The CEO Who Wired $47 Million to a Criminal

In 2016, Austrian aerospace manufacturer FACC lost €42 million (roughly $47 million) after threat actors spoofed the CEO's email and instructed a finance employee to wire funds for a fake acquisition. The employee believed the request was legitimate. The money vanished across international accounts within hours. The CEO was fired. The CFO was fired. The company's stock plummeted.

That's what spoofing does. It doesn't break through firewalls. It impersonates someone you trust and walks right through the front door.

If you manage an organization of any size, spoofing is one of the most dangerous attack vectors your employees face in 2026. This post breaks down exactly how spoofing works, the forms it takes, why it keeps succeeding, and what you can do about it starting today.

What Is Spoofing in Cybersecurity?

Spoofing is the act of disguising a communication or identity to appear as a trusted source. A threat actor forges the "from" field in an email, clones a website URL, manipulates caller ID, or falsifies an IP address — all to trick a victim into taking an action they wouldn't otherwise take.

The goal varies: credential theft, wire fraud, malware delivery, or simply gaining a foothold inside your network. But the mechanism is always the same — exploiting trust through impersonation.

Spoofing vs. Phishing: What's the Difference?

People often confuse these terms. Here's the short version: phishing is the attack strategy. Spoofing is the disguise. A phishing email that appears to come from your bank uses email spoofing as a technique. Not all spoofing involves phishing, and not all phishing involves spoofing — but they're deeply intertwined.

The Six Types of Spoofing You Need to Know

1. Email Spoofing

This is the most common form. Attackers forge the "From" header so a message appears to come from a colleague, vendor, or executive. SMTP, the protocol that sends email, has no built-in sender authentication: any mail server can put any address in the "From" field. Without proper defenses like SPF, DKIM, and DMARC, your domain is trivially easy to impersonate.

The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise — which relies heavily on email spoofing — caused $2.9 billion in losses in 2023 alone. You can review the full data at the FBI IC3 2023 Internet Crime Report.

2. Caller ID Spoofing

Threat actors manipulate the phone number displayed on your caller ID. Your employee sees a call from the IT help desk's internal number — except it's actually coming from a VoIP line in another country. This technique powers vishing (voice phishing) attacks, which surged during the shift to remote work.

3. Website (URL) Spoofing

Attackers clone a legitimate login page — your bank, your company's VPN portal, Microsoft 365 — and host it at a nearly identical URL. Think "micros0ft-login.com" instead of "microsoft.com." Victims enter their credentials, and those credentials go straight to the attacker.
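A defender can catch many of these lookalikes before a user ever sees them, for instance by screening sender domains in inbound mail or newly registered domains against the domains you own. The following is an added example, not code from the original post; it assumes a hypothetical protected list such as {"microsoft.com"} and flags a candidate hostname when its second-level label, after collapsing common homoglyphs (0 for o, 1 for l, rn for m, and so on), equals, contains, or sits within two edits of a protected brand, or when the brand is used as a subdomain of another domain.

```python
"""Flag lookalike domains that imitate domains you own (added example, not from the post)."""
from __future__ import annotations

# Common visual substitutions seen in lookalike domains; digraphs are replaced first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Collapse homoglyphs and separators so 'micr0s0ft-login' becomes 'microsoftlogin'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, which catches transpositions and dropped letters (mircosoft, microsft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(host: str, protected: set[str]) -> tuple[str, str] | None:
    """Return (imitated_domain, reason) if host looks like one of `protected`, else None.

    `protected` holds registrable domains you own or trust, e.g. {"microsoft.com"}
    (hypothetical allowlist supplied by the caller).
    """
    host = host.lower().rstrip(".")
    if host in protected or any(host.endswith("." + p) for p in protected):
        return None  # the genuine domain or a genuine subdomain of it
    labels = host.split(".")
    sld = normalize_label(labels[-2]) if len(labels) >= 2 else normalize_label(host)
    for domain in sorted(protected):
        brand = normalize_label(domain.split(".")[0])
        if sld == brand:
            return (domain, "normalizes-to-brand")       # rnicrosoft.com, microsoft.net
        if brand in sld:
            return (domain, "contains-brand")            # micros0ft-login.com
        dist = levenshtein(sld, brand)
        if dist <= 2 and len(brand) > 4:
            return (domain, f"edit-distance-{dist}")    # mircosoft.com, microsft.com
        if brand in (normalize_label(l) for l in labels[:-2]):
            return (domain, "brand-in-subdomain")        # microsoft.com.login-portal.test
    return None


if __name__ == "__main__":
    # Constructed candidates, including the post's "micros0ft-login.com" example.
    for candidate in ["micros0ft-login.com", "mircosoft.com", "rnicrosoft.com",
                      "microsoft.com.login-portal.test", "login.microsoft.com", "example.org"]:
        print(f"{candidate:40} {assess_domain(candidate, {'microsoft.com'})}")
```

The length check on the brand keeps short names from matching everything within two edits; tune the threshold and the homoglyph table to your own domain list, and treat a hit as a reason to inspect, not as proof of fraud, since legitimate partners sometimes register similar names.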

4. IP Spoofing

Here, the attacker forges the source IP address in network packets. This technique is commonly used in DDoS attacks to obscure the attacker's origin and overwhelm defenses. It can also be used to bypass IP-based access control lists.

5. DNS Spoofing (Cache Poisoning)

The attacker corrupts a DNS resolver's cache, redirecting legitimate domain lookups to malicious IP addresses. Your employee types in the correct URL and still ends up on the attacker's server. This is especially dangerous because it defeats the "just check the URL" advice most people rely on.

6. ARP Spoofing

On local networks, attackers send fake ARP (Address Resolution Protocol) messages, linking their MAC address to a legitimate IP address. This lets them intercept, modify, or stop data in transit — a classic man-in-the-middle attack on your LAN.

Why Spoofing Keeps Working in 2026

I've assessed security programs at dozens of organizations over the years. Spoofing keeps succeeding for three reasons that haven't changed.

Reason 1: Trust is the default. Employees are trained to be helpful, responsive, and fast. When an email arrives from the CEO asking for an urgent wire transfer, the instinct is to comply, not interrogate. Social engineering exploits this deeply human tendency.

Reason 2: Technical defenses are incomplete. According to a 2024 analysis, less than half of domains globally have properly configured DMARC policies set to enforcement (quarantine or reject). That means attackers can still send emails pretending to be your domain, and many recipients' mail servers won't stop them.

Reason 3: Security awareness training is outdated or missing. Most employees have never seen a spoofed email dissected in a training session. They don't know what to look for. They've never been through a realistic phishing simulation. That gap is where attackers live.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. A significant percentage of those breaches started with compromised credentials — often harvested through spoofed emails and cloned login pages.

Ransomware gangs increasingly use spoofing as their initial access vector. A spoofed email delivers a malicious attachment. The attachment drops a loader. The loader pulls down ransomware. Within hours, your entire file server is encrypted. I've seen this exact chain play out at companies that believed their antivirus alone would protect them.

The real cost isn't just the ransom. It's the downtime, the forensics, the legal exposure, the customer notification, and the long-term reputational damage.

How to Defend Against Spoofing Attacks

Lock Down Email Authentication

Implement SPF, DKIM, and DMARC on every domain you own — including parked domains. Set your DMARC policy to "reject" once you've verified legitimate senders. CISA has published clear guidance on email authentication at BOD 18-01, and it applies to every organization, not just federal agencies.
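To check whether a domain's records actually enforce rather than merely monitor, here is an added example (not from the post or from CISA's guidance) that parses SPF and DMARC TXT records and lists the gaps a practitioner would want closed: a DMARC p=none or p=quarantine policy, a weaker subdomain policy, a pct below 100, a missing rua reporting address, an SPF record ending in ~all, ?all or +all, and an SPF record that exceeds the ten-lookup limit. The sample records are constructed for a hypothetical domain; in practice you would feed in the TXT records fetched from DNS for yourdomain and _dmarc.yourdomain.

```python
"""Evaluate SPF and DMARC TXT records for enforcement gaps (added example, not from the post)."""
from __future__ import annotations

# Constructed sample records for a hypothetical domain; not real DNS data.
SPF_WEAK = "v=spf1 include:_spf.mailer.example ~all"
SPF_STRONG = "v=spf1 include:_spf.mailer.example -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
DMARC_STRONG = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.test")

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return human-readable gaps; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings: list[str] = []
    if "p" not in tags:
        findings.append("no p= tag: receivers treat the record as invalid")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if POLICY_RANK.get(sub, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={sub}: subdomains are protected less than the organizational domain")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: you will not receive aggregate reports")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return gaps in an SPF record; an empty list means unlisted hosts hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings: list[str] = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: every host on the internet passes SPF")
    elif last == "~all":
        findings.append("~all: softfail only; many receivers still deliver the mail")
    elif last == "?all":
        findings.append("?all: neutral; unlisted hosts are neither passed nor failed")
    elif last != "-all":
        findings.append("no terminal 'all': unlisted hosts get a neutral result")
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier and any ':domain', '/cidr' or '=value' suffix to get the term name
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10, receivers return permerror")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("SPF weak", SPF_WEAK, spf_findings), ("SPF strong", SPF_STRONG, spf_findings),
                           ("DMARC weak", DMARC_WEAK, dmarc_findings), ("DMARC strong", DMARC_STRONG, dmarc_findings)]:
        print(f"{label}: {fn(rec) or 'OK'}")
```

Run it against every domain you own, parked ones included, since a parked domain with no SPF or DMARC record at all is the easiest one to impersonate; for those, a record of v=spf1 -all plus a DMARC policy of p=reject is the usual fix.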

Deploy Multi-Factor Authentication Everywhere

Even when spoofing succeeds at harvesting a password, multi-factor authentication stops the attacker from using it. MFA is your strongest single control against credential theft. Prioritize phishing-resistant MFA methods like FIDO2 security keys over SMS-based codes.

Adopt a Zero Trust Architecture

Zero trust assumes no user, device, or network is inherently trusted. Every access request is verified. This directly counters spoofing's core mechanism — exploiting assumed trust. NIST's Zero Trust Architecture publication (SP 800-207) is the best starting point for planning.

Run Realistic Phishing Simulations

Your employees need practice recognizing spoofed emails before a real one lands in their inbox. Simulations that mimic actual threat actor tactics — domain lookalikes, urgency cues, executive impersonation — build reflexes that classroom training alone can't. Our phishing awareness training for organizations is designed around exactly this principle.

Train Continuously, Not Annually

One-and-done security awareness training doesn't change behavior. The organizations I've seen build real resilience against spoofing and social engineering are the ones that train monthly with short, scenario-based lessons. If your team needs a solid foundation, our cybersecurity awareness training program covers spoofing, credential theft, ransomware, and more in practical, digestible modules.

Verify Out-of-Band

Establish a policy: any request involving money, credentials, or sensitive data must be verified through a separate communication channel. If the CEO emails asking for a wire transfer, call the CEO's known phone number. This simple step would have prevented the FACC disaster.

How Do You Know If You've Been Spoofed?

Watch for these warning signs:

  • Employees report receiving replies to emails they never sent.
  • Your domain appears in bounce-back messages for emails you didn't originate.
  • Customers or partners say they received suspicious messages from your organization.
  • Your DMARC aggregate reports show unauthorized senders using your domain.
  • Login attempts spike from unusual geographic locations after a suspected credential harvesting campaign.

If you spot any of these, investigate immediately. Check your DMARC reports, reset affected credentials, and notify impacted parties.
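The DMARC aggregate (rua) reports mentioned above arrive as XML attachments from each receiving provider, and reading them is how you find the "unauthorized senders" warning sign. The following is an added example, not part of the original post: it parses a report in the RFC 7489 Appendix C layout, lists the source IPs that failed both SPF and DKIM and are not in your own allowlist, and totals how much failing mail was still delivered because the policy was not enforcing. The embedded report and the allowlist are constructed for a hypothetical domain, using documentation IP ranges.

```python
"""Find unauthorized senders in a DMARC aggregate (rua) report (added example, not from the post)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C schema; IPs are documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.45</source_ip>
      <count>37</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.9</source_ip>
      <count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical allowlist of your own sending infrastructure (mail gateways, SaaS mailers).
KNOWN_SENDERS = {"198.51.100.7", "198.51.100.9"}


def parse_aggregate_report(xml_text: str) -> list[dict]:
    """Flatten each <record> into a dict of the fields that matter for triage."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows


def dmarc_failed(row: dict) -> bool:
    """DMARC passes if either aligned SPF or aligned DKIM passes; it fails only when both fail."""
    return row["dkim"] != "pass" and row["spf"] != "pass"


def unauthorized_senders(rows: list[dict], known: set[str]) -> list[dict]:
    """Sources that failed DMARC and are not yours: either someone spoofing your domain
    or a forgotten legitimate service that still needs to be added to SPF/DKIM."""
    hits = [{"source_ip": r["source_ip"], "messages": r["count"], "disposition": r["disposition"]}
            for r in rows if dmarc_failed(r) and r["source_ip"] not in known]
    return sorted(hits, key=lambda h: -h["messages"])


def summarize(rows: list[dict]) -> dict[str, int]:
    """Totals; 'failed_but_delivered' is non-zero when your policy is still p=none."""
    failed = [r for r in rows if dmarc_failed(r)]
    return {
        "messages": sum(r["count"] for r in rows),
        "dmarc_failed": sum(r["count"] for r in failed),
        "failed_but_delivered": sum(r["count"] for r in failed if r["disposition"] == "none"),
    }


if __name__ == "__main__":
    records = parse_aggregate_report(SAMPLE_REPORT)
    print(summarize(records))
    for hit in unauthorized_senders(records, KNOWN_SENDERS):
        print(f"unauthorized sender {hit['source_ip']}: {hit['messages']} messages, {hit['disposition']}")
```

Real reports arrive gzipped or zipped and one per receiving provider per day, so in practice you decompress them first and aggregate the rows across providers; the third sample record (DKIM fail, SPF pass) is included to show that a single failing mechanism does not mean a DMARC failure.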

Spoofing Isn't Going Away — But Your Vulnerability Can

Threat actors don't need zero-day exploits when they can simply pretend to be someone you trust. Spoofing succeeds because it targets people and processes, not just technology. The organizations that beat it combine technical controls (DMARC, MFA, zero trust) with trained, skeptical employees who know what a spoofed email looks like.

You don't need a massive budget. You need configured email authentication, enforced multi-factor authentication, and a workforce that's been through real-world phishing simulations. Start with those three and you'll eliminate the vast majority of spoofing risk your organization faces today.

The attackers are impersonating your CEO, your vendors, and your IT team right now. The question is whether your people will recognize it — or wire the money.