The Difference Between Phishing & Spoofing
By John Lister
Spoofing and phishing are both techniques used by scammers to mislead e-mail recipients. Both involve posing as a different sender to trick the recipient into carrying out an action. Spoofing is a technical measure used to change the apparent sender details on an e-mail, while phishing is an attempt to make the recipient hand over sensitive information such as log-in details. The two techniques may be used either separately or simultaneously: in simple terms, spoofing refers to what a scammer does, while phishing refers to what a scammer is trying to achieve.
Spoofing: Wide Definition
The term spoofing usually refers to a category of scam in which the sender poses as somebody else. It can cover a wide range of tactics to make an e-mail look legitimate, including using logos from the organization which the scammer is pretending to represent, as well as assuming e-mail addresses that closely resemble those of other organizations, to trick recipients who don't read closely to detail. Examples include using a similar domain name with a different ending (such as .com instead of .org) or replacing the letter "l" with the similar looking digit "1." Spoofing has a variety of purposes including trying to trick the recipient into handing over personal details (phishing) or into opening an attached file that houses a virus.
Spoofing: Narrow Definition
A narrower category of spoofing refers to the specific tactic of using a technical measure so that the recipient's e-mail program shows the real sender address of the organization that the scammer pretends to represent. It works because many e-mail systems do not include a check to make sure the stated sender details on an e-mail are genuine. In some cases you can uncover spoofing by using the "show headers" feature in your e-mail application which may show the true origin. In other cases the e-mail may have been routed through an unsecure e-mail server, removing any trace of where it really came from.
Phishing is a particular type of scam that involves posing as somebody else in an e-mail. The distinction from spoofing is not how the person creates the deception, but rather the intended outcome. Phishing is designed to trick the recipient into handing over personal details such as passwords either by directly replying to the e-mail or by following a link to a website which resembles that of the real organization.
Always check e-mails carefully and check for mistakes in e-mail and website addresses. Before following a link, hover your mouse over it and check that the destination address matches the website address of the organization or person from which the e-mail claims to come. If you are suspicious, do not follow the link but instead visit the home page of the organization's website and search for the appropriate page. Check the policies of any online banks or other important services you use: many organizations, particularly financial websites, have a policy of never asking for sensitive information via e-mail, so you will know any such message is a scam.
A professional writer since 1998 with a Bachelor of Arts in journalism, John Lister ran the press department for the Plain English Campaign until 2005. He then worked as a freelance writer with credits including national newspapers, magazines and online work. He specializes in technology and communications.