What is spoofing?

Spoofing or identity theft is a set of techniques used by attackers to impersonate a trusted person or company and trick victims into obtaining information.

Main types of spoofing

At the moment, the type of attack most commonly used by cybercriminals is phishing, which involves obtaining sensitive information from victims in order to commit criminal acts. In the case of banks and financial institutions, the number of phishing attacks has increased exponentially. The goal of these types of attacks is to obtain electronic banking credentials, details of debit/credit cards or other payment methods (e.g.: Bizum) in order to commit financial scams or fraud by obtaining money from victims via electronic transactions (transfers, online purchases, etc.), or even obtain personal information (name, ID, date and place of birth, etc.) to commit other types of crimes.

Before explaining what the main types of fraud or identity theft (spoofing) involve, it is worth remembering that banks or financial institutions will never approach their customers via SMS, telephone, email, etc., to ask them to provide online banking credentials (username and password, code sent to a mobile phone), or any other information such as the card number, expiry date and the three-digit check digits required to make purchases online.

In the banking world, the main types of spoofing used are SMS Spoofing and ID Spoofing, also known as phone spoofing.

What is SMS Spoofing?

SMS Spoofing or identity theft by SMS is a technique used in a type of phishing known as smishing.

This technique involves sending an SMS to the victim pretending to be their bank with a view to obtaining the information required to commit the scam or fraud or any other criminal act. The SMS itself is modified via applications or techniques (swapping the phone number that originally sent the SMS with another number, adding the name of the bank in the FROM field of the SMS, etc.) so it looks like it is from the bank and enters the thread of actual messages the person has received from the bank in the past.

These fake SMS messages will contain a link to a fake website (website or domain spoofing), which will look similar to the bank's actual website. It is also common for the user to receive instructions to call a telephone number where they will be asked for the username and password for their online banking, the code that the bank sends to the user's mobile phone to log in or the card number, expiry date and CVV/CVC (three digits on the back of the card).

Remember that Banco Santander will never request information via a link to a website in an SMS, nor will it ask its customers to call any number to provide said information.

Definition of Caller ID Spoofing

ID Spoofing or identity theft via phone calls is a technique used in a type of phishing known as vishing.

The method behind ID Spoofing is the same as SMS Spoofing; it involves changing the caller ID or telephone number to trick the victim and pretending to be the bank in order to obtain personal information.

To avoid this type of attack, follow the same recommendations as for SMS Spoofing:

  • Be suspicious of any unexpected calls by the bank.
  • Do not provide any sensitive information such as online banking credentials, card details or details of any other payment methods, or any information that would allow anyone to impersonate you (name, ID, date and place of birth, etc.).

What is email spoofing?

Email spoofing is used in email phishing and involves forging an email so it looks like it has been sent by our bank. To detect this type of scam, analyse the message you have received:

  • In the FROM field, the sender's email address, you will see that the domain, which you will find on the right of the @ symbol (<mailbox>@domain) will be different from the bank's actual domain (e.g., for Banco Santander the correct domain is Bancosantander.es).
  • This type of email will ask you for sensitive information.
  • It will contain links to fraudulent websites, which will look like your bank's website, to infect the computer with some type of malware (virus, worm, Trojan, etc.) or it will ask you to open a website that is similar to your bank's website (domain or website spoofing) and it will ask the victim to enter the information the attacker needs.

In order to avoid falling victim to email spoofing, it is recommended that you provide no sensitive information by email and that you do not click on any links contained in an unexpected email from "the bank". As a general rule, with regard to links, we recommend that you go directly to the bank's website using an Internet browser or a search engine such as Google and access online banking, etc. via the bank's actual website and not through links or email links.

Website or domain spoofing: what you need to know

As discussed above for other types of spoofing, this type of identity theft is used by attackers alongside other types of spoofing, such as SMS or email spoofing, in order to create malicious or fraudulent websites imitating the bank's website. This type of identity theft seeks to obtain online banking credentials or any other type of information that can be used to commit scams or fraud or to impersonate victims so that a criminal activity can be carried out in their name.

As with email spoofing, if we look at the URL (web address) in the address bar of the Internet browser, we will see that the domain of the website is similar, but does not exactly match the domain of the bank concerned. For example, a Banco Santander website will contain the domain Bancosantander.es (<web page name>.bancosantander.es/<other information or subpages>, such as https://www.bancosantander.es/empresas).

How to avoid these types of attacks

  • Always access the bank's website by typing the URL in the browser or use a search engine such as Google.
  • Do not click on any links that you receive via an unexpected email or SMS to avoid malware infections.
  • Do not enter information on any website that has been opened using a link received through an unexpected SMS or email.

What should you do if you have provided sensitive information as a result of phishing?

If Banco Santander customers see any transactions they do not recognise in their accounts or if they have provided any information over the phone, via email, SMS or a suspicious link or web link, they can contact the bank immediately through the communication channels made available to customers to report what happened:


You might be interested in