Spoofing

Find out how to avoid common scams. Reduce spam and spoof calls. Lower your risk for fraud and identity theft.

What is spoofing and how does it work?

Spoofing is a cybercrime where someone disguises themselves as a trusted contact or brand to gain a victim’s trust and, through it, access to sensitive personal information. Spoofing comes in many forms: fake websites, fake emails and phony phone calls. Spoofing can also be more technical, where hackers set up fake IP addresses, ARP (Address Resolution Protocol) messages and DNS (Domain Name System) servers.

What are the types of spoofing?

Like other forms of cybercrime, spoofing takes many forms. Some of the most common types of spoofing are:

  • Email spoofing:
    Email spoofing is a common, effective and dangerous form of spoofing. It happens when cybercriminals use spam and phishing attacks to trick users into thinking that an email came from a person or entity they know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value. Learn more about Phishing.

  • Website spoofing:
    Website spoofing happens when cybercriminals create an exact (and false) replica of a trusted website, with the intention of misleading visitors to a phishing site. That site is then used to collect personal and sensitive information for financial and other types of fraud. Legitimate logos, fonts, colors and functionality are used to make the spoofed site look realistic.

  • URL spoofing:
    The process of creating fake or false URLs which pose as legitimate websites is commonly known as URL spoofing. The spoofed URL is almost identical to the actual (real) URL, and is used to take the user to a fake/spoofed website, which is a landmine for cybercrime such as financial fraud, Social Security fraud and more.

  • Caller ID spoofing:
    With illegal call spoofing, the caller fraudulently changes the number that appears on Caller ID in order to trick the called party into answering the call.

    • If "Verified Caller" or a checkmark appears next to an incoming call, the number presented on the Caller ID was authenticated by the originating carrier and the call has not been spoofed.

    • However, a checkmark or “Verified caller” doesn’t tell you the caller’s intention. Be wary of unknown callers.

  • Text message spoofing:
    SMS spoofing is a technique that allows a sender to change the sender information on a text sent via the short message service (SMS) system. SMS messages are used by cell phones, personal digital assistants and similar devices, and are typically just known as text messages. Text message spoofing is used to send fake text messages that often try to get the user to click a link within the message, which then leads to phishing and smishing attacks. Learn more about smishing and spam text messages.

  • GPS spoofing:
    Global navigation satellite systems (GNSS) have been around for years all over the world. The Global Positioning System (GPS) is part of the GNSS family. GPS spoofing happens when a cybercriminal uses a radio transmitter to send a false GPS signal to a GPS receiving antenna. Such attacks succeed because most GPS systems are programmed to receive and act upon the strongest GPS signal. So, in the case of GPS spoofing, the stronger fake signal overrides the weaker but legitimate satellite signal.

  • Man-in-the-middle attacks:
    A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

  • IP spoofing:
    Internet Protocol (IP) spoofing is both malicious and insidious. IP spoofing takes place when the threat actor (or cybercriminal) hides the true source of IP packets to make it difficult to know where they came from. The attacker creates packets, changing the source IP address to impersonate a different computer system, disguise the sender's identity or both.

  • ARP spoofing:
    ARP (Address Resolution Protocol) spoofing is when an attacker sends a fake message onto a local area network with the goal of associating the attacker’s MAC address with the IP address of another host. This causes any traffic meant for that IP address to be sent to the attacker instead.

  • DNS spoofing:
    DNS spoofing is a form of computer security hacking where a bad actor “poisons” entries on a DNS server to redirect its victim to a malicious website under the hacker’s control. This would allow them, for example, to cause your computer to visit their site when you attempt to visit verizon.com. Public Wi-Fi environments are more vulnerable to DNS spoofing – and users need to exercise extreme caution before connecting to these networks.

  • MAC spoofing:
    Media Access Control (MAC) spoofing is an attack where fraudsters or paid hackers scan networks for valid and original MAC addresses. Once found, they are able to bypass access control measures and copy all of the data without being identified. This can provide important details about applications in use and end-host IP addresses.
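
For the email spoofing item above, this added example (not part of the original page) shows a check that does not take the displayed sender at face value: it compares the From address with the Reply-To and Return-Path domains and reads the DMARC verdict recorded by the receiving mail server. The sample message, the finding names and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not real mail; every domain is a reserved example name.
SPOOFED = """\
Return-Path: <bounce@bulk.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk.example.net; dmarc=fail header.from=example.com
From: "Example Support" <support@example.com>
Reply-To: help@bulk.example.net
Subject: Action required on your account

Please confirm your details.
"""


def _domain(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def sender_findings(raw_message):
    """Return reasons the displayed From address should not be taken at face value."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    findings = []

    # A display name that is itself an address on a different domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append("display-name-address-mismatch")

    # Replies and bounces routed to a domain other than the one displayed.
    # Legitimate bulk senders can trigger this, so treat it as a signal only.
    for header in ("Reply-To", "Return-Path"):
        other = _domain(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header.lower()}-domain-mismatch")

    # DMARC verdict recorded by the receiving server (assumed to be your own
    # mail server; an Authentication-Results header from elsewhere is untrusted).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    if verdict is None:
        findings.append("dmarc-missing")
    elif verdict.group(1).lower() != "pass":
        findings.append(f"dmarc-{verdict.group(1).lower()}")
    return findings
```

An empty list means none of these signals fired; it does not prove the message is genuine.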

IP Addresses

IP addresses are internet addresses which are used to uniquely identify the connection of the network that devices are connected to.

MAC Addresses

Just like your house, which has its own postal address, every device that is connected on any network has a Media Access Control (MAC) address, which is a physical address that uniquely identifies the device. The MAC address is a 12-digit number with colons and/or hyphens that can usually be found in your device settings or on the device itself.

How to prevent spoofing attacks.

Protecting yourself against spoofing attacks is important. Here are some do's and don'ts:

Do these things:

  • Look for caller verification. See if there’s a checkmark (on iPhone) or “Verified caller” status on incoming calls (on smartphones and Fios Digital Voice). This means the number hasn’t been spoofed.

    • Verified caller/checkmark indicates the caller ID is accurate, but doesn’t indicate a caller’s intentions. Always be wary of unknown callers.

    • Turn on the Neighborhood Filter in the Call Filter app if you are receiving a lot of spoofed calls from phone numbers similar to your own.

  • Make sure your spam filter is on. This will prevent most spoofed emails from coming into your inbox.

  • Watch out for warning signs. If the potential spoof attack contains signs of poor grammar or unusual sentence structure, it may be an illegitimate request. Also, be sure to double-check the URL address of a website or the email sender address.

  • Confirm the information. If an email or call seems suspicious, send a message or make a call to the sender to confirm whether the information you received is legitimate or not. If in doubt, do nothing. Do not click, download, respond or call back till you have been able to verify the authenticity of something that looks suspicious.

  • Always hover before clicking. If a URL looks suspicious, hover your mouse over the link so that you’ll know exactly where the page is going to take you before you click on it. On a mobile device, press and hold down on any link and the full URL will appear.

  • Set up two-factor authentication. Setting up two-factor authentication is a great way to add another layer to your passcodes. However, it’s not completely foolproof, so ensure you’re considering other security precautions as well.

  • Invest in cybersecurity software. Installing cybersecurity software is the biggest defense when it comes to protecting yourself from scammers online. If you run into trouble, download malware removal or antivirus software to protect your computer from any malicious threats or viruses.
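
The "double-check the URL" and "hover before clicking" advice above can be automated for links in mail or chat. This added example (not part of the original page) works out the host a link really leads to and flags common look-alike patterns against an allow-list. The allow-list, the finding names and the constructed test URLs under the reserved .example domain are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the names the reader actually trusts; verizon.com is the page's example.
TRUSTED_DOMAINS = ("verizon.com",)


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1,        # deletion
                               current[j - 1] + 1,     # insertion
                               previous[j - 1] + (char_a != char_b)))  # substitution
        previous = current
    return previous[-1]


def url_findings(url, trusted=TRUSTED_DOMAINS):
    """Return reasons a link may only look like it leads to a trusted site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    findings = []

    # "https://trusted@other-host/": everything before "@" is not the host.
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")
    if any(host == name or host.endswith("." + name) for name in trusted):
        return findings  # the real host is the trusted domain or a subdomain

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode-label")  # may render as look-alike characters
    for name in trusted:
        brand = name.split(".")[0]
        if any(brand in label for label in labels):
            findings.append("trusted-name-on-untrusted-host")
        elif any(edit_distance(label, brand) == 1 for label in labels):
            findings.append("lookalike-of-trusted-name")
    return findings
```

The check reads the host from the right-hand end of the name, which is why a trusted name placed at the left of a longer hostname is still reported.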

Don’t do these things:

  • Don’t click unfamiliar links or downloads. If a link or download file doesn’t look legitimate, refrain from clicking on it. If it’s from an attacker, it will usually contain malware or other viruses that can infect your computer.

  • Be wary of emails or calls from unrecognized senders. Never give out personal and private information such as financial details, credit card information or your Social Security number, unless you are sure the request comes from a trusted and legitimate source. If the sender is unrecognizable, don’t answer the call or email. This can help prevent any communication with a potential scammer.

  • Don’t use the same password twice. Create a unique, strong password for each account/service. Change passwords often, in case one gets stolen. Equally important: don’t use the same password for different accounts/services.

How to report spoofing.

If you think you’ve been spoofed, you can file a complaint with the FCC’s Consumer Complaint Center. You can also report fraud to the Federal Trade Commission. In addition, you can also contact your local police department if you’ve lost money due to spoofing.

Verizon will never contact you unsolicited. If you get a call or message claiming to be from Verizon, but from another number or email address, contact us directly so you know you’re talking to Verizon.

If you come across a Verizon website you believe is spoofed, please contact us.

Spoofing FAQs