The CEO Email That Wasn't From the CEO

In early 2025, a mid-sized logistics company wired $3.1 million to a bank account in Hong Kong. The CFO had received an email — apparently from the CEO — requesting an urgent wire transfer for a confidential acquisition. The email address looked right. The signature block was perfect. The tone matched previous messages. But it was a spoof. A threat actor had forged the sender address, impersonated the CEO, and walked away with seven figures before anyone noticed.

I've seen variations of this story dozens of times. A spoof attack is any technique where an attacker disguises their identity — faking an email address, IP address, phone number, or even an entire website — to trick people or systems into trusting them. It's one of the oldest plays in the social engineering playbook, and in 2026, it's more dangerous than ever because the tools to pull it off have never been easier to access.

This post breaks down exactly how spoof attacks work across email, DNS, caller ID, and web domains. More importantly, it gives you the specific, actionable steps to detect and stop them in your organization.

What Does It Mean to Spoof? A Quick Answer

To spoof means to forge or falsify identifying information — like an email header, IP address, phone number, or website domain — so that a communication appears to come from a trusted source when it actually comes from an attacker. The goal is to bypass both human judgment and technical security controls. Spoofing is almost always the first step in a larger attack: credential theft, ransomware deployment, wire fraud, or data breach.

Email Spoofing: Still the #1 Attack Vector

According to the Verizon 2025 Data Breach Investigations Report, phishing and pretexting — both heavily reliant on spoofing — remained the top initial access vectors for confirmed breaches. Email spoofing is the engine that powers the majority of these attacks.

Here's how it works: the Simple Mail Transfer Protocol (SMTP) doesn't natively verify sender addresses. An attacker can set the "From" field to anything they want — your CEO's address, your bank's support team, your HR department. Without proper authentication records, the receiving mail server has no reliable way to reject the message.

Why SPF, DKIM, and DMARC Still Aren't Everywhere

Three protocols exist specifically to combat email spoofing: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). Together, they verify that an email actually originated from an authorized server for that domain.

Yet adoption remains inconsistent. A 2024 analysis by Agari found that fewer than 30% of domains had a DMARC policy set to "reject" — the only setting that actually blocks spoofed messages. The rest were set to "none" (monitoring only) or "quarantine," which still leaves gaps. If your organization hasn't set DMARC to reject, you're essentially leaving the front door ajar for anyone who wants to spoof your domain.
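To make the "reject is the only setting that blocks" point concrete, here is an added Python example (not from the original post or from any vendor) that parses a DMARC TXT record and reports which gaps remain. The three records, their domain names and the `evaluate_dmarc()` / `audit()` function names are constructed for illustration; in practice you would fetch the TXT record published at `_dmarc.<your-domain>` and pass its text in.

```python
"""Added example (not from the original post): parse a DMARC TXT record and
report whether it actually blocks spoofed mail. The records below are
constructed samples; in practice you would fetch the TXT record published at
_dmarc.<your-domain> and pass its text to evaluate_dmarc()."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records, one per posture discussed above.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
}


@dataclass
class DmarcAssessment:
    policy: str             # p= tag: none, quarantine or reject
    subdomain_policy: str   # sp= tag; defaults to p= when absent
    pct: int                # share of failing mail the policy is applied to
    findings: List[str] = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """True only when failing mail is rejected for the domain and all subdomains."""
        return self.policy == "reject" and self.subdomain_policy == "reject" and self.pct == 100


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Assess one record; a missing record is the weakest posture of all."""
    if not record:
        missing = DmarcAssessment("none", "none", 0)
        missing.findings.append("no DMARC record: receivers have no policy to enforce")
        return missing
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp= falls back to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    result = DmarcAssessment(policy, subdomain_policy, pct)
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("missing or wrong v= tag: receivers will ignore the record")
    if policy != "reject":
        result.findings.append(f"p={policy}: mail that fails DMARC is not rejected")
    if subdomain_policy != "reject":
        result.findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if pct < 100:
        result.findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        result.findings.append("no rua= address: you receive no aggregate reports")
    return result


def audit(records=SAMPLE_RECORDS):
    """Map each domain to (blocks_spoofing, findings) for a quick posture overview."""
    return {domain: (a.blocks_spoofing, a.findings)
            for domain, a in ((d, evaluate_dmarc(r)) for d, r in records.items())}
```

The `sp=` and `pct=` checks matter as much as `p=`: a record with `p=reject` but `sp=none` still lets anyone spoof `invoices.yourcompany.com`, and `pct=25` means three out of four forged messages are treated as if the policy were one level weaker. Run the same check over parked and inactive domains, which should carry `p=reject` too.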

What a Spoofed Email Actually Looks Like

The sophistication varies. Low-effort spoof attempts use lookalike domains — swapping an "l" for a "1" or using a subdomain like ceo.yourcompany.net. High-effort attacks forge the actual "From" header so the displayed sender address is indistinguishable from the real one.

I tell teams to check the full email headers. Look at the "Return-Path" and "Received" fields. If the return path doesn't match the displayed sender domain, or the received chain includes unfamiliar servers, you're looking at a spoof. Most email clients bury this information, which is exactly why attackers rely on it.
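The header check described above, as an added Python example (not from the original post): it pulls the From and Return-Path domains out of a raw message, walks the Received chain, and flags a message whose visible sender is your domain while the bounce address or the originating hop is not. The two messages, the hostnames, the IP addresses and the `analyze_headers()` function are constructed. One caveat a practitioner should keep in mind: mailing lists and third-party senders legitimately use their own Return-Path, and any Received line added before the message reached your own server can be fabricated, so treat these as signals to investigate rather than proof on their own.

```python
"""Added example (not from the original post): inspect raw message headers
for a Return-Path domain that differs from the visible From domain and for
Received hops that are not your own infrastructure. The messages, hostnames
and addresses below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the receiving organization's domain and the hosts it operates.
OUR_DOMAIN = "example.com"
KNOWN_HOSTS = {"mx.example.com", "inbound.example.com"}

# Constructed spoof: display name and From address look internal, but the
# bounce address and the first hop belong to someone else.
RAW_SPOOF = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.com (mx.example.com [198.51.100.10]) by inbound.example.com with ESMTPS; Mon, 3 Feb 2025 09:14:02 +0000
Received: from smtp.example.net (203.0.113.77) by mx.example.com with SMTP; Mon, 3 Feb 2025 09:14:00 +0000
From: "Jane Doe, CEO" <jane.doe@example.com>
To: cfo@example.com
Subject: Urgent wire - confidential

Please process the wire today and keep this between us.
"""

# Constructed legitimate internal message for comparison.
RAW_OK = """\
Return-Path: <jane.doe@example.com>
Received: from mx.example.com (mx.example.com [198.51.100.10]) by inbound.example.com with ESMTPS; Mon, 3 Feb 2025 10:02:11 +0000
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Draft attached.
"""

# The host named right after "from" in a Received header.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain of the address in a From or Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw, our_domain=OUR_DOMAIN, known_hosts=KNOWN_HOSTS):
    """Return a report dict; 'suspicious' is True when the visible sender is
    our domain but the bounce path or the delivery chain says otherwise."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    # Each hop prepends its own Received line, so get_all() lists the newest first.
    hops = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(received)
        if m:
            hops.append(m.group(1).lower())
    unfamiliar = [h for h in hops if h not in known_hosts]
    claims_to_be_us = from_domain == our_domain
    report = {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_mismatch": claims_to_be_us and return_path_domain != our_domain,
        "hops": hops,
        "unfamiliar_hops": unfamiliar,
    }
    report["suspicious"] = report["return_path_mismatch"] or (claims_to_be_us and bool(unfamiliar))
    return report
```

The only Received line you can fully trust is the one your own server added (the first one in the list); everything beneath it was supplied by whoever handed the message over. That is also why the Authentication-Results header your gateway stamps on the message, which records the SPF/DKIM/DMARC outcome, is the first thing to read when it is present.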

DNS Spoofing: Poisoning the Internet's Phonebook

DNS spoofing — also called DNS cache poisoning — targets the system that translates domain names into IP addresses. An attacker corrupts the DNS resolver's cache so that when a user types in a legitimate URL, they're silently redirected to a malicious server.

This is particularly dangerous because the victim's browser still shows the expected domain name. The URL bar looks correct. The user has no visual cue that something is wrong. From there, the attacker harvests login credentials, delivers malware, or intercepts sensitive data in transit.

The Real-World Impact of DNS Manipulation

In 2019, the "Sea Turtle" DNS hijacking campaign — documented extensively by Cisco Talos — compromised national-level DNS infrastructure in multiple countries to redirect traffic from government agencies and energy companies. The attackers used the intercepted credentials for espionage operations. CISA issued Emergency Directive 19-01 specifically in response, ordering all federal agencies to audit their DNS records.

Your defense: DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that a validating resolver can detect, and discard, forged or altered answers. If your organization hasn't implemented DNSSEC, you're trusting that every resolver between your users and your servers is operating honestly. That's a dangerous assumption.

Caller ID Spoofing: The Phone Isn't Safe Either

Caller ID spoofing costs Americans billions annually. The FBI's Internet Crime Complaint Center (IC3) consistently reports phone-based social engineering among the top reported fraud types. Attackers use VoIP services to display any phone number they choose on the recipient's caller ID — your bank, the IRS, your company's IT help desk.

I've investigated incidents where an attacker called an employee, spoofing the company's IT support number, and convinced them to read back their multi-factor authentication code. The employee saw the familiar number, assumed it was legitimate, and handed over the keys. That single call led to a compromised email account, which led to a data breach affecting thousands of customer records.

STIR/SHAKEN Isn't a Silver Bullet

The STIR/SHAKEN framework — mandated by the FCC for major U.S. carriers — digitally signs calls to verify the calling number hasn't been spoofed. It's a step forward. But it only works when both the originating and terminating carriers support it, and VoIP calls originating overseas often bypass the framework entirely.

Your best defense against caller ID spoofing is procedural: never authenticate anyone based solely on a phone number. Establish callback verification procedures. If someone calls claiming to be IT support, hang up and call the known support number independently.

Website Spoofing: The Pixel-Perfect Trap

A spoofed website is a clone of a legitimate site — same logos, same layout, same login form — hosted on a lookalike domain. Threat actors register domains like "micrrosoft-login.com" or "paypa1-secure.net," replicate the target site, and drive traffic through phishing emails, malicious ads, or search engine poisoning.

The objective is almost always credential theft. The user enters their username and password, which goes straight to the attacker. In many cases, the spoofed site then redirects the victim to the real login page, so they think they just mistyped their password. They never realize their credentials were stolen.

How to Spot a Spoofed Website

  • Check the domain carefully. Character substitutions (rn looks like m, 0 looks like O) are the most common trick.
  • Look for HTTPS — but don't trust it blindly. Attackers can and do obtain TLS certificates for spoofed domains. The padlock icon means the connection is encrypted, not that the site is legitimate.
  • Hover before clicking. In any email, hover over the link to see the actual destination URL before clicking.
  • Use a password manager. Password managers match credentials to specific domains. If the domain doesn't match, the manager won't autofill. This is one of the most underrated defenses against website spoofing.

IP Spoofing: Hiding in Plain Sight on the Network

IP spoofing involves forging the source IP address in a packet header so the traffic appears to come from a trusted host. It's commonly used in DDoS attacks — the attacker sends millions of requests with spoofed source IPs, making it nearly impossible to filter malicious traffic from legitimate traffic.

It also enables man-in-the-middle attacks on local networks. An attacker on the same subnet can spoof ARP responses to position themselves between two communicating hosts, intercepting everything in transit. This is why zero trust architecture — which verifies every request regardless of network location — has become essential. Never assume that traffic originating inside your network is automatically trustworthy.

The $4.88M Lesson: Why Spoof Detection Needs Human and Technical Layers

IBM's 2024 Cost of a Data Breach Report put the global average breach cost at $4.88 million. The majority of those breaches began with a human clicking, trusting, or complying with something spoofed. Technical controls alone don't solve this. You need both layers.

Technical Controls You Should Have in Place Now

  • DMARC at "reject" for all domains you own — including parked and inactive domains.
  • DNSSEC enabled for your authoritative DNS zones.
  • Multi-factor authentication on every account. MFA doesn't stop spoofing, but it limits the damage when credentials are stolen via spoofed sites.
  • Email gateway filtering with header analysis to flag messages where the display name matches an internal executive but the domain doesn't.
  • Network-level ingress/egress filtering per CISA's recommended practices to drop packets with spoofed source IPs at the perimeter.
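The last bullet above, ingress/egress filtering of spoofed source addresses, comes down to two membership checks at the perimeter. Here is an added Python example (not from the original post) that models the BCP 38 style rules an edge router applies: outbound packets may only carry your own prefix as source, and inbound packets may claim neither your prefix nor a bogon (private, loopback, link-local) address. The prefix, the packet batch and the `ingress_verdict()` / `egress_verdict()` names are constructed; a real deployment expresses the same rules as ACLs or unicast reverse-path forwarding on the perimeter devices.

```python
"""Added example (not from the original post): the source-address checks a
perimeter device applies under BCP 38 style ingress/egress filtering.
The prefix, packets and addresses are constructed."""
import ipaddress

# Constructed: the public prefix this organization announces to the Internet.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that are never valid on the public Internet: "this" network, private
# ranges, shared address space, loopback, link-local and multicast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def egress_verdict(src):
    """Outbound: only our own addresses may leave. A compromised host inside
    then cannot emit spoofed-source traffic that would land on someone else."""
    ip = ipaddress.ip_address(src)
    return "pass" if _in_any(ip, OUR_PREFIXES) else "drop: source is not one of our prefixes"


def ingress_verdict(src):
    """Inbound: a packet from the Internet must not claim our own address
    (the classic way past 'trusted host' rules) or a bogon source."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, OUR_PREFIXES):
        return "drop: external packet claims an internal source"
    if _in_any(ip, BOGONS):
        return "drop: bogon source address"
    return "pass"


# Constructed packet batch as (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),   # ordinary Internet host
    ("ingress", "203.0.113.5"),    # spoofed: pretends to be us
    ("ingress", "192.168.1.10"),   # spoofed: private address arriving from outside
    ("egress", "203.0.113.5"),     # our own host, fine
    ("egress", "198.51.100.7"),    # spoofed: inside host using a foreign source
]


def filter_batch(packets=SAMPLE_PACKETS):
    """Apply the direction-appropriate check; return (passed, dropped) lists of
    (direction, source, verdict) tuples."""
    passed, dropped = [], []
    for direction, src in packets:
        verdict = ingress_verdict(src) if direction == "ingress" else egress_verdict(src)
        (passed if verdict == "pass" else dropped).append((direction, src, verdict))
    return passed, dropped
```

Note what this does not cover: ARP spoofing on a local subnet never crosses the perimeter, so it needs switch-level controls such as dynamic ARP inspection and the zero trust stance described earlier rather than edge filtering.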

Human Controls That Actually Work

Technical controls catch the known patterns. Humans catch the novel ones — if they're trained. But not the annual checkbox compliance training that everyone sleeps through. I'm talking about continuous, scenario-based security awareness training that puts employees in realistic situations.

Phishing simulations are the single most effective way to build spoof recognition instincts. When an employee experiences a simulated spoof attack, gets caught, and receives immediate coaching, retention skyrockets compared to passive training. Our phishing awareness training for organizations is built exactly this way — realistic scenarios, immediate feedback, measurable improvement.

For a broader foundation in threat recognition — covering social engineering, ransomware, credential theft, and more — our cybersecurity awareness training program gives your team the knowledge to identify and report spoof attempts before they become incidents.

Building a Spoof-Resistant Culture in 2026

The organizations I've seen handle spoofing best don't just deploy tools — they build a culture where questioning is expected. The CFO who calls back to verify a wire transfer request isn't being paranoid; they're being professional. The help desk tech who refuses to reset a password based on a phone call from a spoofed number isn't being difficult; they're following protocol.

Here's what that looks like in practice:

  • Out-of-band verification for all financial transactions. If you get an email requesting a wire transfer or payment change, verify by phone using a known number — not the one in the email.
  • Executive impersonation alerts. Configure your email gateway to flag external messages where the display name matches a C-suite executive.
  • Mandatory reporting without blame. Employees who report suspected spoof attempts — even false positives — should be recognized, not reprimanded. Every unreported suspicious email is a missed early warning.
  • Regular tabletop exercises. Walk your finance, HR, and IT teams through realistic spoof scenarios quarterly. Make it specific to your industry and your organization's actual communication patterns.
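The executive impersonation alert from the second bullet above (also listed under the technical controls earlier) is a simple rule once the display name is normalised. The following is an added Python example, not from the original post: it folds case, accents, titles, punctuation and word order so that "Jane Doe, CEO", "Doe, Jane" and "jané doe" compare equal, then flags external mail that uses such a name while the address is not yours. The executive list, the internal domain, the allow-list and the `check_from_header()` / `scan()` functions are constructed.

```python
"""Added example (not from the original post): a gateway-style rule for the
executive-impersonation alert described above. It flags external mail whose
display name matches a protected executive while the address is not one of
yours. Executives, domains and messages are constructed."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed organization data.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "Robert Chen": "robert.chen@example.com"}
# Constructed: external addresses allowed to use these names (a verified personal mailbox).
ALLOWLIST = {"jane.doe@personal.example.org"}
TITLES = {"ceo", "cfo", "coo", "cto", "ciso", "dr", "mr", "ms", "mrs"}


def canonical_name(name):
    """Fold case, accents, punctuation, titles and token order so
    'Doe, Jane', 'Jane Doe, CEO' and 'jané doe' all compare equal."""
    nfkd = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in nfkd if not unicodedata.combining(c)).lower()
    tokens = [t for t in re.findall(r"[a-z]+", plain) if t not in TITLES]
    return " ".join(sorted(tokens))


EXEC_INDEX = {canonical_name(n): addr for n, addr in EXECUTIVES.items()}


def check_from_header(from_header):
    """Return a verdict dict for the From: header of one inbound external message."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    verdict = {"display": display, "address": addr, "flag": False, "reason": ""}
    if domain in INTERNAL_DOMAINS or addr in ALLOWLIST:
        # Mail claiming our own domain is SPF/DKIM/DMARC's job, not this rule's.
        return verdict
    key = canonical_name(display)
    if key and key in EXEC_INDEX:
        verdict["flag"] = True
        verdict["reason"] = f"display name matches {EXEC_INDEX[key]} but sender is external ({domain})"
    return verdict


# Constructed inbound From: headers.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe, CEO" <jane.doe.office@example.net>',   # impersonation with a title
    '"Doe, Jane" <j.doe@webmail.example.org>',          # impersonation, reordered name
    '"Jane Doe" <jane.doe@example.com>',                # internal address, left to DMARC
    '"Jane Doe" <jane.doe@personal.example.org>',       # allow-listed external mailbox
    '"Pat Smith" <pat.smith@vendor.example.org>',       # ordinary external contact
]


def scan(headers=SAMPLE_FROM_HEADERS):
    """Return only the flagged verdicts for a batch of From: headers."""
    return [v for v in map(check_from_header, headers) if v["flag"]]
```

Expect some false positives from executives who genuinely write from personal accounts; route those through the allow-list rather than loosening the rule, and extend the same comparison to the Reply-To header, which is where the attacker's real mailbox usually sits.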

Spoofing Isn't Going Away — Your Response Has to Evolve

Attackers spoof because it works. The technology to forge identities is cheap and accessible. AI-generated voice cloning now allows attackers to spoof not just a phone number but the actual voice of a known executive. Deepfake video calls have been used in at least one documented $25 million fraud case in Hong Kong in early 2024.

The fundamental principle hasn't changed: never trust identity claims at face value. Verify through independent channels. Layer your technical controls. Train your people relentlessly. And assume that every communication channel — email, phone, web, even video — can be spoofed.

Your organization's resilience depends on treating spoof detection as a continuous discipline, not a one-time project. Start with the technical baseline: SPF, DKIM, DMARC, DNSSEC, MFA. Then invest in the human layer through ongoing training and realistic simulations. The threat actors aren't slowing down. Neither should you.