Protect Yourself and Report the Latest Frauds, Scams, Spams, Fakes, Identity Theft, Hacks and Hoaxes
Spoofing, particularly "email spoofing", is a relatively new term used to describe fraudulent emails in which the sender's address and other parts of the email header are altered to appear as though the email originated from a different source. For example, you might receive an email that appears to have been sent from a well-known company (like Microsoft), a government agency or even Consumer Fraud Reporting. In reality, none of those organizations would be likely to send any unsolicited email (that is, email you didn't sign up for and expect to receive). In short, spoofing is a counterfeit email with stolen email addresses used without the real address owner's knowledge or permission.
Spoofing is a technique commonly used by spammers and by scammers who rely on phishing to hide the real origin of an email message. By changing certain properties of the email, such as the "From", "Return-Path" and "Reply-To" fields (which are found in the message header), these criminals can make the email appear to be from someone other than the actual sender. And unfortunately, there is nothing that can be done about it at present, any more than there is anything to stop someone from writing a false return address on a postal letter and dropping it in a mailbox.
It is often associated with website spoofing, in which a site mimics an actual, well-known website but is run by another party, either with fraudulent intentions or as a means of criticizing the organization's activities. The result is that, although the email appears to come from the address indicated in the "From" field (found in the email headers), it actually comes from another email address, probably the same one indicated in the "Reply-To" field; if the initial email is replied to, the reply will be delivered to the "Reply-To" address, that is, to the spammer's email.
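The header comparison described above can be automated. The following is an added example, not code from this site: it parses a constructed sample message (all addresses are made up) and reports when the "Reply-To" or "Return-Path" domain differs from the "From" domain. The function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message (not a real email); all addresses are made up.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: claims@collector.example.org
To: victim@example.com
Subject: Your account is about to be closed

Please confirm your personal information.
"""

def domain_of(address):
    """Return the lower-cased domain of an address, or None if there is none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def header_mismatches(raw_message):
    """Compare the From domain with the Reply-To and Return-Path domains."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    if from_domain is None:
        return ["From header missing or has no domain"]
    findings = []
    # Reply-To may list several addresses; check each one.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        d = domain_of(addr)
        if d and d != from_domain:
            findings.append(
                f"Reply-To domain {d} differs from From domain {from_domain}")
    # Return-Path is usually written in angle brackets; parseaddr strips them.
    rp = domain_of(msg.get("Return-Path"))
    if rp and rp != from_domain:
        findings.append(
            f"Return-Path domain {rp} differs from From domain {from_domain}")
    return findings

if __name__ == "__main__":
    for line in header_mismatches(SAMPLE):
        print(line)
```

Legitimate bulk mail is often sent through a mailing service with its own "Return-Path" domain, so treat a finding as a reason to look closer, not as proof of spoofing.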
Typically, scammers use phishing and spoofing to get personal information from you in order to steal your identity and then your money, passwords to accounts or benefits. Pretending to be from a legitimate retailer, bank, or government agency, the sender asks to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem.
The most common use is to send an email appearing to be from a bank asking you to go to its site (with the link provided) to reenter your most personal information. The link takes you to a bogus website! Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people's banking information to deposit their "winnings" in their accounts.
If you're not a programmer, your only familiarity with email may be as a user of an "email client", like Microsoft Outlook. These programs hide the inner workings from you, so when you send an email, it automatically puts your real return address in the "sender" field. But any programmer familiar with internet protocols can easily manipulate these "email headers" and construct an email manually. That allows them to insert whatever address they want in the sender field, such as JoeBlow@FBI.gov and it will look as real as any email to the recipient. This technique is now commonly used by mass-mailing worms as a means of concealing the true origin of the propagation.
Unfortunately, it is easy to spoof email because SMTP (the Simple Mail Transfer Protocol, which is the most commonly used technology behind all email) lacks authentication. A common misconception is that the "IP address" can also be spoofed, to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, etc. That is (generally) not true. It will work in emails for which no reply is needed or wanted - but then there will inevitably be links in the email for you to buy their products, and those links must be real (although, they may be on hijacked computers, with the owners unaware of the activity.)
There are many ways:
Newer versions of these worms randomize all or part of the email address. A worm can use various methods to achieve this, including:
These random word generators are why you often see emails in your inbox with gibberish sentences followed by an ad or link for Viagra, Cialis, or other medications and products.
Gartner Group reports that, from May, 2005, over 1.8m consumers have been conned by phishing attacks into revealing sensitive information. The majority of that was in 2004 to present. Spoofing emails have increased by 4000% in the past 6 months. The average consumer victim loses $1200 when his bank account is taken over. The United States Treasury even has a warning about Spoofing scams.
In short,
There are a number of examples of Spoofing emails to look at on this page.
If you need advice about an Internet or online solicitation, or you want to report a possible scam, use the Online Reporting Form or call the NFIC hotline at 1-800-876-7060.
To report to the organization impersonated in the email you received, write directly to the company or organization. Here are the real websites, email addresses and phone numbers of some of the more common targets of spoofing / phishing:
| Company name and link to their website | Email address to report spoofing and phishing | Phone |
| --- | --- | --- |
| | | 1-800-267-6884 |
| | | 1-949-622-0525 |
| | | 1-800-927-0395 |
| | | 1-866-904-7500 |
| | | 1-800-227-3782 |
| | | 1-800-788-7000 |
| | | 1-866-867-5568 |
And please let us know about any suspicious calls or emails you receive. We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!
For a comprehensive list of national and international agencies to report scams, see this page.