What is spoofing?

Of the many ways to mislead internet users into disclosing confidential information, none seems to work better than forging emails and web pages to look as if they are from legitimate sources. This is called ‘spoofing’, and the practice has grown rapidly over the past few years.

Mike Barwise | 9th September 2010

‘Spoofing’ is falsifying the origin of an internet communication in order to mislead the recipient. It's widely used to create bogus emails or web pages in order to steal money, passwords or banking credentials.

Beware of ‘spam’ emails

Email spoofing is the most commonly encountered. The apparent sender address of almost all spam email is bogus. This is because the ‘From’ line in an email is not actually used to send it - it's just a piece of text. A specially-written email program can make it say anything at all, so you can't rely on it to find out where an email has really come from.

In the past, most spam email contained attachments that could infect your computer with malicious code (‘malware’) when the attachment was opened or previewed. But nowadays, it's more common for spam to contain a link to a malicious website.

Unless you click on the link, you're quite safe. So just opening the email is now less dangerous than it was, and once it's open you can usually see if it's bogus pretty easily - misspelled words, bad grammar and naive phraseology are very common.

But very convincing spoofed messages, supposedly from banks, frequently ask for your card number, PIN and password. These emails can include the bank's logo, and at least one has quoted the bank's real helpline phone number and a warning about phishing emails. But you shouldn't get caught out if you remember that real banks never send emails like this.

Close inspection is the key

Most commonly, website spoofing relies on minor differences in website addresses going unnoticed, particularly in search engine results.

The attackers register a web address which is very similar to a well-known, trusted one, but with some small, easily-overlooked difference. Replacing a lower case 'l' with the digit '1' is a classic ploy. Or they register a website name that is the same as a legitimate site, except for its ending - for example, '' where the legitimate site name is '' - and use that variant to host the malicious site.

In either case, when you follow the link, you don't land on the trusted site you expect, but on a completely different (usually malicious) one. It may be designed very convincingly to replicate the legitimate site you intended to visit, even to the extent of offering a secure connection for buying. But the secure connection will be to the attacker's website and any card details entered will be stolen.

Remain extra vigilant

The best way to protect yourself is to pay close attention to the web address and check that it's correct. In search engine results, for example, the clickable link (which doesn't necessarily directly show the web address) is usually followed by a brief description and a text representation of the web address on a line of its own.

If you right click with the mouse on the clickable link, you can view the actual web address directly. It should exactly match the visible address at the end of the search result (at least up to the first forward slash), and both should be what you expect. Vigilance is your greatest protection.
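The check described above (actual address against visible address, up to the first forward slash), combined with the two lookalike tricks from the previous section, as an added Python example that is not part of the original article. The trusted list and sample links are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allow-list: example.com stands in for a site you actually trust.
TRUSTED = ("www.example.com",)
# The digit-for-letter swap named in the article ('1' in place of 'l').
LOOKALIKES = str.maketrans({"1": "l"})


def host_of(address):
    """Host part of an address: everything up to the first forward slash."""
    if "://" not in address:
        address = "//" + address  # let urlsplit treat bare text as a host
    return (urlsplit(address).hostname or "").rstrip(".")


def check_link(visible, href, trusted=TRUSTED):
    """Return findings for one search result or email link."""
    shown, actual = host_of(visible), host_of(href)
    findings = []
    if shown != actual:
        findings.append("mismatch")  # link goes somewhere other than shown
    if actual in trusted:
        return findings
    for good in trusted:
        if actual.translate(LOOKALIKES) == good.translate(LOOKALIKES):
            findings.append("lookalike")  # differs only by a swapped character
        elif actual.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
            # Simplification: the "ending" is taken to be the last label only.
            findings.append("different-ending")
    return findings


if __name__ == "__main__":
    samples = [  # constructed (visible text, real link target) pairs
        ("www.example.com/account", "https://www.example.com/account/login"),
        ("www.example.com", "https://www.examp1e.com/login"),
        ("www.example.net", "http://www.example.net/"),
    ]
    for visible, href in samples:
        print(f"{visible:28} -> {host_of(href):20} {check_link(visible, href) or 'ok'}")
```

An empty result means the link target matches the visible address and is on the trusted list; anything else deserves a closer look before clicking.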

Mike Barwise

Mike Barwise is a veteran information security consultant. He has participated in the definition of standards, legislation and policy on computer and internet security, and has lectured on policy development and consultancy practice.