First of all, phishing and spoofing are similar forms of attack, but not the same. What is the difference between phishing and spoofing emails?
Phishing is a social engineering technique that attempts to acquire sensitive information such as passwords, credit card numbers, social security numbers, etc. A phishing email poses as a trustworthy person, so when you get it, it seems to come from someone you know. Phishing attacks can start with a spoofed email. An example of phishing is getting an email from "American Express" asking you to reset your password. The email may appear to come from a valid address, but if you look closely there may be misspelled words. Once you click the link, it takes you to a website that looks like American Express but is not; you enter your username and password, and the attackers gain access to your bank account.
Spoofing is impersonating someone or something else to trick you into doing something. An example is an email that appears to come from the CEO, sent to the CFO, asking to wire money immediately to a bank account. Spoofed emails look like they come from your own domain, example.com, but they are sent from a different server.
What to look for?
- Look for misspelled words or domain names
- Make sure the website you are entering sensitive information into is https:// not http://
- Hit “Reply” and check whether the Reply-To address is the same as the sender’s email address.
- The person supposedly requesting the information usually would not request it via email.
- The email comes from someone you don’t recognize.
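The checks above, turned into a small header and body review that an analyst script or mail gateway could run, as an added example that is not part of the original post. The sample message, the trusted domain example.com and the hypothetical look-alike domains are constructed; the look-alike test only undoes a few common character swaps.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): the display name names the trusted
# domain, the From address uses a look-alike domain, Reply-To points elsewhere,
# and the body links to a plain-http site.
SAMPLE_EMAIL = """\
From: "Jane Doe at example.com" <jane.doe@examp1e.com>
Reply-To: payments@mail-example.co
To: cfo@example.com
Subject: Urgent wire transfer

Please wire the funds today via http://examp1e.com/pay
"""

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own domain
# Common digit-for-letter swaps seen in look-alike domains
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def looks_alike(domain, trusted):
    """True if domain matches trusted once common letter swaps are undone."""
    return domain != trusted and domain.translate(HOMOGLYPHS).replace("rn", "m") == trusted


def check_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Apply the 'what to look for' checks to a raw message; return warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display name mentions the trusted domain, but the address is elsewhere
    if trusted_domain in from_name.lower() and from_domain != trusted_domain:
        warnings.append(f"display name claims {trusted_domain} but address is @{from_domain}")
    # Reply-To points somewhere other than the visible sender
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # Sender domain is a near-miss of the trusted domain (e.g. digit 1 for letter l)
    if looks_alike(from_domain, trusted_domain):
        warnings.append(f"sender domain {from_domain} looks like {trusted_domain}")
    # Links that use http:// rather than https://
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for word in body.split():
        if word.lower().startswith("http://"):
            warnings.append(f"plain-http link: {word}")
    return warnings
```

Running `check_message(SAMPLE_EMAIL)` returns four warnings, one per check; a message from the trusted domain with no Reply-To and only https links returns an empty list.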
How to prevent and avoid spoofing or phishing?
- Most importantly: train your users never to enter sensitive information into a website they reached from a link in an email.
- Block spoofing on your email server: most email servers have an option to block spoofed mail at the entry point.
- Install a good AV product on your devices; some products, such as Bitdefender, can warn you when you are visiting a phishing site.
- Never click on pop-ups asking you to download an update or free software.
- Safeguard against spam: improving your spam filter can catch a lot of these emails at the entry point.
In conclusion: there are multiple business training programs out there to train your users to look out for spoofed emails and phishing attacks. Most of the time, employees are the weakest link in your network security, so training your users is the best way to prevent phishing attacks.