Spoofing is a tactic where the malicious actor uses an email address or other credentials resembling a genuine entity to make the recipient believe that it is from a trusted source. They use spoofing to extract money or induce targets to download malware or share sensitive information. Unlike BEC, the threat actor does not particularly compromise the email account of the organization’s business executive to send malicious messages. Instead, it could be anyone that the target trusts as genuine.
Different types of spoofing include phone call spoofing, email spoofing, DNS spoofing, IP spoofing, DDoS spoofing, ARP spoofing, etc. The attack against American health insurance provider Humana in 2018 is a classic example of DDoS spoofing. The perpetrators managed to steal the medical, financial, and claims records of nearly 500 people.