I almost never say spoof when discussing IT security because it undervalues the malice and potential injury of the activity. The trouble with spoof is that it is most commonly used in the context of literature, media, or storytelling. A spoof is a send-up of a known artwork. We watch spoofs of popular media figures, movies, and TV shows on the likes of Saturday Night Live. When I was a kid, my friends and I used to enjoy MAD Magazine’s spoofs of popular movies.

Although it doesn’t have to be lighthearted and harmless in its nature, pragmatically speaking it usually is. A Modest Proposal spoofs Jonathan Swift’s contemporary political debate by (insincerely) arguing in favor of eating Irish children, but mostly we’re dealing with the made-for-laughs spoofs of sketch comedy and Mel Brooks movies. Whether or not you enjoyed Spaceballs, it’s hard to paint it as anything malicious or dangerous.

The word means something entirely different when used from an IT perspective. In that context, a spoof is an attack that depends on successfully impersonating a trusted person, entity, or process to a malicious end. Spoofing is criminal activity. It’s counterfeiting. It’s fraud.

But because the other context is the first we learn and the one we hear most often, these connotations of lightness, friendliness, and harmlessness travel with the word. Describing a phishing site as a spoof site may be technically correct, but it creates the wrong emotional context.

So as a result I almost never say it. In the context of a technically precise description of attack activity, I may choose the word. But when describing social engineering attacks, phishing sites, and the impact of these crimes on individuals, I prefer the raw words that communicate the harm that comes with them. I prefer crime. I prefer counterfeit. I prefer theft. I prefer fraud.
