What is spoofing?
Spoofing is a fraud technique in which criminals impersonate trusted platforms or communication channels.
The goal of spoofing is typically to:
Steal login credentials
Gain account access
Initiate unauthorized payments or trigger other fraudulent actions
Add users, cards, or devices to an account
How spoofed websites work
Fraudsters often create look-alike websites that aim to trick users into thinking they are genuine. They often differ from genuine website in small details, such as:
A misspelled domain name
A different, but real-sounding domain (e.g. “-secure”, “-login”)
Different top-level domains (.net, .co, .info instead of .com)
These sites are sometimes promoted through paid search ads, which can cause them to appear at the top of search results.
Once credentials are entered, attackers may immediately attempt further actions on the real platform.
Why you may receive unexpected SMS messages
After credentials are compromised, fraudsters often try to expand access. This can trigger SMS or security notifications related to:
New user creation
Card or payment method registration
If you receive such messages without initiating an action yourself , this is a strong indicator of attempted fraud and should be treated as a security incident.
A common scenario: clicking the wrong website
One of the most frequent spoofing attacks begins with a simple action: searching for a platform online. This may work as follows:
A user types the company name into a search engine and clicks on the first result without verifying the website address.
The page looks legitimate: branding, layout, and login flow closely resemble the real platform.
The user enters their credentials, unknowingly providing them to fraudsters.
Shortly after, attackers may attempt to access the real account and perform sensitive actions, such as adding a new user or registering a new card.
Other common spoofing scenarios
Spoofing can also occur through:
Email spoofing (phishing): Messages that appear to come from a trusted sender but contain malicious links
SMS spoofing: Text messages imitating banks or service providers
Caller ID spoofing: Phone calls that appear to come from legitimate support numbers
Website links in messages: Links that look official but lead to fraudulent pages
In all cases, the objective is the same: to create trust and urgency.
How to protect yourself: practical steps
You can significantly reduce the risk of spoofing by following these best practices:
1. Save the official website to your favorites
Always access the platform using a saved bookmark, rather than searching for it each time.
2. Use passkeys for logins
Passkeys replace passwords with device-based authentication (e.g. fingerprint or face recognition). They are resistant to spoofing and will only work on the legitimate website. This helps prevent credential theft through spoofed pages.
3. Check for a secure connection
A secure connection can be identified by the padlock icon in the address bar and the “https://” prefix in the URL.
NOTE: A secure connection does not guarantee legitimacy, but websites without one are a clear warning sign.
4. Carefully check the website URL
Before entering any login details:
Verify the spelling of the domain name
Watch for extra words, hyphens, or unusual endings
Ensure the address matches the official website exactly
5. Be cautious with search results and ads
Search engines may display sponsored links that look legitimate. Being listed first does NOT guarantee authenticity.
6. Do not click suspicious links
Avoid clicking links from:
Unexpected emails or SMS messages
Messages that create urgency or pressure
Communications asking you to bypass normal procedures
7. Treat unexpected security messages as a warning sign
If you receive an SMS or notification about an action you did not initiate:
Do not approve it
Log in using your trusted bookmark
Contact support immediately
8. Take your time
Fraud relies on urgency. Slowing down and double-checking details is often enough to prevent an attack.
In summary
Spoofing attacks are designed to look convincing, but they often rely on small moments of inattention. By using trusted access methods, carefully checking website addresses, and treating unexpected messages with caution, you can greatly reduce the risk of fraud.
When in doubt, pause, verify, and use official channels.

