Display Name Spoofing
Setting a trusted person's name as the email display name while using an attacker-controlled From: address. The display name field is free text with no authentication β any name can be set regardless of the actual sending address. Most email clients display the name prominently and hide the real address. Not stopped by DMARC, since the sending domain is entirely different from the legitimate organization's domain. Defense: always verify the actual email address domain.
Exact Domain Spoofing
Registering or forging an identical domain to send email appearing to come from a legitimate organization's exact domain (e.g., sending as ceo@company.com from an unauthorized server). Exploits missing or non-enforcing DMARC configurations. SPF and DKIM will fail, but without DMARC at quarantine or reject policy, emails are still delivered. Defeated by DMARC policy=reject combined with valid SPF and DKIM records.
Cousin Domain (Lookalike Domain)
A domain that appears visually similar to a legitimate domain β such as pharma-corp-billing.com vs pharma-corp.com β registered by an attacker for impersonation. Techniques include adding hyphens or keywords (pharma-corp-ap.com), double characters (pharma--corp.com), number substitutions (c0mpany.com), or using Unicode homoglyphs. DMARC on the real domain provides zero protection. Defense: register common typo/variant domains proactively and monitor for new registrations containing the company name.
IDN Homograph Attack
Using Unicode characters that visually resemble ASCII characters to create deceptive domain names. For example, substituting the Cyrillic letter "Π°" (U+0430) for the Latin "a" (U+0061) β they are visually identical in most fonts but are technically different characters and resolve to different domains. Used to create convincing lookalike domains in email attacks and phishing sites. Browsers display punycode warnings in some configurations; most email clients do not. Defense: IDNA-aware domain monitoring and user education.
ARP Spoofing
Sending forged ARP (Address Resolution Protocol) replies to associate the attacker's MAC address with a legitimate IP address on the local network β typically the default gateway. All hosts that accept the forged ARP redirect their outbound traffic through the attacker's machine, enabling man-in-the-middle interception, traffic modification, or denial of service. ARP has no authentication. Operates only within the same Layer 2 broadcast domain β cannot be performed remotely across the internet. Defense: Dynamic ARP Inspection (DAI) on managed switches.
IP Spoofing
Forging the source IP address in network packet headers to impersonate another host. Cannot support two-way communication because responses are sent to the spoofed IP, not the attacker. Used primarily in DDoS amplification and reflection attacks (attacker spoofs victim's IP as source; DNS/NTP reflection servers flood the victim with large responses), one-way flooding, and attacker origin obfuscation. Defense: BCP38 ingress filtering at network edges β drop packets claiming internal source IPs arriving from external interfaces.
DNS Spoofing (DNS Cache Poisoning)
Injecting false DNS records into a resolver's cache so that domain name lookups return attacker-controlled IP addresses. All users of the poisoned resolver are redirected even when they type correct URLs. The Kaminsky attack (2008) demonstrated reliable cache poisoning via transaction ID and port prediction. Defense: DNSSEC (cryptographic signing of DNS records allowing resolvers to verify authenticity of responses) and source port randomization in resolvers.
Caller ID Spoofing
Falsifying the originating phone number displayed to call recipients. Trivially accomplished using VoIP infrastructure β the SIP From: header can be set to any number. Used in vishing attacks to impersonate banks, government agencies, IT helpdesks, executives, or internal extensions. Defense: callback verification policy β never trust caller ID; always hang up and call back using a number independently sourced from official records, not from the call or any number the caller provides.
STIR/SHAKEN
Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs. An FCC-mandated framework requiring US telephone carriers to digitally sign and verify caller ID information. Carriers assign attestation levels: A (Full β carrier verified subscriber owns that number), B (Partial β carrier knows customer but not the specific number), C (Gateway β call entered the network at a known point, no subscriber verification). Reduces domestic robocall spoofing but does not prevent spoofing by overseas or non-participating SIP providers.
Deepfake
AI-generated synthetic media β audio, video, or both β that realistically impersonates a real person. Voice deepfakes can be trained from as little as 3β5 seconds of audio using commercially available tools; public figures provide abundant training material from interviews, earnings calls, and conference appearances. Used in executive impersonation fraud, BEC wire transfer scams, and disinformation campaigns. First documented financial fraud case: 2019 UK energy CEO voice deepfake (β¬220K). Defense: out-of-band verification protocols, pre-agreed codewords, process controls independent of voice/face recognition.
Account Takeover (ATO)
Gaining unauthorized access to a legitimate user's account through credential theft, enabling technically perfect impersonation of that user. Once achieved, all emails pass SPF/DKIM/DMARC, the sender name and address are correct, and conversation history is accessible. There is no technical artifact of impersonation. Methods include credential stuffing, password spraying, SIM swapping, and credential phishing. Only process controls (verify unusual requests independently) and behavioral analytics detect ATO after the fact.
Credential Stuffing
Using automated tools to test username/password pairs harvested from prior data breaches against other services, exploiting the fact that many users reuse passwords across sites. The attacker uses the exact same credential pair (username + its known password from a breach) β not guessing. Scalable, requires no technical skill, and is enabled by the massive availability of breached credential databases. Defense: unique passwords per service (password manager), MFA on all accounts, breach monitoring, login rate limiting and anomaly detection.
Password Spraying
Trying a single common password (e.g., "Spring2024!", "Welcome1!") against many accounts, then moving to the next password β deliberately staying under per-account lockout thresholds. "Slow and broad" versus brute force's "fast and narrow." Evades lockout policies by never exceeding the per-account attempt threshold. Effective against organizations with weak password policies and no MFA. Defense: strong password requirements preventing predictable patterns, MFA, monitoring for distributed low-frequency login failures across many different accounts.
SIM Swapping
Social engineering a mobile carrier into transferring a victim's phone number to an attacker-controlled SIM card. Once complete, the attacker receives all SMS messages sent to that number β including SMS MFA codes and password reset links β for every account tied to that phone number. Simultaneously bypasses SMS-based MFA and enables cascading password resets. The victim's phone loses service; they may not immediately realize an attack is in progress. Defense: authenticator app TOTP (generated locally, unaffected by SIM swap); carrier port freeze; FIDO2 hardware tokens.
Badge Cloning
Copying RFID/NFC credentials from a proximity card to a blank programmable card for unauthorized physical access. Standard 125 kHz HID proximity cards broadcast a static ID number with no encryption β any RFID reader within ~30cm can silently capture and copy the credential without the owner's knowledge. Tools include Proxmark3 and Flipper Zero, available commercially for under $50. The clone opens the same doors as the original; both cards remain functional. Defense: upgrade to AES-encrypted challenge-response credentials (MIFARE DESFire EV3, HID SEOS); RFID-shielded badge holders; anti-passback rules.
Dynamic ARP Inspection (DAI)
A switch security feature that validates ARP packets against a trusted DHCP snooping binding table before forwarding them to other hosts. The DHCP snooping binding table records legitimate IP-to-MAC address mappings observed from actual DHCP transactions. ARP replies claiming IP-to-MAC mappings not present in the trusted table are dropped at the switch port before they can poison other hosts' ARP caches. Requires DHCP snooping to be enabled first to build the trusted database. Deployed on untrusted access ports facing workstations; uplink/trunk ports are typically marked trusted and exempt from DAI validation.