Spoofing (caller-ID / email)
Faking the display name, phone number, or email address on a message so it appears to come from a trusted source.
Also known as: caller-ID spoofing, email spoofing, number spoofing
Last reviewed: 1 June 2026
Spoofing is the technical manipulation of identifying information — caller ID, email 'From' address, or website domain — to impersonate a legitimate sender. It does not require 'hacking' the impersonated organisation; it exploits how communication infrastructure handles identity claims.
Caller-ID spoofing lets fraudsters display any phone number, including your bank's genuine helpline number. Email spoofing can display a trusted organisation's domain in the 'From' field, though modern email authentication standards (SPF, DKIM, DMARC) make this harder. Website spoofing uses look-alike domains (e.g. 'paypa1.com') combined with copied branding.
Spoofing is usually a support mechanism for other attacks — vishing, phishing, smishing, or BEC — rather than an attack in its own right. The key defence is to never rely on caller ID or sender address as proof of identity; contact organisations independently via numbers from their official website.