Phishing vs Spoofing

One of the things I've noticed amongst the public is the confusion between the terms phishing and spoofing.  The two are not synonymous.  Phishing attacks generally use spoofing as a strategy, but spoofing attacks are not necessarily phishing.

Spoofing is impersonating someone else in order to trick your target into doing something that they might not ordinarily do.  An example is a very clever BBB spoof I saw this morning.  In the message, the spoofer claims to be from the BBB and says that the target (with full name and email details inserted into the message) has a complaint made against them.  The target is told to click on the link in the message in order to find out more details about the complaint.  Of course, the link really points to an executable or a page with malware in it.  The message contains the BBB logo and looks legitimate, with all the standard disclaimers.

By contrast, a phishing attack is an attack wherein the sender tries to trick the target into giving up sensitive information, resulting in financial gain for the sender.  An example is a message where a spammer impersonates eBay and tries to trick the end user into giving up account details, financial data or the password to their account.

Note the difference: phishers need to spoof a trustworthy organization in order to harvest information (since the odds of giving out that information to a stranger are much lower than giving it out to someone you think you can trust), but spoofers are not necessarily trying to acquire financial information.  Spoofers may just be trying to get you to download malicious software.

Now we know the difference: phishing is a subset of spoofing, but it is not the same thing as spoofing in and of itself.