1 Introduction
Spoofing is the act of impersonating someone or something else on a network. It is the digital equivalent of wearing a disguise: the attacker puts on a mask to make you believe they are someone you trust.
Imagine someone showing up at your door in a postal worker uniform, with a fake badge and a fake package. You trust them because they look like a postal worker. On the Internet, spoofing works the same way: the attacker forges their identity (email address, phone number, IP address, domain name) to gain your confidence.
The four major types of spoofing
- Email Spoofing: forging the sender of an email
- Caller ID Spoofing: faking the displayed phone number
- Domain Spoofing: imitating a legitimate website
- ARP Spoofing: poisoning local network traffic
2 How It Works
Each type of spoofing exploits a different trust mechanism. Let us examine how each one works in detail:
Email Spoofing
The SMTP protocol (which sends emails) was designed in the 1980s without built-in authentication. The "From" field in an email is just a text string that the sender can set to anything. It is as easy as writing someone else's return address on a physical letter.
Without protection
Anyone can send an email claiming to be from your CEO, your bank, or any other address. The recipient's email client displays whatever the attacker put in the From field.
With SPF/DKIM/DMARC
These three protocols let the receiving server verify that a message really comes from the domain it claims. When properly configured, spoofed emails are rejected or flagged, but many organizations still have not fully deployed them.
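As an added illustration (not code from mlab Academy), the check below parses an Authentication-Results header and applies DMARC's relaxed alignment rule: SPF or DKIM must pass, and the domain it authenticated must share the organisational domain of the visible From address. The sample headers are constructed, and the organisational-domain helper assumes no public-suffix list. It also serves the "Unexpected authentication failure" red flag in section 4.

```python
import re
from email.utils import parseaddr

# Constructed sample (not from the page): the visible From claims the company's
# domain, but SPF and DKIM only authenticate an unrelated bulk-sender domain.
SAMPLE_FROM = '"CEO Jane Doe" <ceo@example-corp.test>'
SAMPLE_AUTH_RESULTS = (
    "mx.example-corp.test; "
    "spf=pass smtp.mailfrom=bounce@bulk-sender.test; "
    "dkim=pass header.d=bulk-sender.test; "
    "dmarc=fail (p=reject) header.from=example-corp.test"
)

def parse_auth_results(header: str) -> dict:
    """Map each method in an Authentication-Results header to (result, properties)."""
    results = {}
    for clause in header.split(";")[1:]:        # first element is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"(\w+\.\w+)=([^\s;]+)", clause))
        results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results

def org_domain(value: str) -> str:
    """Organisational domain of an address or host: its last two labels.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    host = value.split("@")[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_alignment(from_header: str, auth_results: str) -> dict:
    """Apply DMARC relaxed alignment: SPF or DKIM must pass AND the domain it
    authenticated must share the organisational domain of the From: header."""
    from_domain = parseaddr(from_header)[1].split("@")[-1]
    res = parse_auth_results(auth_results)
    spf_result, spf_props = res.get("spf", ("none", {}))
    dkim_result, dkim_props = res.get("dkim", ("none", {}))
    spf_aligned = (spf_result == "pass"
                   and org_domain(spf_props.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass"
                    and org_domain(dkim_props.get("header.d", "")) == org_domain(from_domain))
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "suspect": not (spf_aligned or dkim_aligned)}

if __name__ == "__main__":
    print(check_alignment(SAMPLE_FROM, SAMPLE_AUTH_RESULTS))
```

Note that "spf=pass" on its own proves nothing about the visible From: the sample passes SPF and DKIM for bulk-sender.test yet is still unaligned, which is exactly why DMARC fails it.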
Caller ID Spoofing
Using VoIP (Voice over IP) services, attackers can make any phone number appear on your caller ID. They may display your bank's real number, a government agency, or even your own number. This technique is heavily used in vishing (voice phishing) attacks.
Defense: STIR/SHAKEN
The STIR/SHAKEN framework is a set of protocols being deployed by telecoms to authenticate caller ID information. Calls are cryptographically signed so carriers can verify the caller's identity, but adoption is still incomplete.
Domain Spoofing
Attackers create websites that closely imitate legitimate ones. They register look-alike domains using typosquatting, homoglyphs, or subdomain tricks. The fake site is often a pixel-perfect copy of the real one, designed to harvest credentials or distribute malware.
- arnazon.com (typosquatting)
- apple.com.verify.xyz (subdomain trick)
- g00gle.com (character substitution)
ARP Spoofing
ARP (Address Resolution Protocol) maps IP addresses to physical MAC addresses on a local network. In an ARP spoofing attack, the attacker sends fake ARP messages to associate their MAC address with the IP of another device (usually the gateway). This allows them to intercept, modify, or stop network traffic -- a classic man-in-the-middle attack.
Defenses
Dynamic ARP Inspection (DAI) on managed switches, static ARP entries for critical systems, network segmentation with VLANs, and using encrypted protocols (HTTPS, SSH) to protect data even if intercepted.
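Added example (not mlab Academy's code): a minimal detector for the "frequent ARP table changes" signal mentioned in the red flags section. It consumes observed ARP replies and alerts when an IP's MAC changes after being learned or when one MAC answers for several IPs. The reply list is constructed; the gateway address is an assumption passed in by the caller.

```python
from collections import defaultdict

# Constructed ARP reply observations (not captured from any real network):
# (timestamp_seconds, sender_ip, sender_mac). The gateway 192.0.2.1 is first
# announced by one MAC; later the MAC of host .11 claims the gateway IP too.
SAMPLE_ARP_REPLIES = [
    (100.0, "192.0.2.1",  "00:11:22:33:44:01"),
    (100.5, "192.0.2.10", "00:11:22:33:44:0a"),
    (101.0, "192.0.2.11", "00:11:22:33:44:0b"),
    (130.0, "192.0.2.1",  "00:11:22:33:44:0b"),  # gateway IP now claimed by .11's MAC
    (131.0, "192.0.2.1",  "00:11:22:33:44:01"),  # real gateway answers again (flapping)
]

def detect_arp_spoofing(replies, gateway_ip=None):
    """Return alert strings for two ARP-poisoning signatures: an IP whose MAC
    changes after being learned (the gateway gets a louder label), and one
    MAC answering for more than one IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "GATEWAY" if ip == gateway_ip else "HOST"
            alerts.append(f"{ts:.1f} {kind} {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts:.1f} {mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, gateway_ip="192.0.2.1"):
        print(line)
```

A MAC change can also be a legitimate hardware replacement or DHCP reassignment, so confirm alerts against the switch (DAI logs, port-to-MAC mapping) rather than treating them as proof.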
3 Detailed Analysis
Comparison of spoofing techniques
| Technique | What is forged | Common use | Defense |
|---|---|---|---|
| Email | From address | Phishing, BEC fraud | SPF, DKIM, DMARC |
| Caller ID | Phone number | Vishing, tech support scam | STIR/SHAKEN |
| Domain | Website identity | Credential harvesting | URL verification, DNSSEC |
| ARP | MAC address | Man-in-the-middle, eavesdropping | DAI, static ARP, VLANs |
| IP | Source IP address | DDoS amplification, evasion | Ingress filtering (BCP38) |
Spoofing in real-world attack chains
Spoofing is rarely used in isolation. It is typically the first step in a larger attack chain:
Business Email Compromise (BEC)
The attacker spoofs the CEO's email to request an urgent wire transfer from the finance department. BEC attacks have cost businesses over $50 billion globally.
Evil Twin Wi-Fi
The attacker creates a Wi-Fi access point with the same name as a legitimate network (like "Airport_Free_WiFi"). Victims connect automatically and all their traffic passes through the attacker's device.
DNS Spoofing (Cache Poisoning)
The attacker corrupts a DNS resolver's cache so that a legitimate domain name resolves to a malicious IP. Users typing the correct URL end up on the attacker's server without any visible warning.
Try it on mlab.sh
Analyze email headers to verify SPF, DKIM, and DMARC authentication results. Detect email spoofing by tracing the real origin of a message through its header chain.
4 Red Flags
Here are the warning signs that you may be the target of a spoofing attack:
Display name does not match email
The name shows "IT Support" but the actual email address is [email protected]. Always check the full email address, not just the display name.
Caller asks for sensitive information
A "bank" calling to ask for your PIN, password, or one-time code is always a scam. Legitimate institutions never request these by phone, even if the caller ID looks real.
SSL certificate mismatch
The URL says one thing but the certificate is issued for a different domain. Modern browsers will warn you, but always check whether the certificate matches the site you intended to visit.
Unusual network behavior
Frequent ARP table changes, duplicate IP warnings, or unexpected network slowdowns on a LAN can indicate ARP spoofing or a man-in-the-middle attack.
Unexpected authentication failure
If email authentication headers show SPF or DKIM failures for a supposedly legitimate sender, the email is likely spoofed. Always check the Authentication-Results header.
Pressure to bypass security
"Please ignore the security warning and proceed" or "Disable your antivirus to install this update." Any request to lower your defenses is a hallmark of spoofing-based attacks.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/spoofing-techniques
Module: Spoofing techniques — Phishing & Social Engineering
Disclaimer: This content is for awareness purposes only.