A 61% increase in phishing and spoofing attacks on US businesses between 2021 and 2022 highlights the need for better defenses. But businesses largely feel helpless, since fraudsters use highly advanced malware techniques to bypass security systems and make off with the money.
In the fight against spoofing and phishing, it’s important to know the difference and how to prevent each type of attack. So, spoofing vs phishing: what are the differences? And how can you fight back effectively? At Trustpair, we back businesses by monitoring third-party risks and blocking suspicious spoofing and phishing payments in real time. Contact an expert to learn more!
Spoofing and phishing, a definition
While many use the terms spoofing and phishing interchangeably, there are a few minor differences that separate the two ways that your company could be compromised.
Spoofing is a form of identity theft. It works when the fraudster targets a corporation by:
- Launching a digital attack by copying a legitimate user’s details.
- Creating an account with as many of the same details as they can (for example, by choosing a similar domain name and manipulating the on-screen appearance so that their different email address looks like the legitimate user’s account).
- Attempting to breach the security protocols and get into their target’s systems, where they can later explore, extract sensitive information, and transfer money.
Spoofing can be facilitated in a number of different ways, including through:
- Email: choosing a similar email domain name and manipulating the display name so the sender appears to be a legitimate user
- IP: forging the source IP address so that their traffic appears to come from a trusted location and bypasses the security system
- DNS: redirecting users from the real website to a fake, malware-ridden one
- Caller ID: manipulating the displayed caller name so that a call appears to come from a trusted source like the bank
One famous case of spoofing saw the impersonation of the US Department of Justice in January 2022. While the legitimate domain for the organization is [name]@dol.gov, the hackers used a very similar domain, [name]@dol-gov.
The cybercriminals then contacted known partners of the DoJ, sending out emails from the spoofed account with very similar branding to ensure everything looked official. Inside the emails were links that, once clicked, redirected the victims to a fake “log in” page for Office 365.
The victims then typed in their credentials and were even shown fake error messages so that they were forced to enter their account name and password a second time. This weeded out mistyped entries and ensured that the hackers had the correct details to access the accounts, and the sensitive information within them, for themselves.
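The lookalike-domain trick in the case above is something a mail gateway can screen for automatically. The following is an added example (not Trustpair’s code or any product’s detection logic) that checks each From: header against a small allowlist of domains the organisation actually deals with and flags near-misses: a hyphen swapped for a dot, a digit standing in for a letter, a one-character typo, or a trusted domain shown only in the display name. The allowlist (`TRUSTED_DOMAINS`, including the placeholder `example-supplier.com`) and the sample headers are constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example, not Trustpair's code or any product's detection logic.
The TRUSTED_DOMAINS allowlist and the SAMPLE_HEADERS below are constructed
for illustration, loosely modelled on the dol.gov / dol-gov lookalike
described above.
"""
import re
from email.utils import parseaddr

# Constructed allowlist: domains this organisation actually corresponds with.
TRUSTED_DOMAINS = {"dol.gov", "example-supplier.com"}

# Digits that fraudsters commonly substitute for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Collapse the usual lookalike tricks: punctuation and digit homoglyphs.

    'dol-gov', 'dol.gov' and 'd0l.gov' all normalise to 'dolgov'.
    """
    return re.sub(r"[^a-z]", "", domain.lower().translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats like doll.gov."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header value."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return "trusted"
    # Display name borrows a trusted domain while the real address does not:
    # the "manipulated screen appearance" trick described above.
    if any(g in name.lower() for g in trusted):
        return "lookalike"
    if not domain:
        return "unknown"
    full = normalize(domain)
    without_tld = normalize(domain.rsplit(".", 1)[0])  # 'dol-gov.com' -> 'dolgov'
    for g in trusted:
        g_norm = normalize(g)
        if g_norm in (full, without_tld) or levenshtein(full, g_norm) <= 1:
            return "lookalike"
    return "unknown"


# Constructed From: headers standing in for a mailbox's inbound traffic.
SAMPLE_HEADERS = [
    "Jane Doe <jane@dol.gov>",
    "Jane Doe <jane@dol-gov.com>",
    "jane@d0l.gov",
    "dol.gov <noreply@mailer-example.net>",
    "Accounts Payable <ap@mail.example-supplier.com>",
    "bob@unrelated-example.org",
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its verdict so lookalikes can be quarantined for review."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

A verdict of `lookalike` is a signal to quarantine for human review rather than to block outright: the edit-distance threshold of one deliberately errs towards flagging, and short trusted domains will produce some false positives. Note that this check only reads the From: header; pairing it with SPF/DKIM/DMARC results from the receiving gateway is what makes it robust.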
Phishing attacks (such as spear phishing) also begin with a digital attack, but the style in which it happens is slightly different. The cybercriminal:
- Impersonates a legitimate party (such as a CEO, supplier or third party), sometimes changing the real details to avoid suspicion (“I’m the new admin assistant at [your supplier]”).
- Fraudulently contacts a specific individual target at the victim’s company, pretending to be with this third party.
- Applies high-pressure and social engineering tactics to get the targeted party to transfer funds or confidential information, without the fraudster ever gaining internal system access themselves.
Similar to spoofing, phishing can be facilitated through a number of different channels, like:
- CEO fraud: impersonating the CEO to ask for an urgent payment to a supplier
- Invoice fraud: impersonating a vendor to ask for a change in payment details
- Third-party fraud: impersonating a trusted source (like the bank) to get sensitive information and use this in later scams, or selling it on the dark web
A recent high-profile case of phishing involved the Puerto Rican government. In a business email compromise attack, a financial director mistakenly transferred over $2.6 million to fraudsters who’d asked for a change of payment details. These criminals had hacked into a real third-party system to request the new payment – making the scam look totally legitimate.
While phishing losses are typically never recovered, the FBI was able to freeze the funds in this instance and prevent the attack from succeeding.
Spoofing vs phishing: the differences
Here are the major differences between phishing and spoofing:
| Spoofing | Phishing |
| --- | --- |
| The fraudsters manipulate the appearance of their account so that it closely resembles that of a legitimate source | The contact details are from the real source (hacked) or claim to be a new individual at a known legitimate source |
| The cybercriminals redirect the victim to a fake page to gain their credentials | The attacker uses social engineering tactics to apply pressure and get the victim to take action (either by initiating a payment or sharing personal information) |
| Once credentials are gained, the scammers log into sensitive accounts themselves to gain access to information or money | The scammers don’t usually log in themselves; instead they make off with the money or data remotely |
When these types of attacks threaten an organization, they aren’t usually a one-off. Instead, fraudsters can use multiple techniques to consistently weaken your systems or try to catch out your employees. So, it’s useful to be aware of both types of threats as you protect your business from cybercrime.
How can you protect your business against spoofing & phishing?
The masterminds behind spoofing and phishing attacks are clever enough to bypass complex security systems. However, there are some efficient detective and preventative measures that businesses can take:
- Upgrading your business’ spam filter for emails.
- Encouraging staff to hover over links before clicking, to reveal whether they lead to malicious sites, and to delete any suspicious emails.
- Checking spelling and grammar to reveal suspicious word patterns that sound out of the ordinary for your usual contact.
Fraud awareness training will also help your employees stay alert to the threat. Internal control measures, like payment approval policies, should snare further phishing attempts too.
Finally, it’s important to apply automated fraud prevention barriers to your systems in case suspicious behavior is not caught manually.
Do this by creating an iron cage around your payment systems with a platform like Trustpair. We use automated pattern recognition to detect suspicious third-party behavior and block payments from leaving your account. This way, even if your staff is duped into paying a fake invoice, your company is protected.
Spoofing vs phishing: the difference is in the details. Spoofing leads to attackers using copycat domains and brands to fool you into adding your own credentials, which they then use to access your accounts. Phishing criminals set up fake scenarios to gain trust, getting you to directly transfer money or information to them. Trustpair prevents the effects of spoofing and phishing by blocking payments to suspicious accounts.