[BreachExchange] The Difference Between Phishing & Spoofing

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 9 18:55:06 EDT 2018


Phishing and spoofing are terms that are often used interchangeably. They
are not the same, and as a business owner it is important to know what is
at stake should your laptop, PC or entire network become the target of
either type of attack.

Differences Between Phishing and Spoofing

The misconception that phishing and spoofing are synonymous, based on
nothing more than surface similarities, pervades the Internet. Beneath the
surface they are clearly different. Spoofing forges who a message appears
to come from: the display name, the From address or a look-alike domain.
Phishing is the lure itself: a message crafted to make you hand over
credentials or financial details, or to open a link or attachment that
installs malware. Phishing is a method of retrieval, while spoofing is a
means of delivery.

What Is Spoofing?

Cyber criminals create pixel-perfect counterfeits of corporate emails to
trick business owners into taking ill-advised actions. No one would
deliberately download a Trojan, but a recipient might do it unwittingly if
he believed his commercial accounts were at risk of identity theft. Herein
lies the premise of spoofing: an official-looking email from an important
service provider instructs you to take precautionary action to protect your
finances or reputation. Corporate logos and other distinctive graphics are
easy for attackers to copy and embed in emails, and the sender's display
name and From address are ordinary header fields that the sender fills in,
so a message can claim to come from anyone. These professional graphic
elements convince end-users that an impending threat can be averted by
following the sender's instructions, which usually means clicking a link in
the message. In many cases the link leads to a download or a booby-trapped
page that installs malware, which may then spread across your network and
put your clients and vendors at risk. The technical control against a
forged sender is on the receiving mail server: SPF, DKIM and DMARC let it
reject or quarantine mail whose claimed domain did not actually send it.

How Is Phishing Different?

In practical terms, phishing usually relies on spoofing, since it deceives
with legitimate-looking messages. What sets phishing apart is the payoff:
the message typically provides a link to a bogus website where the end-user
is asked to enter sensitive account information, such as a social security
number, tax ID or bank account details. Releasing this information can
result in direct losses and lasting damage to your credit rating. Attackers
are adept at HTML design and web programming, so the untrained eye is easily
fooled. Fortunately, for the time being at least, a few telltale signs give
these scams away, including suspicious URLs and unsolicited attachments.


If you receive a suspicious email, look at the sender's actual address, not
just the display name, and take careful note of the domain. Careful
attackers register a domain that is a subtle variation of a legitimate one,
so look for minor misspellings, swapped letters and digits substituted for
letters. Sloppy attackers give themselves away with a domain that is
complete gobbledygook. Hover over any link before clicking and compare the
address your mail client shows with the text of the link; they should match.
Be wary of attached files: financial institutions will rarely, if ever, send
them to their customers. If the message has a ".exe", ".scr", ".zip" or
".bat" file attached, treat it as a red flag, don't open it, and don't
follow any instructions. Call your service provider on a number you already
have if you suspect a fraudulent email. Your provider will welcome the
report because it gives your financial institution a chance to protect the
assets and identities of its customers.
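The checks described above, turned into code as an added example that is not part of the original post: it parses a raw message, compares the sender and link domains against a trusted list (look-alike domains, brand names in the display name, a Reply-To that points elsewhere, link text that disagrees with its target) and flags the attachment types the article calls out. The trusted domains, the two sample messages and the distance threshold are all constructed for the demo; a real deployment would use a proper public-suffix list and tune the thresholds.

```python
"""Triage an e-mail for the spoofing and phishing tells described above.

Added example (not from the original post). TRUSTED_DOMAINS, the sample
messages and the heuristics' thresholds are constructed for the demo.
"""
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed allow-list: domains this hypothetical business legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com", "payroll-provider.example"}

# Attachment types the article flags, plus a few common equivalents.
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".bat", ".js", ".vbs", ".lnk", ".iso")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(domain):
    """Fold common look-alike substitutions (examp1ebank -> examplebank, rn -> m, vv -> w)."""
    d = domain.lower().rstrip(".").replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    d = domain.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):   # the real domain or a subdomain of it
            return None
    for trusted in TRUSTED_DOMAINS:
        if d.startswith(trusted + "."):                 # examplebank.com.secure-login.example.net
            return trusted
        if normalize(d) == normalize(trusted):          # examp1ebank.com
            return trusted
        if edit_distance(d, trusted) <= 2:              # exampelbank.com, examplebank.co
            return trusted
    return None


def hostname(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def analyze(raw):
    """Parse raw RFC 5322 bytes and return a list of (category, detail) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        target = imitated_domain(sender.domain)
        if target:
            findings.append(("lookalike_sender", f"{sender.domain} imitates {target}"))
        # A trusted brand in the display name but an untrusted address behind it.
        brand = sender.display_name.lower()
        if sender.domain.lower() not in TRUSTED_DOMAINS and any(
                t.split(".")[0] in brand for t in TRUSTED_DOMAINS):
            findings.append(("brand_in_display_name", sender.display_name))
        reply_to = msg["Reply-To"]
        if reply_to and reply_to.addresses and \
                reply_to.addresses[0].domain.lower() != sender.domain.lower():
            findings.append(("reply_to_mismatch", reply_to.addresses[0].domain))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(text):       # link text that disagrees with its target
        label = re.sub(r"<[^>]+>", "", label).strip()
        if URL_RE.fullmatch(label) and hostname(label) != hostname(href):
            findings.append(("link_text_mismatch", f"{label} -> {href}"))
    for url in URL_RE.findall(text):                  # any link pointing at a look-alike domain
        target = imitated_domain(hostname(url))
        if target:
            findings.append(("lookalike_link", f"{url} imitates {target}"))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", name))
    return findings


def build_phishing_sample():
    """Constructed phishing message (not a real sample) exercising every check."""
    m = EmailMessage()
    m["From"] = Address("ExampleBank Security", "alerts", "examp1ebank.com")
    m["Reply-To"] = Address("ExampleBank Security", "verify", "mail-relay.example.net")
    m["To"] = "owner@smallbusiness.example"
    m["Subject"] = "Action required: unusual activity on your commercial account"
    m.set_content("Unusual activity was detected. Review it at https://examplebank.com/secure")
    m.add_alternative(
        '<p>Unusual activity was detected.</p>\n'
        '<p><a href="https://examplebank.com.secure-login.example.net/verify">\n'
        'https://examplebank.com/secure</a></p>\n', subtype="html")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                     subtype="zip", filename="Statement.zip")
    return m.as_bytes()


def build_benign_sample():
    """Constructed legitimate message: real domain, matching link, no attachment."""
    m = EmailMessage()
    m["From"] = Address("ExampleBank Alerts", "alerts", "examplebank.com")
    m["To"] = "owner@smallbusiness.example"
    m["Subject"] = "Your statement is ready"
    m.set_content("Your statement is ready at https://examplebank.com/statements")
    return m.as_bytes()


if __name__ == "__main__":
    for category, detail in analyze(build_phishing_sample()):
        print(f"{category:22} {detail}")
    print("benign findings:", analyze(build_benign_sample()))
```

The domain comparison is the part worth keeping honest: a subdomain of a trusted domain (`alerts.examplebank.com`) is legitimate, while a trusted name used as the leading labels of a different registrable domain (`examplebank.com.secure-login.example.net`) is the classic trick, and the two are only distinguishable by looking at the end of the name. None of this replaces SPF, DKIM and DMARC on the mail server; it is the recipient-side sanity check the article describes.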