Phishing vs Spoofing

One of the things I've noticed amongst the public is the confusion between the terms phishing and spoofing.  The two are not synonymous.  Phishing attacks generally use spoofing as a strategy, but spoofing attacks are not necessarily phishing.

Spoofing is impersonating someone else in order to trick your target into doing something that they might not ordinarily do.  An example is a very clever BBB spoof I saw this morning.  In the message, the spoofer claims to be from the BBB and the target (with full name and email details inserted into the message) has a complaint made against them.  The target is to click on the link in the message in order to find out more details about the complaint.  Of course, the link is really a link to an executable or a page with malware within it.  The message contains the BBB logo and looks legitimate with all the standard disclaimers.

By contrast, a phishing attack is an attack wherein the sender tries to trick the target into giving up sensitive information resulting in financial gain for the sender.  An example is a message where a spammer impersonates eBay and tries to trick the end-user into giving up account details, financial data or passwords to their account.

Note the difference: phishers need to spoof a trustworthy organization in order to harvest information (since the odds of giving out that information to a stranger are much lower than giving it out to someone you think you can trust), but spoofers are not necessarily trying to acquire financial information.  Spoofers may just be trying to get you to download malicious software.

Now we know the difference: phishing is a subset of spoofing, but spoofing is not phishing in and of itself.
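Both of the messages described above share two tells that a mail filter can check mechanically: a display name or subject that claims a well-known organization while the actual sender domain is unrelated, and a link whose visible text names one site while the href points somewhere else (in the BBB case, at an executable).  The following is an added example, not code from the original post; the brand-to-domain table and the sample message are constructed for illustration, and the domain comparison uses a deliberately crude "last two labels" rule rather than a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the BBB spoof described in the post.
# Domains are placeholders, not real infrastructure.
SAMPLE_MESSAGE = """\
From: "Better Business Bureau" <complaints@bbb-notice.example>
To: target@example.org
Subject: Complaint #12345 filed against your company
Content-Type: text/html

<html><body>
<p>Dear Jane Doe, a complaint has been filed against your business.</p>
<p><a href="http://download.example/complaint.exe">https://www.bbb.org/complaint/12345</a></p>
</body></html>
"""

# Assumed brand keywords and the domains those brands legitimately send from.
# A production filter would maintain a much larger, curated list.
BRAND_KEYWORDS = {"better business bureau": "bbb", "bbb": "bbb", "ebay": "ebay"}
BRAND_DOMAINS = {"bbb": {"bbb.org"}, "ebay": {"ebay.com"}}

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".zip")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the sample, not a public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_claimed(text):
    """Return the brand a piece of free text appears to claim, or None."""
    lowered = text.lower()
    for keyword, brand in BRAND_KEYWORDS.items():
        if re.search(r"\b" + re.escape(keyword) + r"\b", lowered):
            return brand
    return None


def check_sender(msg):
    """Flag a display name or subject claiming a brand while From is on an unrelated domain."""
    name, addr = parseaddr(msg.get("From", ""))
    brand = brand_claimed(name) or brand_claimed(msg.get("Subject", ""))
    if brand is None or "@" not in addr:
        return []
    sender_domain = registrable(addr.rsplit("@", 1)[1])
    if sender_domain not in BRAND_DOMAINS[brand]:
        return [f"sender claims '{brand}' but From domain is {sender_domain}"]
    return []


def check_links(html):
    """Flag anchors whose visible URL names one domain while the href goes elsewhere, and executable links."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        target_host = registrable(target.hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable(shown.group(1)) != target_host:
            findings.append(f"link text shows {registrable(shown.group(1))} but href goes to {target_host}")
        if target.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link points at a downloadable executable: {target.path}")
    return findings


def body_html(msg):
    """Return the text/html body of a parsed message (simple multipart handled too)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/html":
                return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        return ""
    return msg.get_payload()


def analyze(raw):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw)
    return check_sender(msg) + check_links(body_html(msg))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run against the sample, the checks report three findings: the display name claims the BBB while the From domain is not bbb.org, the link text shows bbb.org while the href resolves to a different domain, and that href ends in `.exe`.  None of these prove malice on their own (mail-service providers and link trackers produce legitimate mismatches), which is why such heuristics are normally scored rather than used as a hard block.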

Comments (1)

  1. Norman Diamond says:

    Here’s a third variety, also a subset of spoofing.

    After an auction completes on Yahoo, a con artist sends e-mail to the second-highest, third-highest, etc.  The con artist pretends to be the seller, tells those people that the winner refused to pay, and asks if the other bidders want to buy the product at the prices they bid.  Of course anyone who falls for it will think they’re sending money to the bank account of the seller but they’ll really be sending money to the bank account of the con artist.

    I reported this to Yahoo.  Theoretically Yahoo could sue the con artist if they can find the person.

    I reported this to the ISP which serves the con artist.  The spoof mail came from that ISP, the e-mail address is hosted by that ISP, and any replies from victims would go to that ISP.

    In my e-mail to the ISP’s administrators, the subject line was the e-mail address of the con artist, the contents written by me included the e-mail address of the con artist twice along with an explanation, and the quotation of the spoof mail included the e-mail address of the con artist.

    The ISP retorted that they couldn’t take any action because I didn’t give the e-mail address of a valid MSN/Hotmail account.

    Talk about bulletproof spoof hosting.
