A Finance Worker Wired $25 Million Because of a Deepfaked Video Call

In early 2024, a finance worker at a multinational firm in Hong Kong transferred $25.6 million after joining a video conference call where every other participant — including the company's CFO — was a deepfake. The threat actors had used spoofing at its most sophisticated: they recreated voices, faces, and mannerisms convincingly enough to bypass human judgment entirely. This wasn't science fiction. It was a police report.

Spoofing is the act of disguising a communication or identity so it appears to come from a trusted source. It's the backbone of social engineering, the enabler of credential theft, and the gateway to data breaches that cost organizations millions. And in 2026, the techniques have gotten disturbingly good.

If you think spoofing is just a forged email header, you're about a decade behind. This post breaks down every major spoofing variant threat actors use right now, the real damage they cause, and the specific defenses that actually work. I've spent years watching organizations get burned by attacks that were preventable. Here's what I've learned.

What Is Spoofing in Cybersecurity?

Spoofing is when a threat actor impersonates a legitimate entity — a person, device, email address, IP address, website, or even a phone number — to gain unauthorized access, steal data, or trick someone into taking a harmful action. It exploits trust. Your employee trusts an email that looks like it came from the CEO. Your firewall trusts a packet that appears to originate from an internal IP. Your DNS server trusts a response that was actually injected by an attacker.

The 2025 Verizon Data Breach Investigations Report confirmed what many of us already knew: the human element remains a factor in the majority of breaches, and pretexting, the spoofing-enabled social engineering behind BEC, continues to grow as an initial attack vector. Spoofing isn't a single technique. It's a category of deception that spans nearly every layer of the technology stack.

The Six Spoofing Variants That Hit Organizations Hardest

1. Email Spoofing

This is the most common form I encounter during incident response. An attacker forges the From: header, the sender name and address the recipient sees, so the message appears to come from a trusted sender: your CEO, your vendor, your bank. (The envelope sender that SPF checks can be something else entirely, which is exactly the gap DMARC alignment closes.) The goal is usually credential theft, wire fraud, or malware delivery.

Email spoofing fuels business email compromise (BEC), which the FBI's Internet Crime Complaint Center (IC3) has consistently ranked as one of the costliest cybercrimes. Their 2023 IC3 Annual Report documented over $2.9 billion in adjusted losses from BEC alone. Many of those attacks started with a spoofed or lookalike sender.

The fix isn't complicated. SPF lets a receiver check that the sending server is authorized for the envelope domain, DKIM lets it verify a signature over the message, and DMARC ties both results to the From: domain the user actually sees and tells the receiver what to do when neither aligns. Yet in my experience, a staggering number of organizations either haven't published DMARC or have it set to "p=none", which means failures are reported but nothing is blocked. That's like installing a security camera but never looking at the footage.

2. Caller ID Spoofing

Your phone rings. The caller ID shows your bank's name and number. You answer. It's a scammer running a vishing (voice phishing) attack, pressuring you to "verify" account details. Caller ID spoofing is trivially easy with VoIP services, and it's devastatingly effective against employees who handle financial transactions or customer data.

The FCC has pushed the STIR/SHAKEN framework to combat this, requiring IP-based voice providers to sign and attest to caller ID information. But it's not a silver bullet. Calls that enter through international gateways or legacy TDM networks arrive with weak or no attestation, and spoofed calls still get through. Your defense here is training: making sure employees know that caller ID is not proof of identity.

3. IP Spoofing

An attacker writes a false source address into packet headers so traffic appears to come from another host. The classic use is reflection and amplification DDoS: the attacker sends small requests to open DNS or NTP servers with the victim's address as the source, and those servers flood the victim with large responses it never asked for. Spoofed sources also let an attacker blindly inject traffic into services that trust the source address alone.

IP spoofing is harder to pull off against networks whose edges do ingress filtering (BCP38, usually implemented as unicast reverse-path forwarding), but it still happens because enough networks don't. If your perimeter doesn't validate source addresses, you're both exposed and a useful launch point for attacks on everyone else.
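Here is what that ingress check actually decides, as an added example that is not part of the original post: a strict-mode uRPF filter in Python over a constructed routing table and packet list. The interface names, prefixes and sample packets are assumptions.

```python
"""Strict unicast reverse-path forwarding (uRPF) as a BCP38 ingress filter.

Added example, not code from the original post. The routing table and packets
are constructed; a router applies this logic in hardware, but the decision is
the same: a packet is forwarded only if the best route back to its source
address leaves through the interface the packet arrived on.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). cust-* are customer edges.
ROUTES = [
    ("0.0.0.0/0", "wan0"),
    ("10.1.0.0/16", "cust-a"),
    ("10.2.0.0/16", "cust-b"),
    ("203.0.113.0/24", "cust-a"),
]

# Constructed packets as (source IP, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.5.5", "cust-a"),        # customer A's own address: forward
    ("10.2.9.9", "cust-a"),        # customer A spoofing customer B: drop
    ("198.51.100.7", "cust-a"),    # customer A spoofing an internet address: drop
    ("198.51.100.7", "wan0"),      # internet source on the upstream link: forward
    ("10.1.5.5", "wan0"),          # our own prefix arriving from the internet: drop
    ("127.0.0.1", "cust-a"),       # bogon: drop
]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src_ip, ingress_iface, routes=ROUTES):
    """True if the packet may be forwarded, False if its source is spoofed or a bogon."""
    src = ipaddress.ip_address(src_ip)
    # Addresses that can never be a legitimate unicast source.
    if src.is_loopback or src.is_multicast or src.is_unspecified or src.is_reserved:
        return False
    route = best_route(src, routes)
    return route is not None and route[1] == ingress_iface


def filter_packets(packets, routes=ROUTES):
    """Apply the check to (src_ip, ingress_iface) pairs; returns a verdict per packet."""
    return [(src, iface, "forward" if urpf_strict(src, iface, routes) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    for verdict in filter_packets(SAMPLE_PACKETS):
        print(verdict)
```

Note the fourth packet: on the upstream link the default route matches every source, so strict mode accepts anything there. That is why providers run strict uRPF on customer-facing edges and use loose mode or explicit bogon ACLs on transit links, and why strict mode breaks on multihomed customers with asymmetric routing.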

4. DNS Spoofing (Cache Poisoning)

DNS spoofing corrupts a resolver's cache so that a legitimate domain name resolves to a malicious IP address. Your employee types in the correct URL for your company's banking portal. The poisoned answer sends them to a pixel-perfect replica controlled by the attacker. They enter credentials. Game over. With HTTPS the attacker still needs a certificate the browser will accept for the real hostname, so in practice the poisoned answer is paired with a site that doesn't enforce HTTPS or a certificate warning the user clicks through; HSTS closes that second gap.

DNSSEC (Domain Name System Security Extensions) was designed to prevent this by cryptographically signing DNS records. Signing your zone only helps clients whose resolver validates the signatures, so the control has two halves: sign your own zones, and turn on validation in the resolvers your organization uses. CISA has long recommended DNSSEC adoption, yet deployment remains inconsistent across the private sector.

5. Website Spoofing

Attackers clone a legitimate website, login page, branding, TLS certificate and all, to harvest credentials. A valid certificate for a lookalike domain is free, so the padlock proves nothing. These spoofed sites are often delivered via phishing emails or malicious ads. They look real. They feel real. The URL might be off by a single character (typosquatting), and most users won't notice.

This technique is a core component of phishing simulation exercises for a reason: it works against even security-savvy employees when they're distracted or rushing.

6. ARP Spoofing

On a local network, Address Resolution Protocol (ARP) spoofing lets an attacker link their MAC address to a legitimate IP address. This redirects traffic intended for another host through the attacker's machine. It's a favorite for internal threat actors or attackers who've already gained a foothold inside your network.

ARP spoofing is a reminder that zero trust architecture isn't just a buzzword. You can't assume internal traffic is safe. On the network side, Dynamic ARP Inspection and DHCP snooping on managed switches drop forged replies; on the host side, end-to-end encryption (TLS, SSH) means a redirected flow yields ciphertext rather than credentials.
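The detection side of this, as an added example (not code from the original post): a small watcher that consumes ARP replies and flags the three signals a spoofing attack leaves behind. The replies, addresses and the trusted gateway binding are constructed; in practice the input comes from a sniffer or from periodic dumps of a sensor host's ARP cache.

```python
"""Flag ARP spoofing from a stream of observed ARP replies.

Added example, not code from the original post. The replies below are
constructed; a real deployment feeds this from a packet capture or from
periodic ARP-cache dumps on a sensor host.
"""
from collections import defaultdict

# Constructed ARP replies as (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # a workstation
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (3.5, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    (3.6, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and the workstation: both halves of a MITM
    (3.7, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated to keep the caches poisoned
]

# Static bindings you know to be correct (gateway, DHCP server, ...). Constructed.
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


class ArpWatcher:
    """Keeps the first-seen IP->MAC table and reports deviations from it."""

    def __init__(self, trusted=None):
        self.table = {}                     # ip -> mac learned first
        self.ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.seen = set()                   # dedupe keys for alert kinds that would repeat
        self.alerts = []                    # (ts, kind, subject, detail)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        # 1. A reply that contradicts a static binding is the strongest signal.
        key = ("trusted", ip, mac)
        if ip in self.trusted and self.trusted[ip] != mac and key not in self.seen:
            self.seen.add(key)
            self.alerts.append((ts, "trusted-binding-violation", ip, mac))
        # 2. An IP whose MAC changes. Deliberately not deduplicated: flapping
        #    between the real and the forged MAC is itself characteristic of an attack.
        prev = self.table.get(ip)
        if prev is None:
            self.table[ip] = mac
        elif prev != mac:
            self.alerts.append((ts, "ip-mac-change", ip, f"{prev} -> {mac}"))
            self.table[ip] = mac
        # 3. One MAC answering for several IPs (gateway plus victim is the classic pair).
        self.ips_by_mac[mac].add(ip)
        key = ("multi", mac)
        if len(self.ips_by_mac[mac]) > 1 and key not in self.seen:
            self.seen.add(key)
            self.alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(self.ips_by_mac[mac])))


def detect(replies, trusted=None):
    """Run every reply through a watcher and return the alerts in arrival order."""
    watcher = ArpWatcher(trusted)
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in detect(ARP_REPLIES, TRUSTED):
        print(alert)
```

The first three replies produce nothing; the attacker's burst produces four alerts. Expect benign hits from VRRP failover and hosts with secondary addresses, which is why the trusted-binding alert is the one worth paging on.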

Why Spoofing Keeps Working: The Trust Gap

Every spoofing attack exploits the same fundamental vulnerability: trust. Email was designed for an era when everyone on the network was a colleague at a university. DNS wasn't built with adversaries in mind. Phone systems assumed the caller ID was truthful. These protocols were built on trust, and threat actors exploit that trust every single day.

Technology alone doesn't close the trust gap. I've seen organizations with robust email authentication still get compromised because an employee received a spoofed text message and clicked a link. The attack surface is wider than any single control can cover.

That's why security awareness training isn't optional — it's a critical layer of defense. Your employees need to understand that any communication channel can be spoofed, and that verification must happen out-of-band. Got an email from the CEO asking for a wire transfer? Call the CEO on a known number. Got a call from IT asking for your password? Hang up and call the help desk directly.

If your organization hasn't invested in structured cybersecurity awareness training, you're leaving your biggest attack surface — your people — completely undefended.

The $4.88M Lesson: Real Costs of Spoofing-Enabled Breaches

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing and social engineering — both heavily reliant on spoofing — were consistently among the top initial attack vectors.

Phishing remains one of the most common initial access vectors for ransomware, alongside exploited edge devices and stolen credentials. One employee clicks a link in a spoofed message, malware executes, and within hours the entire domain is encrypted. I've watched it happen to organizations with solid perimeter defenses that simply didn't train their people to recognize a spoofed email.

The costs go beyond the ransom. Downtime, legal fees, regulatory fines, reputational damage, and customer churn pile up fast. And for small and mid-size businesses, a single spoofing-enabled breach can be an extinction-level event.

How to Defend Against Spoofing: A Practical Playbook

Lock Down Email Authentication

Implement SPF, DKIM, and DMARC on every domain you own. Domains that never send mail get an SPF record of "v=spf1 -all" and a DMARC policy of "p=reject", so nobody can send as them either. Set DMARC to "p=reject" on your mail domains once you've validated your legitimate flows, and read the aggregate (rua) reports to catch unauthorized senders before you tighten. This stops exact-domain spoofing, the only kind DMARC can see; it does nothing against lookalike domains or a forged display name on a free-mail address, so pair it with lookalike monitoring and user training.
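To make this step concrete, and the earlier point about what SPF, DKIM and DMARC each contribute, here is an added example (not code from the original post) that audits SPF and DMARC records for the weaknesses called out above and then evaluates DMARC alignment for a message the way a receiver would. The DNS records are constructed in-memory stand-ins, and the organizational-domain logic uses the last two labels where a production tool would consult the Public Suffix List.

```python
"""Audit SPF/DMARC records and evaluate DMARC alignment for a message.

Added example, not code from the original post. Real tools query DNS; here a
constructed in-memory table stands in for the TXT answers so this runs offline.
org_domain() is simplified to the last two labels (assumption).
"""

# Constructed TXT records standing in for DNS answers.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "parked.example": "v=spf1 +all",
    "_dmarc.parked.example": "v=DMARC1; p=none",
}

DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the 10-lookup limit


def parse_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_mechanism(term):
    """Strip qualifier and argument: '+include:foo' -> 'include'."""
    term = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term.lower()


def audit_domain(domain, txt=TXT_RECORDS):
    """Return human-readable findings for a domain's SPF and DMARC records."""
    findings = []
    spf = txt.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        terms = spf.split()[1:]
        last = terms[-1] if terms else "?all"   # no 'all' term behaves as neutral
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: any host may send as this domain")
        elif last == "?all":
            findings.append("SPF ends in ?all: neutral result, authentication is meaningless")
        elif last == "~all":
            findings.append("SPF ends in ~all: softfail, acceptable only if DMARC enforces")
        if sum(spf_mechanism(t) in DNS_MECHANISMS for t in terms) > 10:
            findings.append("SPF needs more than 10 DNS lookups: receivers return permerror")
    dmarc = parse_tags(txt.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: failures are reported but never blocked")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua=: aggregate reports are not being collected")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC pct<100: policy applies only to a sample of failures")
    return findings


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, see docstring)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, txt=TXT_RECORDS):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the From: domain the user sees; spf_domain is the envelope
    MAIL FROM domain SPF evaluated; dkim_domain is a signature's d= tag. A raw
    SPF or DKIM pass counts only if its domain aligns with From:.
    """
    record = txt.get("_dmarc." + from_domain)
    policy_tag = "p"
    if record is None:                      # subdomain without its own record:
        record = txt.get("_dmarc." + org_domain(from_domain), "")
        policy_tag = "sp"                   # use the org domain's sp=, else its p=
    dmarc = parse_tags(record)
    if dmarc.get("v") != "DMARC1":
        return ("none", "none")
    spf_ok = spf_pass and aligned(from_domain, spf_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, dmarc.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", dmarc.get(policy_tag) or dmarc.get("p", "none"))


if __name__ == "__main__":
    for d in ("example.com", "parked.example"):
        print(d, audit_domain(d) or ["ok"])
    # Spoofed From: example.com relayed by a host that passes SPF for another domain.
    print(evaluate_dmarc("example.com", "mailvendor.example", True, "example.com", False))
```

The last call is the case people get wrong: SPF passed, yet the message is rejected, because the domain SPF authenticated (the attacker's envelope sender) does not align with the From: domain the user sees. That alignment check is the whole point of DMARC.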

Deploy Multi-Factor Authentication Everywhere

Even if a spoofing attack harvests an employee's password, multi-factor authentication (MFA) raises the cost of using it. Raise it all the way: one-time codes and push prompts can be relayed in real time by adversary-in-the-middle phishing kits that proxy the real login page, and SMS codes fall to SIM swapping, in which the attacker impersonates the subscriber to the carrier. Phishing-resistant MFA, FIDO2 security keys or passkeys, binds the credential to the site's origin, so a spoofed site cannot replay it. That's the gold standard; SMS-based MFA is better than nothing.

Adopt Zero Trust Architecture

Stop trusting network location as a proxy for identity. Every access request should be authenticated, authorized, and encrypted regardless of where it originates. NIST SP 800-207 provides the framework. Zero trust doesn't stop IP or ARP spoofing on the wire, but it removes the payoff: a spoofed address no longer grants access on its own, and redirected traffic is encrypted, which is what makes lateral movement by threat actors who've already breached your perimeter so much harder.

Implement DNS Security

Enable DNSSEC on your domains and validation on your resolvers. Use DNS filtering to block known malicious domains. Consider encrypted DNS (DoH or DoT) to prevent DNS interception on the wire; note that it only protects the hop to the resolver you chose, so it must be paired with a resolver you trust to validate. These aren't exotic technologies. They're table stakes in 2026.

Run Phishing Simulations Regularly

You can't train people to recognize spoofed emails by showing them a PowerPoint once a year. Regular phishing simulations build muscle memory. They show employees what spoofed messages actually look like in their inbox — not in a classroom. Organizations that run consistent simulations see measurable drops in click rates.

If you're looking for a structured program, phishing awareness training designed for organizations gives your team hands-on experience with the exact techniques attackers use.

Verify Out-of-Band

Establish a policy: any request involving money, credentials, or sensitive data must be verified through a separate channel. Email says to wire funds? Call the requester. Text says to reset a password? Walk to the IT desk. This one habit defeats the majority of spoofing-driven social engineering attacks.

What About AI-Powered Spoofing?

The Hong Kong deepfake incident I mentioned at the top wasn't an isolated case. Generative AI has made voice cloning and video spoofing accessible to low-skill attackers. A three-second audio clip is enough to clone a voice convincingly. Deepfake video is still imperfect, but it's improving fast.

In my experience, organizations are not prepared for this. Traditional security awareness training doesn't cover AI-generated spoofing. Your 2026 training program needs to explicitly address the reality that voices and faces can be fabricated. Employees need to internalize a simple principle: if a request is unusual, verify it through a trusted channel regardless of how convincing the communication appears.

Spoofing Detection: Signs You're Being Targeted

Watch for these indicators across your environment:

  • DMARC failure reports showing unauthorized use of your domain
  • Employees reporting suspicious calls from numbers that match legitimate contacts
  • Unexpected DNS resolution changes flagged by monitoring tools
  • Login attempts from impossible locations — a user authenticating from two countries within minutes
  • Lookalike domains registered with slight misspellings of your brand
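
The "impossible locations" indicator is straightforward to compute from authentication logs. As an added example (not from the original post), the script below flags consecutive logins per user that imply travel faster than an airliner. The events and their coordinates are constructed, and the 900 km/h threshold and 100 km minimum distance are assumptions to tune.

```python
"""Impossible-travel detection over authentication events.

Added example, not code from the original post. Events are constructed and
already geolocated; in practice latitude/longitude come from a GeoIP lookup
on the source address, which is itself approximate.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed login events: (user, UTC timestamp, city, latitude, longitude).
EVENTS = [
    ("alice", "2026-03-02T10:00:00Z", "New York", 40.7128, -74.0060),
    ("alice", "2026-03-02T10:45:00Z", "Frankfurt", 50.1109, 8.6821),
    ("bob",   "2026-03-02T09:00:00Z", "London", 51.5074, -0.1278),
    ("bob",   "2026-03-02T10:00:00Z", "Manchester", 53.4808, -2.2426),
    ("carol", "2026-03-02T11:00:00Z", "Sydney", -33.8688, 151.2093),
    ("carol", "2026-03-02T11:00:00Z", "Lisbon", 38.7223, -9.1393),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive logins per user that imply travel faster than max_kmh.

    min_km ignores short hops so GeoIP jitter within one metro area does not alert.
    Same-second logins from two distant places are reported as infinite speed.
    """
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in events:
        by_user[user].append((parse_ts(ts), city, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                alerts.append({"user": user, "from": c1, "to": c2,
                               "km": round(km), "hours": round(hours, 2), "kmh": kmh})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

Alice's New York to Frankfurt pair (about 6,200 km in 45 minutes) and Carol's simultaneous logins alert; Bob's London to Manchester hop does not. In production, exempt known VPN egress points and mobile carriers, which routinely geolocate hundreds of kilometres from the user.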

Proactive monitoring for brand impersonation, including typosquatted domains, is something every organization should be doing. Certificate Transparency logs and newly registered domain feeds are the two places such domains surface first, and services exist to scan both for names that mimic yours. If you find one, report it and get it taken down before it's used in an attack.
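One way to do that scan yourself, as an added example that is not part of the original post: fold common homoglyph substitutions back to the letters they imitate, then compare each new registration's label against your brand by edit distance (with transpositions), substring, and TLD swap. The domain feed is constructed and the thresholds are assumptions.

```python
"""Find lookalike (typosquat / homoglyph) domains in a feed of new registrations.

Added example, not code from the original post. NEW_DOMAINS is constructed; a
real feed would come from a zone-file or Certificate Transparency monitor.
The homoglyph table and the edit-distance threshold are assumptions to tune.
"""

BRAND = "example.com"

# Constructed feed of newly registered domains.
NEW_DOMAINS = [
    "examp1e.com", "exarnple.net", "example-login.co", "examplle.com",
    "sample.com", "unrelated.org", "example.net", "example.com",
]

# Character pairs and single characters attackers swap in because they render alike.
HOMOGLYPH_PAIRS = {"rn": "m", "vv": "w"}
HOMOGLYPH_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(label):
    """Fold homoglyph substitutions back to the letters they imitate."""
    label = label.lower()
    for pair, letter in HOMOGLYPH_PAIRS.items():
        label = label.replace(pair, letter)
    return label.translate(HOMOGLYPH_CHARS)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """'example-login.co' -> ('example-login', 'co'). Simplified: no Public Suffix List."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_reasons(candidate, brand):
    """Return why `candidate` resembles `brand`, or [] if it does not (or is the brand)."""
    candidate, brand = candidate.lower(), brand.lower()
    if candidate == brand:
        return []
    c_label, _ = split_domain(candidate)
    b_label, _ = split_domain(brand)
    if c_label == b_label:
        return ["tld swap"]
    norm = normalize(c_label)
    if norm == b_label:
        return ["homoglyph"]
    threshold = max(1, len(b_label) // 5)   # assumption: about one edit per five characters
    dist = osa_distance(norm, b_label)
    if dist <= threshold:
        return [f"edit distance {dist}"]
    if b_label in norm:
        return ["contains brand"]
    return []


def scan(domains, brand=BRAND):
    """Return [(domain, reasons)] for every domain in the feed that looks like the brand."""
    hits = []
    for domain in domains:
        reasons = lookalike_reasons(domain, brand)
        if reasons:
            hits.append((domain, reasons))
    return hits


if __name__ == "__main__":
    for domain, reasons in scan(NEW_DOMAINS):
        print(f"{domain:20} {', '.join(reasons)}")
```

The threshold scales with the brand's length so that a seven-letter brand tolerates one edit: "examplle.com" is flagged while "sample.com" (two edits away) is not. Short brand names will need a hand-tuned threshold and an allowlist, because every short dictionary word is within one edit of something.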

Spoofing Is Evolving. Your Defenses Need to Keep Up.

The threat actors using spoofing in 2026 aren't the same ones who were sending poorly formatted Nigerian prince emails in 2010. They're running targeted campaigns with AI-generated content, pixel-perfect cloned websites, and deepfaked executive voices. They study your organization's communication patterns before they strike.

Your defense has to be equally layered. Technical controls like DMARC, MFA, DNSSEC, and zero trust architecture form the foundation. But the human layer — trained, skeptical, empowered employees — is what catches the attacks that slip through. Every spoofing attack ultimately targets a decision point: should I click, should I transfer, should I trust? The right training ensures the right answer.

Don't wait for the $4.88 million lesson. Start building that defense today.