Threats & Attacks

Req 4d — Spoofing & Phishing

4d.

Describe what spoofing and phishing are, and how to recognize a message or website that might be trying to trick you. Explain what steps you should take to protect yourself and others if you come across one.

You get an email from your bank: “We detected suspicious activity on your account. Click here to verify your identity immediately.” The email looks real — it has the bank’s logo, the right colors, even a professional tone. But the link leads to a fake website designed to steal your password. This is phishing, and it is the most common cyberattack in the world.

What Is Spoofing?

Spoofing is pretending to be someone or something you are not. It is the umbrella technique behind many cyberattacks. Attackers “spoof” trusted identities to trick you into lowering your guard.

Common types of spoofing:

Email spoofing — sending an email that appears to come from a trusted address (your school, your bank, a friend)
Caller ID spoofing — making a phone call that shows a fake number on your caller ID
Website spoofing — creating a fake website that looks identical to a real one
IP spoofing — disguising the origin of network traffic to bypass security systems

What Is Phishing?

Phishing is a specific attack that uses spoofing to trick you into giving up sensitive information — passwords, credit card numbers, Social Security numbers, or login credentials. The name comes from “fishing” — the attacker casts bait and waits for someone to bite.

Types of Phishing

Email phishing — mass emails sent to thousands of people, hoping some will click
Spear phishing — targeted emails crafted for a specific person using personal details (“Hi Marcus, here is the camping trip schedule you asked about”)
Smishing — phishing via SMS text messages (“Your package could not be delivered. Click to reschedule.”)
Vishing — phishing via voice calls (“This is the IRS. You owe back taxes. Press 1 to pay immediately.”)

How to Spot a Phishing Attempt

Phishing messages are getting more sophisticated every year, but they still leave clues.

Phishing Red Flags

Check for these warning signs in any suspicious message

Urgency and threats: “Your account will be suspended in 24 hours” or “Act now or lose access.” Legitimate companies rarely threaten you via email.
Generic greetings: “Dear Customer” or “Dear User” instead of your actual name.
Suspicious sender address: The display name might say “Apple Support” but the actual email is something like support@apple-verify-id.com. Check the full email address.
Misspellings and bad grammar: Professional companies proofread their emails. Multiple errors are a red flag.
Unexpected attachments: Do not open attachments you did not expect, especially .exe, .zip, or .doc files.
Mismatched links: Hover over a link (without clicking) to see where it actually goes. If the display text says “www.paypal.com” but the URL goes somewhere else, it is a phish.
Requests for sensitive information: Legitimate companies will never ask for your password, full Social Security number, or credit card number via email.

Be Prepared!

The 'Verify Your Account' Email

You receive an email that looks like it is from a service you actually use — maybe Instagram or your email provider. It says your account has been compromised and you need to click a link to verify your identity.

Do not click the link. Even if the email looks perfect, do not use any links in it.
Go directly to the source. Open a new browser window and type the website address yourself (e.g., instagram.com). Log in normally. If there is really a problem with your account, you will see a notification there.
Check the sender. Look at the actual email address, not just the display name. Phishing emails often come from addresses that are close to real ones but slightly off (support@instagran.com).
Report it. Most email providers have a “Report phishing” button. Use it. This helps train spam filters and protects other people.
Tell someone. If you are unsure whether an email is real, ask a parent, teacher, or IT staff member before doing anything.

Recognizing Fake Websites

Phishing emails often lead to fake websites that look nearly identical to the real thing. Here is how to spot them:

Check the URL carefully. Look for subtle misspellings: “paypa1.com” (with a number 1 instead of the letter l), “arnazon.com” instead of “amazon.com.”
Look for HTTPS. While HTTPS alone does not guarantee a site is legitimate (attackers can get certificates too), the absence of HTTPS on a login page is a definite red flag.
Look for visual inconsistencies. Blurry logos, broken formatting, or links that do not work can indicate a hastily created fake site.
Test non-critical links. On a real company website, the “About Us,” “Contact,” and “Privacy Policy” links all work. On a phishing site, they often lead nowhere.

Be Internet Alert — Google Interactive resources from Google for recognizing phishing, scams, and other online deceptions.

Dear Valued Customer, 3

We have detected suspicous activity on your account. Your account will be permanantly suspended within 24 hours unless you verify your identity immediatley. 4

Please click the link below to confirm your account information:

https://www.securebank.com/verify Actually goes to: http://s3cure-bank-alerts.com/steal-info 5

Failure to respond will result in permanent account closure.

Sincerely,
The SecureBank Security Team
This email was sent from a no-reply address. Do not respond directly. 6

Suspicious sender address — display name says "SecureBank" but actual email is from a different domain
Urgency and threats — pressures you to act immediately without thinking
Generic greeting — "Dear Valued Customer" instead of your real name
Spelling errors — "suspicous," "permanantly," "immediatley" — legitimate companies proofread
Mismatched link — displayed URL looks real but actually goes to a malicious site
No way to reply — prevents you from contacting the real organization to verify