Just like comedians might take on the appearance of a well-known figure for a skit, criminals are masquerading as a trusted source for a scam. Spoofing involves making a communication from an unknown or untrustworthy source appear to be from a known and vetted source. The intent is to compromise your security – whether by accessing personal information, spreading malware or bypassing network controls, among other tactics – and give scammers a big pay day.
Spoofing can be difficult to spot. Part of being on the defense is knowing which types of attacks are on the upswing and which steps you can take to thwart them.
Caller ID spoofing
While you may expect spoofing attacks via email, they may come from phone calls that appear to be from a trusted entity, such as your bank. Fraudsters have taken to cloaking their phone numbers with 1-800 numbers from the back of bank or ATM cards; on your caller ID, the number looks legitimate.
The “representative” may note that your card has been used fraudulently and must be replaced. As a result, you may be requested to confirm or provide information, such as your account number, Social Security number or even your PIN. Such details can be used to drain your accounts. Be wary of anyone who calls you and requests personal information; always hang up, and then call the customer service line on your card and statements to check the status of your accounts.
Business email spoofing (BES)
Also known as business email compromise (BEC) attacks, BES attacks can happen if scammers gain access to a corporate email address. Scammers pose as a real employee or an executive to execute any of several schemes to defraud the company or its employees or customers.
One scheme involves posing as an employee and asking the payroll department to change the bank account information for direct payroll deposits. The email might include a bank account and routing number, and for the biggest pay-off, may come from an executive-level employee.
Another scenario which often involves impersonating an executive is sending an email directing an urgent wire transfer. Sometimes, such requests may come through when the executive is known to be traveling, making it difficult to get in touch and confirm details without fear of missing the deadline.
Additionally, fraudsters are posing as executives to email requests for W-2 forms along with reports including employee details like Social Security numbers, addresses and earnings. All this information enables criminals to file fraudulent tax returns.
Finally, hackers who have gained access to a company network may bide their time to intercept emails with invoices. They nab the communications and alter bank account details before sending them along from a spoofed address, which appears legitimate. When the invoice is paid, the scammer’s account gets the sum.
Sidestepping spoofing
Whether you get a suspicious email in your personal account or at work, or find yourself on the receiving end of a puzzling phone call, there are some steps you can take to avoid being a victim.
First, never reveal personal information to an unsolicited caller or emailer. Such information includes any financial account information or verification codes, passwords, Social Security number or other identifying details.
Second, don’t be rushed or pressured. If you have a suspicious email or phone call, do not click on a link or call a number provided. Instead, call the published customer service line or type in the known website address to verify your account status and activity.
Third, if you suspect a spoofed email at work, verify the instructions by placing a phone call to the executive who made the request. While it may feel odd to question someone in a position of authority, it could mean saving your company thousands of dollars or more.
Finally, report criminal activity. The FBI maintains the Internet Crime Complaint Center (IC3), where victims or third parties can file complaints. The Internal Revenue Service wants to know about tax-related phishing and spoofing emails, and those can be forwarded to phishing@irs.gov. And if employers are impacted by a W-2 scam, details can be forwarded to dataloss@irs.gov.
