The CEO Email That Cost a Company $47 Million
In 2015, Ubiquiti Networks disclosed that attackers impersonating company executives via spoofed emails tricked employees into wiring $46.7 million to overseas accounts. The emails looked legitimate. The sender addresses appeared correct. No malware was involved. The entire attack hinged on one technique: the spoof.
Spoofing isn't a niche trick reserved for nation-state hackers. It's the foundational deception behind the majority of social engineering attacks your organization faces every single day. According to the FBI's IC3 annual reports, business email compromise — which relies heavily on spoofing — has generated over $50 billion in reported losses globally since 2013.
This post breaks down exactly how spoof attacks work across email, IP, DNS, and caller ID. More importantly, I'll show you the specific defenses that actually stop them. If you're responsible for protecting people or data, this is the playbook you need.
What Is a Spoof Attack, Exactly?
A spoof attack is any technique where a threat actor disguises their identity or origin to appear as a trusted source. The goal is deception — making a system, a person, or a security tool believe that malicious communication is legitimate.
Spoofing can target:
- Email addresses — forging the "From" field to impersonate a colleague, vendor, or executive
- IP addresses — altering packet headers to hide the attacker's true network location
- DNS records — redirecting domain lookups to malicious servers
- Caller ID — making phone calls appear to come from a trusted number
- Websites — cloning legitimate login pages to harvest credentials
In every case, the attacker exploits a gap between what the victim sees and what's actually happening. That gap is where data breaches begin.
Email Spoofing: The Threat Actor's Favorite Weapon
I've investigated dozens of incidents where email spoofing was the initial attack vector. It remains the most common form of spoofing because email protocols were never designed with authentication in mind. SMTP, the protocol that sends email, doesn't verify that the sender is who they claim to be.
Here's what actually happens in an email spoof attack: the attacker sets the "From" header to display a trusted address — say, your CEO's email — while sending the message from a completely different server. Your employee sees the familiar name and address in their inbox and acts on it. Wire transfer requested. Credentials entered on a fake portal. Malware attachment opened.
Why SPF, DKIM, and DMARC Matter
The industry developed three protocols specifically to combat email spoofing:
- SPF (Sender Policy Framework) — specifies which mail servers are authorized to send email for your domain
- DKIM (DomainKeys Identified Mail) — attaches a cryptographic signature to outbound messages so recipients can verify the message wasn't altered
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — ties SPF and DKIM together and tells receiving servers what to do when authentication fails (quarantine or reject)
Here's the problem: according to research from multiple sources, a large percentage of organizations still haven't implemented DMARC with an enforcement policy. They've either set it to "none" (monitoring only) or haven't deployed it at all. That means their domains can be spoofed freely, and inbound spoof emails from other unprotected domains sail right through.
If your organization hasn't configured DMARC with a "reject" policy, you're leaving the front door unlocked. CISA has published detailed guidance on email authentication at BOD 18-01 — originally directed at federal agencies, but the technical recommendations apply to every organization.
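As an added example (not from the original post), here is how a receiver-style check reads the SPF and DMARC TXT records a domain publishes and reports whether they enforce anything; the record values and the domain names are constructed stand-ins for real DNS lookups.

```python
# Added example, not from the original post. SAMPLE_TXT stands in for what a DNS
# lookup of "<domain>" (SPF) and "_dmarc.<domain>" (DMARC) would return, so the
# check runs offline; the domains and records are constructed.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.mailprovider.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.net": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; adkim=s; aspf=s",
    "example.org": "v=spf1 +all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
}

def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def spf_posture(record):
    """Classify the SPF 'all' qualifier: -all hardfail, ~all softfail, anything else open."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    last = record.split()[-1].lower()
    if last == "-all":
        return "hardfail"
    if last == "~all":
        return "softfail"
    return "open"   # "+all", "?all", or no "all" term: anyone may send as this domain

def dmarc_posture(domain, txt=SAMPLE_TXT):
    """Classify the published DMARC policy: missing, monitor, partial or enforced."""
    record = txt.get(f"_dmarc.{domain}")
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"                  # reports only; spoofed mail is still delivered
    if int(tags.get("pct", "100")) < 100:
        return "partial"                  # policy applied to only a share of failing mail
    return "enforced"

def posture(domain, txt=SAMPLE_TXT):
    """Both postures at once, the way an auditor would summarise a domain."""
    return {"spf": spf_posture(txt.get(domain)), "dmarc": dmarc_posture(domain, txt)}
```

A real audit would also fall back to the organizational domain's `_dmarc` record when a subdomain has none; that step is omitted here.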
The Human Layer Email Authentication Can't Protect
Even with perfect SPF, DKIM, and DMARC, attackers adapt. They register lookalike domains — swapping a lowercase "l" for a "1," or using a different TLD. The email passes authentication because it's genuinely sent from the lookalike domain. Your employee sees "[email protected]" and doesn't notice the extra "n."
This is why security awareness training is not optional. Technical controls catch the known patterns. Trained humans catch the subtle ones. I recommend enrolling your team in cybersecurity awareness training that covers real-world spoofing scenarios, not just abstract theory.
IP Spoofing: Hiding in Plain Sight on the Network
IP spoofing manipulates the source address in network packets. The attacker forges the source IP so the traffic appears to come from a trusted host. This technique powers several dangerous attacks.
DDoS Amplification
In a distributed denial-of-service amplification attack, the threat actor sends requests to publicly accessible servers (DNS resolvers, NTP servers) with the source IP spoofed to the victim's address. The servers send their responses — often much larger than the request — to the victim, overwhelming their infrastructure. The attacker stays hidden because the traffic appears to originate from legitimate services.
Session Hijacking
IP spoofing also enables session hijacking, where attackers inject packets into an existing TCP session by predicting sequence numbers and forging the trusted host's IP. While harder to execute in modern environments, it's still a real threat on networks without proper segmentation.
Defending Against IP Spoofing
- Ingress filtering (BCP38/RFC 2827) — configure your network edge to drop packets with source addresses that shouldn't originate from your network
- Egress filtering — prevent your own network from being used to launch spoof-based attacks by blocking outbound packets with non-local source IPs
- Zero trust architecture — never trust traffic based solely on its source IP. Require authentication at every layer. NIST's Zero Trust Architecture (SP 800-207) lays this out in detail.
- Encrypted protocols — TLS and IPsec make it significantly harder for spoofed packets to inject themselves into legitimate sessions
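The ingress and egress decisions from the list above, as an added example that is not part of the original post; the prefixes, the bogon list and the sample packets are constructed, with INSIDE standing for whatever prefixes your network legitimately originates.

```python
# Added example, not from the original post: the source-address check a border router
# applies under BCP38/RFC 2827. INSIDE and BOGONS are constructed, illustrative lists.
import ipaddress

INSIDE = [ipaddress.ip_network("203.0.113.0/24")]
# Sources that should never arrive on the internet-facing interface (short, illustrative list).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]

def in_any(src, nets):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)

def verdict(direction, src):
    """Return ('accept'|'drop', reason) for a packet seen at the network border.

    ingress: arriving from the internet. A source inside our own prefixes cannot
             legitimately come from outside, and neither can a bogon, so both drop.
    egress:  leaving toward the internet. Only our own prefixes may appear as source,
             which stops our hosts from being used in reflection/amplification attacks.
    """
    inside = in_any(src, INSIDE)
    if direction == "ingress":
        if inside:
            return "drop", "spoofed internal source"
        if in_any(src, BOGONS):
            return "drop", "bogon source"
        return "accept", "external source"
    if direction == "egress":
        return ("accept", "own prefix") if inside else ("drop", "non-local source")
    raise ValueError(f"unknown direction {direction!r}")

# Constructed sample packets: (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),   # ordinary inbound traffic
    ("ingress", "203.0.113.9"),    # claims to be one of our own hosts
    ("ingress", "192.168.1.5"),    # RFC 1918 source on the WAN side
    ("egress", "203.0.113.40"),    # our host talking out
    ("egress", "198.51.100.7"),    # a compromised host forging a victim's address
]

def audit(packets=SAMPLE_PACKETS):
    """Attach a verdict to each packet; the drops are what the filters block and
    what a SOC would want to alert on."""
    return [(d, src) + verdict(d, src) for d, src in packets]
```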
DNS Spoofing: Redirecting Trust Itself
DNS spoofing — also called DNS cache poisoning — corrupts a DNS resolver's cache so that domain lookups return an attacker-controlled IP address. Your user types in "bank.com," their device queries the resolver, and the resolver returns an address that points to a credential theft site instead of the real bank.
The Kaminsky vulnerability, disclosed in 2008, exposed how fundamentally vulnerable DNS was to cache poisoning. While patches and DNSSEC adoption have improved the situation, DNS spoofing remains a viable attack, especially against organizations running outdated or misconfigured resolvers.
DNSSEC: The Fix That's Still Underdeployed
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that the response they received is authentic. If the signature doesn't match, the response is rejected. It's the definitive technical defense against DNS spoofing.
Yet adoption remains incomplete. If your organization manages its own DNS infrastructure, enabling DNSSEC validation on your resolvers should be a priority. If you use a third-party DNS provider, verify that they support and have enabled DNSSEC.
Caller ID Spoofing: The Voice Channel You Forgot About
Caller ID spoofing is the technique behind those "IRS" calls demanding immediate payment, the "bank fraud department" calls asking you to verify your account number, and the "IT helpdesk" calls requesting your multi-factor authentication code.
The FCC has taken action against caller ID spoofing under the Truth in Caller ID Act, but enforcement hasn't kept pace with the volume of attacks. STIR/SHAKEN — the framework for authenticating caller ID on VoIP and cellular networks — is rolling out across carriers, but coverage isn't universal yet.
For organizations, caller ID spoofing is a social engineering goldmine. An attacker calls your helpdesk, spoofing an executive's phone number, and requests a password reset. If your helpdesk staff verifies identity based solely on caller ID, you've just handed credentials to a threat actor.
What Actually Stops Caller ID Spoofing
- Never use caller ID as a single authentication factor for any sensitive action
- Implement callback verification procedures — hang up and call the person back at a known number
- Train your staff through phishing and social engineering awareness programs that include vishing (voice phishing) scenarios
- Require multi-factor authentication for all account changes, regardless of the request channel
Website Spoofing: The Credential Harvester
Website spoofing is the visual component of most phishing campaigns. The attacker clones a login page — Microsoft 365, Google Workspace, your banking portal — and hosts it on a domain that looks close enough to the real thing. Combined with a spoofed email containing a link, this creates a seamless credential theft pipeline.
Modern spoofed sites are nearly pixel-perfect. They even include valid TLS certificates, so users see the padlock icon and assume the site is safe. The padlock means the connection is encrypted — it says nothing about whether you're communicating with a legitimate server.
Defenses That Work Against Spoofed Websites
- Phishing simulation programs — regularly test your employees with realistic scenarios so they develop the habit of checking URLs carefully
- Password managers — they autofill credentials only on the exact matching domain, so they won't populate a spoofed login page
- Hardware security keys (FIDO2/WebAuthn) — these bind authentication to the legitimate domain cryptographically, making credential theft via spoofed sites virtually impossible
- DNS filtering — block known malicious domains at the resolver level before the user's browser ever connects
How Do You Detect a Spoof Attack?
This is the question I get asked most often, and the answer depends on the type of spoof. Here's a quick reference:
- Email spoof: Check the full email headers. Look at the "Return-Path," "Received" fields, and SPF/DKIM/DMARC authentication results. If the "From" address doesn't match the authenticated domain, it's a spoof.
- IP spoof: Monitor for traffic anomalies — packets with source addresses that don't match expected ranges, or asymmetric traffic patterns where you see responses but no corresponding requests.
- DNS spoof: DNSSEC validation failures, unexpected changes in DNS resolution results, or users reporting that familiar sites look different.
- Caller ID spoof: The caller pressures you to act immediately, requests sensitive information, or the scenario feels engineered to bypass normal procedures.
- Website spoof: The URL doesn't exactly match the legitimate domain. Even one character off is a red flag. The site may also have subtle rendering differences or unusual certificate details.
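The email checks in the quick reference above, together with the lookalike-domain case from the "Human Layer" section, as an added example that is not part of the original post; both messages are constructed, "example.com" stands in for your own domain, and the confusable-character list is a small assumed sample.

```python
# Added example, not from the original post. OUR_DOMAINS and CONFUSABLES are assumed
# values; both messages below are constructed, with headers as a receiving MTA adds them.
from email import message_from_string
from email.utils import parseaddr
import re

OUR_DOMAINS = {"example.com"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Constructed: a direct spoof of our domain that fails DMARC at our own MX.
DIRECT_SPOOF = """Return-Path: <bounce@mailer-203.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-203.example.net; dkim=none; dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Subject: Urgent wire transfer

Please process the attached wire today.
"""
# Constructed: a lookalike domain that passes authentication for itself.
LOOKALIKE = """Return-Path: <ceo@exarnple.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=pass header.d=exarnple.com; dmarc=pass header.from=exarnple.com
From: "CEO" <ceo@exarnple.com>
Subject: Urgent wire transfer

Please process the attached wire today.
"""

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def fold(domain):
    # Collapse common visual confusions so "exarnple.com" folds to "example.com".
    for a, b in CONFUSABLES:
        domain = domain.replace(a, b)
    return domain

def triage(raw):
    """Return a sorted list of findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    ar = msg.get("Authentication-Results", "")
    results = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar)}
    findings = set()
    if results.get("dmarc") != "pass":
        findings.add("dmarc-not-pass")
    if from_domain != rp_domain:
        findings.add("return-path-mismatch")   # normal for some bulk mailers, still worth a look
    if from_domain not in OUR_DOMAINS and fold(from_domain) in {fold(d) for d in OUR_DOMAINS}:
        findings.add("lookalike-of-our-domain")
    return sorted(findings)
```

The second message is the case authentication cannot catch on its own: every check passes for the lookalike domain, so only the domain comparison flags it.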
Building a Spoof-Resistant Organization
No single control stops spoofing. You need layers — technical controls, process controls, and trained people working together.
Technical Controls
- Deploy SPF, DKIM, and DMARC with enforcement (reject policy) on all organizational domains
- Enable DNSSEC on your resolvers
- Implement ingress and egress filtering on network boundaries
- Require multi-factor authentication everywhere — preferably hardware keys
- Use DNS filtering to block known malicious and newly registered domains
Process Controls
- Require out-of-band verification for any financial transaction or sensitive account change requested via email or phone
- Establish callback procedures that use pre-verified contact information, not the number or reply address provided in the request
- Document and enforce escalation paths for suspicious communications
People Controls
- Run regular phishing simulations that include spoofed emails, spoofed login pages, and vishing calls
- Train employees to inspect email headers, verify URLs, and question urgency
- Build a culture where reporting suspicious messages is rewarded, not punished
If you're starting from scratch or looking to strengthen your program, cybersecurity awareness training combined with a dedicated phishing simulation program gives you both the education and the practical testing your team needs.
Spoofing Isn't Going Away — Your Defenses Shouldn't Stand Still
Every major data breach investigation I've seen in the last decade traces back to some form of spoofing. The email that started the ransomware chain. The spoofed login page that captured domain admin credentials. The vishing call that bypassed the helpdesk.
Threat actors will keep spoofing because it works. The protocols underlying email, DNS, phone networks, and IP were built on trust. Attackers exploit that trust. Your job is to replace blind trust with verification at every layer — technical and human.
Start with the controls that give you the biggest impact: DMARC enforcement, multi-factor authentication with hardware keys, and consistent security awareness training. Then expand from there. The organizations that treat spoof defense as a continuous program — not a one-time project — are the ones that stay out of the headlines.