) via email.
- Check bank account and credit card statements for unusual transactions.
- Be careful when opening attachments or downloading files attached to emails, even if they appear to be from a friend (since spoofing can hide the true source).
- If you need to update potentially sensitive information online, open a new browser window and type in the Web address manually, using the same process you have used before.
- If the Web address of a known site looks unfamiliar, it may not be the legitimate site.
- If you are conducting bank business or other sensitive transactions online, look for the lock icon and "https" in front of the Web address indicating a secure site.
- Be suspicious of unusually long and random-looking Web addresses.
- If in doubt about an email that appears to be from a legitimate business, call the business yourself instead of replying to the message.
How to Report Instances of Phishing or Spoofing
Unfortunately, you may not know you have been victimized by a phishing or spoofing attack until your information has been used to commit identity theft or other crimes.
However, if you believe you have been scammed by a phishing and/or spoofing attack, file a complaint with the FTC and look for signs of identity theft (see our section on Identity Theft for more information). You also should contact your local law enforcement office and file a complaint with the FBI's Internet Crime Complaint Center.
If you receive messages that appear to be phishing or spoofing attempts (i.e. seeking sensitive data), forward it to firstname.lastname@example.org, as well as the organization being spoofed.