A spoofing attack is a fraud technique that can take many forms, but all involve impersonation. Email spoofing forges a sender's address to make it look like a message is from a trusted source. Caller ID spoofing is used to show a legitimate number on a phone's display, rather than the number from which the call really originates. Website spoofing, often used as part of a phishing scam, creates a copy of a legitimate site to harvest user credentials. Biometric spoofing attempts to fool a facial recognition or fingerprint matching algorithm using photos, masks, or prosthetics. Email, caller ID, and website spoofing are all key tools in social engineering attacks, while biometric spoofing is more commonly used to bypass systems used by banks and fintechs, particularly for account onboarding.
Use cases/examples for spoofing attacks
Liveness detection: Implementing active and passive liveness detection during biometric verification to ensure that selfies or videos submitted as part of the verification process are live and captured in real time rather than being photos, masks, or deepfakes.
Presentation attack detection: Analyzing biometric samples for indicators of spoofing attempts, including screen reflections, paper texture, mask edges, or other inconsistencies that can help to distinguish live users from fraudulent presentations.
Communication verification: Establishing protocols that verify the authenticity of communications purporting to come from trusted sources, including callback procedures and multi-channel confirmation for sensitive requests (e.g., displaying a notification in-app that lets the user know whether a financial institution is, or is not, on the phone with them currently).
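The in-app "is the institution on the phone with me?" check described under communication verification can be sketched as follows. This is an added example, not code from the original page or from any vendor. The names `CallRegistry`, `signed_status` and `app_verify`, the shared HMAC key, and the time limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a key shared between backend and app at enrolment (constructed demo value).
SERVER_KEY = b"constructed-demo-key"

class CallRegistry:
    """Backend side: the institution's telephony system records calls it places."""
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.active = {}  # customer_id -> time the outbound call started

    def start_call(self, customer_id, now):
        self.active[customer_id] = now

    def end_call(self, customer_id):
        self.active.pop(customer_id, None)

    def signed_status(self, customer_id, nonce, now):
        """Answer the app's query; the nonce binds the answer to this one request."""
        started = self.active.get(customer_id)
        on_call = started is not None and now - started <= self.ttl
        body = {"customer": customer_id, "on_call": on_call, "nonce": nonce, "ts": now}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
        return payload, tag

def app_verify(payload, tag, customer_id, expected_nonce, now, max_age=30):
    """App side: True only for an authentic, fresh 'we are on the phone with you'."""
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or altered response
    body = json.loads(payload)
    if body["nonce"] != expected_nonce or abs(now - body["ts"]) > max_age:
        return False  # replayed or stale response
    return body["customer"] == customer_id and body["on_call"] is True

if __name__ == "__main__":
    reg = CallRegistry()
    reg.start_call("cust-1", now=1000)  # constructed sample data
    payload, tag = reg.signed_status("cust-1", "nonce-a", now=1010)
    print("genuine call confirmed:", app_verify(payload, tag, "cust-1", "nonce-a", now=1012))
    payload, tag = reg.signed_status("cust-2", "nonce-b", now=1010)
    print("unregistered caller confirmed:", app_verify(payload, tag, "cust-2", "nonce-b", now=1011))
```

The app shows "on the phone with you" only when `app_verify` returns True; a caller whose call was never registered by the backend produces a "not on the phone" banner regardless of the number shown on the display.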