When Fraud Originates Outside the Official Channel: Spoofing and Digital Impersonation
In the last two years, there has been sustained growth in spoofing and brand impersonation campaigns that no longer seek to directly compromise organizational infrastructure, but rather to manipulate the end user into interacting with fraudulent environments that mimic legitimate channels.
These campaigns use cloned domains, fake sponsored ads, counterfeit applications, and deceptive messaging to replicate the visual identity and narrative of recognized brands.
A recent case was publicly reported by Avianca, which identified fraud attempts based on fake offers and unofficial applications. This type of incident reflects a structural trend: fraud is no longer executed within the corporate channel, but before the user even reaches it.
Off-Channel Attack Model
Spoofing operates under an out-of-channel scheme composed of three phases:
- Attraction to a fraudulent environment: The user is redirected to a cloned domain, fake ad, or counterfeit app that replicates the identity of a legitimate brand.
- Voluntary submission of information: The user enters credentials, personal data, or financial information, believing they are interacting with an official channel.
- Execution on a real channel: The data obtained is subsequently used to access or conduct transactions from authentic platforms.
From a technical perspective, the resulting operation can meet all formal authentication criteria, making it difficult to detect when only the final event is evaluated.
Limitations of Traditional Controls
Traditional controls focus on:
- Static Authentication
- Deterministic Rules
- Point-in-Time Event Validation
These mechanisms do not analyze the full context of the interaction, the environment from which the operation is executed, or the user's previous behavior, leaving a critical gap against deceptive attacks.
How Modern Anti-Fraud Platforms Address Spoofing
Modern fraud prevention architectures incorporate correlation of multiple signals:
- Behavioral Analysis: Sequence of actions, response times, and interaction patterns.
- Device Integrity Assessment: Detection of emulation, automation, malware, virtual cameras, or environmental manipulation.
- Session and Network Context: IP reputation, geographical inconsistencies, and relationship with active campaigns.
Risk-Based Decision Models
Application of proportional controls based on the probability of fraud, avoiding binary schemes. This approach allows you to identify when an interaction ceases to be trustworthy, even if it appears transactionally valid.
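An added example (not from the original article or from any vendor's product) of the signal correlation and proportional decision described above, set beside a point-in-time check that sees only the final authentication event. The field names, weights, and thresholds are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Session:  # all fields and sample values are constructed for illustration
    auth_ok: bool                 # credentials and second factor verified
    response_time_z: float        # interaction timing vs. the user's baseline (z-score)
    emulator_or_automation: bool  # device integrity signal
    known_device: bool            # device previously seen for this user
    ip_reputation: float          # 0.0 = clean, 1.0 = known bad
    geo_inconsistent: bool        # location conflicts with recent sessions
    linked_to_campaign: bool      # IP or device seen in an active spoofing campaign

# Illustrative log-odds weights (assumptions, not calibrated values).
WEIGHTS = {"behavior": 0.8, "emulator": 2.5, "new_device": 1.0,
           "ip": 2.0, "geo": 1.5, "campaign": 3.0}
BIAS = -4.0  # low prior probability of fraud

def point_in_time_check(s: Session) -> str:
    """Traditional control: evaluates only the final authentication event."""
    return "allow" if s.auth_ok else "deny"

def fraud_probability(s: Session) -> float:
    """Correlate behavioral, device and network signals into one probability."""
    z = BIAS
    z += WEIGHTS["behavior"] * min(abs(s.response_time_z), 3.0)
    z += WEIGHTS["emulator"] * s.emulator_or_automation
    z += WEIGHTS["new_device"] * (not s.known_device)
    z += WEIGHTS["ip"] * s.ip_reputation
    z += WEIGHTS["geo"] * s.geo_inconsistent
    z += WEIGHTS["campaign"] * s.linked_to_campaign
    return 1.0 / (1.0 + math.exp(-z))

def risk_decision(s: Session) -> str:
    """Proportional control instead of a binary allow/deny."""
    if not s.auth_ok:
        return "deny"
    p = fraud_probability(s)
    if p < 0.30:
        return "allow"
    if p < 0.80:
        return "step_up"  # for example, an out-of-band confirmation
    return "block"

# Constructed sessions: all three pass authentication with valid credentials.
usual = Session(True, 0.3, False, True, 0.05, False, False)
odd = Session(True, 1.5, False, False, 0.2, True, False)
replayed = Session(True, 2.8, True, False, 0.7, True, True)
```

All three sessions pass `point_in_time_check`, while `risk_decision` separates them into allow, step-up, and block.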
A structural shift in digital fraud
Spoofing demonstrates a profound change in the threat model:
Manipulation occurs before the transaction, during the user's interaction with untrusted external channels. Protecting the transaction no longer only involves securing the login or the transaction itself, but also extending visibility to the session, the environment, and the behavior from the first contact.
How SmartID responds to this new scenario
SmartID incorporates a comprehensive protection approach based on:
- Dynamic evaluation of user behavior
- Contextual analysis of the session, network, and device
- Risk models and adaptive rules
- Correlation of technical and operational signals
This allows for the detection of untrustworthy interactions even when the transaction appears legitimate.
ATC: Active Threat Control as a Critical Layer
ATC (Active Threat Control) extends this capability to the mobile device level, enabling:
- Identification of remote control, screen sharing, and accessibility abuse
- Detection of manipulated, automated, or emulated environments
- Blocking interactions when the device is under third-party control
- Reducing assisted fraud and accelerating operational response
ATC acts as a real-time preventative layer, protecting the user before fraud materializes.