
What Is Email Phishing and Spoofing?

Email phishing and spoofing are types of online scams. Both types involve a scammer pretending to be a different person or have a different purpose than they claim. In reality, the scammer is trying to get information from you.

Anyone with an email account is vulnerable to fraud. Con artists use phishing and spoofing tactics through email. This article provides the basics of these online fraud tactics, how to spot them, and how to avoid becoming a victim.

What Is the Difference Between Phishing and Spoofing?

Phishing hides the scammer's true intent. Spoofing hides the scammer's true identity. They can work in tandem. Spoofing and email phishing both use deception to trick users, usually so they reveal sensitive information.

Email phishing is the act of impersonating a business or other entity to trick the email recipient into giving up sensitive personal information. Data gleaned from phishing can be used to commit identity theft or to gain access to online accounts.

Email spoofing involves a header or images appearing to be from someone (or somewhere) other than the actual source. Similarly, IP spoofing consists of using a forged IP address to trick the victim's computer into believing the traffic came from a trusted source.

Email Phishing Scams Seek Information

You've likely seen a phishing message before. It asks you to provide or verify your personal information. Yet, the email looks suspicious upon closer inspection. You might not recognize the sender's email address, or it appears to be a random string of letters and numbers.

Often, this sort of communication can look something like this:

"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."

Such a request for sensitive data is almost always a phishing attempt.

In a phishing attack, the scammer usually seeks data such as:

  • Credit card numbers (along with the expiration date and security code)
  • Social Security numbers
  • Bank account numbers
  • Birth dates
  • Passwords

Legitimate businesses, especially financial institutions like PayPal, do not ask for this type of information via email.

There are many types of phishing. Some phishing attacks use sophisticated software to send pop-up messages requesting such information. Others use text messaging or voice calls, as explained in more detail below.

Pop-up and email messages often ask the recipient to "click here." The link takes users to a legitimate-looking website built to collect the unsuspecting victim's data fraudulently.

How Spoofing Scams Work

Spoofing is the act of using a faked (or spoofed) email header or IP address. The scammer tries to hide their tracks to fool the recipient into thinking it is legitimate. Websites and social media profiles can also be spoofed.

Not every spoofed, unsolicited spam email is part of a phishing attempt. However, email spoofing is a common method of enabling phishing.

Spoofers often set up fake websites with domain names and designs similar to real businesses and government agencies. A cybercriminal can even spoof a friend you've known for years. Or, they might build an entirely new fake persona, which is common in catfishing scams.

If the message asks you to buy goods or follow a link, check that the sender is who they claim to be. The perpetrator might have accessed someone's address book through hacking or social engineering.
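Checking that the sender is who they claim to be can be done from the headers a receiving mail server has already stamped on the message: the visible From address, the envelope Return-Path, any Reply-To, and the Authentication-Results header that records SPF, DKIM and DMARC verdicts. The following Python script is an added example, not part of the original article; both sample messages are constructed for illustration, and the `.example` domains in them are placeholders.

```python
"""Flag likely email spoofing by comparing sender-identity headers.

Added example (not part of the original article). It reads only headers
already present on a received message and reports mismatches between the
visible From address and the envelope/authentication data. The two sample
messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_verdicts(auth_results):
    """Extract method=result pairs (spf=pass, dkim=fail, ...) from Authentication-Results."""
    pattern = r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)"
    return dict(re.findall(pattern, (auth_results or "").lower()))


def spoofing_red_flags(raw_message):
    """Return a list of human-readable red flags for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    verdicts = auth_verdicts(msg.get("Authentication-Results"))

    if not from_domain:
        flags.append("missing or unparseable From address")
    # The envelope sender (Return-Path) should normally match the visible From domain.
    if return_path_domain and return_path_domain != from_domain:
        flags.append(f"Return-Path domain {return_path_domain} does not match From domain {from_domain}")
    # A Reply-To pointing somewhere else redirects replies away from the claimed sender.
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    # Each authentication method should be present and should have passed.
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method)
        if verdict is None:
            flags.append(f"no {method} result recorded")
        elif verdict != "pass":
            flags.append(f"{method} result is {verdict}")
    return flags


# Constructed sample: headers line up and every check passed.
LEGIT_MESSAGE = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: customer@mail.example
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

# Constructed sample: visible From claims the bank, but the envelope and verdicts say otherwise.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@cheap-host.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=cheap-host.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <security@bank.example>
Reply-To: <verify@bank-secure-login.example>
To: customer@mail.example
Subject: Verify your account now

During our regular verification of accounts, we couldn't verify your information.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, spoofing_red_flags(raw) or "no red flags")
```

The script does not talk to the network; it trusts the Authentication-Results header only because a receiving server writes it after doing its own SPF, DKIM and DMARC lookups. Most webmail clients expose these headers through a "show original" or "view source" option.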

IP spoofing is frequently used to launch denial-of-service attacks. These cybersecurity attacks hit a target computer with an overwhelming amount of data, causing it to crash. By spoofing the IP address, the attacker can make the traffic appear harmless and gain access more easily.

Is Email Phishing Illegal?

Yes, sending a phishing email is criminal fraud. The scammer may also use the information they gathered from phishing to commit identity theft, which is also a crime.

Anti-Phishing Laws

Roughly half of states have specific laws against phishing, such as:

Such state laws define phishing. They also explain the legal actions that victims or the state attorney general can take against the scammer.

Federal identity theft laws are not specific to online phishing. Yet, they can apply after the scammer uses your information.

The Identity Theft and Assumption Deterrence Act makes using someone else's information without lawful authority a crime. Getting that information through fraud, such as phishing, doesn't give a scammer lawful authority to use it. The Identity Theft Enforcement and Restitution Act also gives rights to phishing victims after a scammer steals their identity.

Is Email and Website Spoofing Illegal?

Yes, spoofing can be illegal even when it doesn't connect to a phishing scheme. Legitimate businesses can't spoof other people or companies. Doing so would generally violate deceptive marketing laws.

Laws Against Spoofing Tactics

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act creates federal anti-spoofing rules. The act prohibits using fake email header information, including the sender's name and address.

Many states also have laws that can be applied to spoofing. For example, Georgia prohibits using "any individual name, trade name, registered trademark, logo, legal or official seal, or copyrighted symbol to falsely identify the person, organization, or representative transmitting such data" (GA Code § 16-9-93.1).

What Is Vishing?

Vishing scams are a form of phishing in which scammers use voice messages or robocalls to target you. Scammers may send these messages by calling you directly or using a voice over internet protocol (VoIP) service. They can even create a fake caller ID to trick you into believing the call is legitimate.

A vishing scammer might pretend to be a customer service agent, an account manager, or a government agency worker. They may claim they're calling you about a problem with your Microsoft or Apple account. These tech companies are popular, so many people might believe the caller.

Never give your account information or login credentials over the phone — unless you initiated the call and know you used a legitimate phone number. The Internal Revenue Service (IRS) and Social Security Administration (SSA) will not ask you to give your Social Security number on a call.

Voice Messages and Calls Can Be Spoofed

Spoofing is no longer text-based. When you answer the phone, you may recognize the voice on the other end of the line — but that voice could be a spoof.

Recently, the FCC has warned consumers about a new vishing risk due to artificial intelligence (AI) developments. Fraudsters may be able to recreate or mimic other people's voices through AI technology. For example, President Joe Biden's voice was spoofed in early 2024 during the New Hampshire primary election. Such voice recreations are known as deepfakes.

What Is Smishing?

Smishing scams are like email phishing, but scammers target you through text messaging (SMS).

One typical example of a smishing scam is a fake shipping notification. The scammer sends a text that looks like an automated notification. The message claims that an item could not be delivered and typically includes a link prompting you to fix the problem. Since many people shop online and expect deliveries regularly, the victim might not think twice about opening the link.

What Is Spear Phishing?

A spear-phishing attack targets a specific recipient or group. It could target a group of workers at a particular company or a single individual.

The level of personalization in many of these messages makes detecting the underlying scam difficult. For example, an email might list your name and mention a detail about you. Because the sender already seems to know something about you, you might be more likely to assume they rightfully obtained that information.

Unfortunately, the sender may have stolen or found publicly available information about you. Spear phishing is an attempt to get the rest of the details they need — likely to steal your identity.

How To Protect Yourself from Phishing and Spoofing

The best protection is to pay attention. Perhaps an email or website just doesn't seem right. You may receive a message asking for financial or personally identifying data. You should pause, check for red flags, and only proceed with caution.

The Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) offer tips for consumers to avoid these scams. These agencies monitor phishing attacks.

Here are a few ways you can detect and avoid falling for a phishing or spoofing scam:

  • Do not respond to any email message asking for personal or financial information, and do not click on any links provided in such a message.
  • Remember that phone numbers provided by phishers often use internet technology to hide the true source of the phone call, and area codes can be misleading.
  • Update your antivirus and anti-spyware software regularly.
  • Never send sensitive data (Social Security numbers, credit card numbers, etc.) via email.
  • Check bank account and credit card statements for unusual transactions.
  • Be careful when opening attachments or downloading files attached to emails. They may be malware or spyware, even if they appear to be from a friend (since spoofing can hide the true source).
  • If you need to update potentially sensitive information online, open a new browser window and manually type in the web address using a process you have used before.
  • If the web address of a known site looks unfamiliar, it may not be the legitimate site.
  • If you are conducting bank business or other sensitive transactions online, look for the lock icon and "https" in front of the web address, indicating a secure site.
  • Be suspicious of unusually long and random-looking web addresses.
  • If in doubt about an email that appears to be from a legitimate business, call the company yourself instead of replying to the message.
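Several of the tips above are checks on the web address itself: whether it uses "https", whether a known site's address looks unfamiliar, and whether the address is unusually long or random-looking. The following Python function is an added example, not part of the original article, that applies those checks to a URL. `KNOWN_SITES` is a constructed allow-list standing in for the sites a reader actually uses, and the length and randomness thresholds are illustrative choices rather than standards.

```python
"""Apply the web-address red flags from the checklist above to a URL.

Added example, not part of the original article. KNOWN_SITES is a constructed
allow-list (brand keyword -> the registered domain that brand really uses);
the numeric thresholds are illustrative, not standards.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

KNOWN_SITES = {
    "bank": "bank.example",   # placeholder domain
    "paypal": "paypal.com",
}
MAX_REASONABLE_LENGTH = 100      # illustrative cut-off for "unusually long"
RANDOM_ENTROPY_THRESHOLD = 3.5   # bits per character; illustrative cut-off


def shannon_entropy(text):
    """Bits of entropy per character; random-looking strings score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def host_belongs_to(host, registered_domain):
    """True if host is the registered domain itself or a subdomain of it."""
    return host == registered_domain or host.endswith("." + registered_domain)


def url_red_flags(url):
    """Return a list of red flags for a URL, following the checklist above."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []

    # Tip: look for "https" in front of the web address.
    if parts.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no host in address")
    # Tip: a known site's address that looks unfamiliar may not be the legitimate site.
    # A brand name appearing in a host that is not the brand's own domain is a red flag.
    for brand, real_domain in KNOWN_SITES.items():
        if brand in host and not host_belongs_to(host, real_domain):
            flags.append(f"mentions {brand} but is not {real_domain}")
    # Tip: be suspicious of unusually long and random-looking web addresses.
    if len(url) > MAX_REASONABLE_LENGTH:
        flags.append(f"unusually long address ({len(url)} characters)")
    tail = parts.path + ("?" + parts.query if parts.query else "")
    for token in re.split(r"[/?&=._-]+", tail):
        if len(token) >= 16 and shannon_entropy(token) > RANDOM_ENTROPY_THRESHOLD:
            flags.append(f"random-looking segment {token[:12]}...")
            break
    return flags


if __name__ == "__main__":
    # Constructed sample addresses; every domain here is a placeholder.
    for sample in (
        "https://www.bank.example/login",
        "http://bank.example.secure-verify.example/x",
        "https://paypal.com.account-update.example/u/a8F3kQ9zLm2Xp7Rw1Vb",
    ):
        print(sample, "->", url_red_flags(sample) or "no red flags")
```

An empty list means none of the checklist's address-level red flags fired, not that the site is safe; the other tips (typing the address yourself, calling the company) still apply.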

Relying on your email service's spam filters to catch phishing and spoofing emails isn't safe. Suspicious emails become harder to catch as thieves evolve new scam strategies.

How To Report Phishing or Spoofing

If you believe you have been scammed by a phishing or spoofing attack, file a complaint with the FTC. The online form can help you send a report to a federal database. It can also give you a plan for what to do next based on the type of fraud you encountered.

Watch for signs of identity theft. You also should contact your local law enforcement office and file a complaint with the FBI's Internet Crime Complaint Center.

Unfortunately, you may not know about a phishing or spoofing attack until it's too late. The attacker may have used your information to commit identity theft or other crimes.

Seek Legal Advice for Scams

Identity theft and other crimes can inflict widespread harm to your life and finances. Many attorneys work with victims to recover their losses and hold thieves accountable.

Online scam cases can be complex, especially due to scammers' anonymity. Contact a local consumer protection lawyer to discuss your specific legal options.
