Spoofing

Spoofing is when a scammer hides their real identity to look like a trusted source, by faking phone numbers, email addresses, or websites so messages or calls seem legitimate when they are not.

What is Spoofing?

Spoofing is a scam tactic where a scammer falsifies identifying information—such as a phone number, email address, or website—to make a message or call appear to come from a trusted source. Spoofing is commonly used to make scams look legitimate before a victim has a chance to verify what’s real.

Spoofing refers to falsifying the “from” information in a communication. The scammer isn’t just lying about who they are; they’re manipulating technical identifiers so the message looks legitimate at a system level, and can even make it appear to come from a known contact like your mom or boss.

In some cases, scammers also use automation or AI tools to make spoofed calls or messages sound more natural and convincing. While AI does not cause spoofing itself, it can help scammers generate realistic language or scripts that reinforce the appearance of legitimacy once a spoofed call, email, or message reaches a person.

How Spoofing Makes Scams Work

Spoofing most often appears through everyday communication tools people already rely on, such as phone calls, emails, text messages, and websites. A call may display a bank’s real phone number, an email may show a familiar sender name, or a website may closely resemble a legitimate login page.

What makes spoofing especially effective is that it doesn’t usually act alone. Spoofing is a supporting tactic that enables other scams to succeed by making fraudulent messages appear technically legitimate before a person has time to verify them.

By falsifying identifying information at a system level, spoofing can:

  • Make phishing messages look trustworthy
  • Support impersonation of banks, government agencies, companies, or known contacts
  • Lower initial skepticism by relying on familiar names, numbers, or branding
  • Enable downstream fraud such as account takeover, payment scams, and APP fraud

Complaint data tracked by the FBI’s Internet Crime Complaint Center (IC3) shows that scams involving spoofed phone numbers, email addresses, or websites make up a significant portion of reported cyber-enabled fraud. The widespread use of spoofing is one reason many modern scams appear legitimate at first glance—even when the underlying request is fraudulent.

Types of Spoofing

Spoofing can occur across multiple communication channels, including:

Caller ID spoofing

Scammers falsify the phone number shown on your screen so a call appears local, familiar, or official. This is commonly used in bank, government, and tech support scams.

Email spoofing

Attackers manipulate email headers or sender fields so messages appear to come from real companies or individuals. This is frequently used in phishing attacks.
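As an added illustration (not part of the original page), the Python sketch below shows how a mail filter or analyst might check a message's headers for the inconsistencies that often accompany a spoofed sender. The function name, finding labels, and sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_indicators(raw: str) -> list[str]:
    """Return header inconsistencies that often accompany a spoofed sender."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # Display name that shows an address at a different domain than the real one.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")

    # Replies or bounces routed away from the visible sender's domain.
    # Weak alone: bulk senders legitimately use separate bounce domains.
    for header, tag in (("Reply-To", "reply-to-mismatch"),
                        ("Return-Path", "return-path-mismatch")):
        dom = _domain(parseaddr(msg.get(header, ""))[1])
        if dom and dom != from_dom:
            findings.append(tag)

    # SPF/DKIM/DMARC verdicts stamped by the receiving server (RFC 8601).
    # Only trust this header when your own mail server added it.
    results = msg.get("Authentication-Results", "")
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
        if verdict.lower() != "pass":
            findings.append(f"{mech.lower()}-{verdict.lower()}")
    return findings

# Constructed sample: the visible From uses the real-looking domain, but the
# message fails DMARC and steers replies elsewhere. All names are made up.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank" <alerts@bank.example>
Reply-To: <help@bank-support.invalid>
Subject: Urgent: verify your account

Please confirm your details.
"""

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE))
```

An empty result does not prove a message is genuine; it only means these particular header checks found nothing inconsistent.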

Website spoofing

Fake websites are designed to closely resemble legitimate ones, often copying logos, layouts, and URLs to capture login credentials or payment information.

Neighbor spoofing

A variation of caller ID spoofing where the number appears similar to your own area code or exchange to increase the chance you’ll answer.

Signs a Call, Message, or Website May Be Spoofed

A communication may be spoofed if:

  • It looks legitimate but arrives unexpectedly
  • You’re asked to act before you can verify independently
  • The sender discourages hanging up or checking elsewhere
  • Links or websites closely resemble real ones but don’t match exactly
  • Trust is based solely on the displayed number, sender name, or branding

The key takeaway: appearance alone is not proof of legitimacy.

How to Protect Yourself

  • Don’t rely on appearance alone to judge legitimacy
  • Be cautious of unexpected or urgent messages
  • Verify requests using official contact information
  • Avoid clicking links unless you’re sure they’re legitimate
  • Use a trusted free scam checker like Scamwise to review suspicious messages, calls, or emails before responding

FAQs

What is spoofing?
Spoofing is when scammers falsify identifying information—like phone numbers, email addresses, or websites—to appear as a trusted source.

Is spoofing illegal?
Often yes, especially when it’s used to commit fraud or deceive people into giving money or information.

Can caller ID or email displays be trusted?

No. Caller ID and email sender information can be spoofed, meaning a call or message can appear to come from a real organization or even a known contact. This is why it’s important to verify unexpected requests independently, even when the name or number looks familiar.

What’s the difference between spoofing and impersonation?

Spoofing involves falsifying technical information—such as a phone number, email address, or sender details—so a call or message appears to come from a trusted source. Impersonation involves someone claiming to be a trusted person or organization in order to deceive you.

Many scams use both together: spoofing makes a call or message look legitimate, while impersonation is how the scammer convinces you to act.