Learn

Personal Resource Center
Back

Spoofing Is Everywhere. Here's How to Spot It.

Imagine your phone rings, and the caller ID says it's the local police department. When you answer, an officer identifies himself in a recorded message saying he has an urgent legal matter to tell you about and gives you a number to call back.

That's what happened to several residents of Framingham, Massachusetts and surrounding areas.1 While many people ignored the message or called the Framingham Police Department to report the incident, at least one resident called the number as requested — which did not belong to the police department — and was convinced to pay a scammer $24,000. Similar stories circulate frequently, whether it's someone pretending to be a bank employee collecting supposedly compromised debit cards or texts from someone claiming to be with a political campaign asking for donations.2,3

Tricking victims into believing a message is coming from someone trustworthy is a cornerstone of cybercrime, and the practice has a name: spoofing. It's so common that many people don't even react when they receive a text allegedly from UPS about a delivery issue.4

The FBI groups spoofing with phishing as a type of cybercrime, and the pair were the top complaint to the FBI's Internet Crime Complaint Center in 2023, with 298,878 reports and $18.7 million in total losses.5 But spoofing is a fraud technique that can be used in nearly every type of cybercrime, from student loan relief fraud and elder abuse to man-in-the-middle attacks and ransomware scams. Even AI voice fraud and deepfake video scams are sophisticated variations on spoofing. 

Here's what you should know about how spoofing works and how to recognize it. 


What Is Spoofing, and How Does It Work?

Cybersecurity company Kaspersky defines spoofing as, "when fraudsters pretend to be someone or something else to win a person's trust."6 That's a broad enough definition to include the following types of spoofing aimed at consumers:

  • Email spoofing, or phishing
  • Website spoofing
  • Phone call spoofing, or vishing
  • Text spoofing, or smishing
  • Facial or voice spoofing, or deepfakes
Eyeball with dollar sign icon
Spoofing is a fraud technique that can be used in nearly every type of cybercrime.

Each type of spoofing works differently. For email and website spoofing, the deception may be as simple as misspelling a word by a single letter, so recipients don't notice the address is incorrect. A smishing text may simply state that the sender is a trusted organization when it isn't.

Phone numbers can be spoofed using a spoofing service or by using internet-enabled phone services called Voice Over Internet Protocol (VoIP), which often allows users to choose the number displayed on caller IDs. Phone spoofing on its own isn't illegal. It's perfectly fine, for example, for a doctor to call a patient from her cell phone but spoof the caller ID to show her clinic's number.7 This protects her privacy and truthfully alerts the patient about who is calling. The Truth in Caller ID Act, however, makes it illegal to use phone spoofing to defraud someone.8

Facial or voice spoofing are AI-enabled techniques known as deepfakes. Scammers create deepfake media using tech tools that can replicate a voice or someone's entire video image. While the technology is complex, the tools that leverage it are often easy for criminals to use. Some AI tools are so smart that they can create a deepfake video from a still photo and a few seconds of audio.9 Other tools require several minutes of audio and hours of video. 


How To Identify Spoofing

A look through most people's spam folders will confirm that it's nearly impossible to avoid spoofing attempts altogether. But staying alert to the fact that anyone reaching out to you digitally or on the phone may not be who they say they are can help you avoid being taken in by any potential fraud. 

Here are ways to identify spoofing: 

By phone:10

  • Assume every unknown number on caller ID could be a scammer.
  • Spoofers often ask you to answer a question, push a button, or share information. If this happens with an unknown caller, hang up immediately.
  • Be suspicious of any caller saying they are with the government or another trusted organization. Tell them you will call them back, look up the correct number for the organization, and contact them to confirm the caller's claim.
  • Please note: No reputable financial institution — INCLUDING Synovus — will ever call, email, or text you to ask for personal information.
  • If it appears someone from Synovus calls, it’s best to hang up and call the verified, trusted number at 1-888-SYNOVUS(888-796-6887). To reiterate, fraudsters sometimes spoof or use vishing scams to make phone numbers appear accurate on cell phones or caller ID.

By email or text:11

  • Look carefully at the sender's email address for typos or suspicious spelling.
  • Be wary of poor grammar or spelling in email or text messages, as this could indicate a scam. However, the rise of ChatGPT and other AI tools has made this red flag less common.
  • Any message with a heightened sense of urgency could be a sign of a scam.
  • If a number that shows up on your cell phone screen has 5 or 6 digits, like 50000, it could mean the message was sent via email and not from another cell phone, which is one way that scammers operate.

By video or voice:

  • Ask distressed callers for a code word. Set a family code word that everyone can remember, but outsiders couldn't guess. If someone reaches out by video or phone call claiming to be a family member in distress, ask for the code.9
  • Look for AI glitches and limitations. If a call seems suspect, look for oddities like hair or eyebrows that look strange or light reflecting oddly off of glasses.9 Skin can look too smooth or too wrinkly. The edges of someone's face can look blurry or irregular.12 Ask the person to put their hand in front of their face or turn their head around. These movements can look unrealistic in a deepfake. 
  • Tell them you need to call them back.13 Before sending money or sensitive information to anyone, tell them you'll call them right back. Use your own contact information to reach out and confirm the caller is who they say they are.

Many people receive spoofing attempts all the time, from suspicious text messages to calls from unknown numbers. In many cases, ignoring the message is sufficient. But if you suspect you've accidentally clicked on a link, responded to questions, sent someone money, or otherwise interacted with a spoofing scam, report the incident to the FBI's Internet Crime Complaint Center (IC3).14

You can also follow the steps outlined in our guide, "What to Do if You Are a Victim of Fraud," to protect your credit and financial accounts. 

Important disclosure information

This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.

  1. Norman Miller, "Framingham resident is scammed out of $24,000 as part of phone spoofing scam," The MetroWest Daily News, published August 15, 2024. Accessed December 16, 2024. Back
  2. Alyssa Roberts, "Thousands drained from Henderson residents' bank accounts in debit card," KTNV Las Vegas, May 28, 2024. Accessed December 16, 2024. Back
  3. FBI, "Scammers Exploit 2024 US General Election to Perpetrate Multiple Fraud Schemes," October 29, 2024. Accessed December 16, 2024. Back
  4. Verified.org, "Get an Unexpected Delivery Alert? It May be a UPS Text Scam," published February 10, 2023. Accessed December 16, 2024. Back
  5. Internet Crime Complaint Center, "Federal Bureau of Investigation Internet Crime Report 2023," accessed December 16, 2024. Back
  6. Kaspersky, "What is Spoofing – Definition and Explanation," accessed December 16, 2024. Back
  7. Susan M. Collins-Smith, "Take steps to avoid caller ID spoofing scams," published April 2022. Accessed December 16, 2024. Back
  8. Federal Communication Commission, "Consumer Guide: Caller ID Spoofing," accessed December 16, 2024. Back
  9. Jon Healey, "Real-time deepfakes are a dangerous new threat. How to protect yourself," Los Angeles, published May 11, 2023. Accessed December 16, 2024. Back
  10. Federal Communication Commission, "Caller ID Spoofing," published November 13, 2024. Accessed December 16, 2024. Back
  11. Perception Point, "Email Spoofing: How It Works, Detection and Prevention," accessed December 16, 2024. Back
  12. Vermont Secretary of State, "A.I. Deepfakes and Scams," accessed December 16, 2024. Back
  13. National Council on Aging, "Understanding Deepfakes: What Older Adults Need to Know," published October 30, 2024. Accessed December 16, 2024. Back
  14. Internet Crime Complaint Center, Complaint Form, FBI, accessed December 16, 2024. Back