Spoofing is the process of disguising a communication to make it appear as if the communication came from a trusted source. The target of a spoofing attack can be a person or computer system. In a person-to-person case, the most common spoofing attacks include email phishing and caller ID attacks. For computer systems, spoofing attacks target elements such as Address Resolution Protocol (ARP) services, domain name system (DNS) servers, and internet protocol (IP) addresses.
The success of a spoofing attack generally depends on its ability to exploit a trusted relationship between the target and some other person or organization. Personalizing the message for a specific target is often an effective method of convincing the target that it comes from a trusted source. The victim’s lack of knowledge about the ease of faking internet communications is often a significant factor in spoofing attacks.
The consequences of a successful spoofing attack include the compromise of sensitive information or credentials, which the attacker can use in a future attack. These attacks often use malware that leverages information the target provided during the initial spoofing attack. The ability to exploit trusted relationships or bypass access controls also allows spoofing attacks to compromise computing systems through methods such as denial-of-service (DoS) or man-in-the-middle (MITM) attacks. A DoS attack deprives a system of its resources by making repeated requests for services in an attempt to overwhelm the system. An MITM attack is so named because attackers place a process under their control between two legitimate entities on the system.
The effect of a successful spoofing attack in business terms can include a ransomware attack, in which the attacker promises to restore service in exchange for some type of payment. A successful attack can also cause a business’s website to spread malware to other systems. Another kind of spoofing attack within a business context is a business email compromise (BEC), which consists of the attacker posing as a manager to trick an employee into transferring funds to an account that the attacker owns.