Can You Spot the Spoofing?

by Ignacio Martinez

In a previous post, I talked about email phishing — a scheme used by hackers to try to gain access to your sensitive information, by imitating or impersonating a legitimate organization.  With phishing, the bad actor convinces you to key in your sensitive information which they then collect for misuse.  

There is also a separate scheme known as spoofing, where the hackers create a nearly pixel-perfect message that tries to convince you to click on a button or download an attachment that actually contains a malicious payload.

While one scheme tries to “pull” information and the other attempts to deliver malicious software, both can be deployed and delivered in similar looking email messages. Although the messages can look convincing, there are ways to spot them. Today I want to take a look at some quick ways to see if a suspect message is legitimate or not.

Smartsheet will never email you to request sensitive data, such as passwords, credit card details, and social security numbers. However, malicious actors may use a very convincing email leading you to what appears to be a a Smartsheet login page or authentication page to entice you to either enter your credentials or to download malicious software to your system.

Our security team works continuously to evolve our automated detection and prevention processes, and we act immediately when alerted to suspected phishing or spoofing attacks to shut them down. Unfortunately, bad actors are continuously evolving their tactics, so we want to make sure that you have some tools to detect phishing or spoofing and avoid becoming a victim of such an attack.

Can You Spot the Difference?

Can you spot the differences between the images of the two web pages below? Take a minute to look before scrolling down to my observations.


Okay, what differences did you see between the two images above? You may have noticed that the header language was different: “Log in with your receiving email to view documents” rather than “Welcome back. Log in here.” You may also have noticed that the buttons are slightly different: “Office365 Account” vs. “Work Account” and “Gmail Account” vs. “Google”. So which one is the real Smartsheet?

How to Spot the Difference

If you have a sharp eye, you may have noticed the key to distinguishing between the authentic page and the forgery — the web page URL. While both URLs begin with “https://” indicating that they’re secure, encrypted links, only one points to

I encourage you to pay attention to website URLs. Malicious websites and landing pages may appear identical to a legitimate site, but the URL may have a variant spelling or a different domain. The difference in domain may be as simple as a .net address versus a .com address, so it’s important to pay close attention to those distinctions.

What to Do If You Spot Something Phishy

Here are the steps to take if you suspect that you’re receiving malicious communication that appears to be coming from Smartsheet:

  • Do not ever key in or divulge personal or financial information

  • Do not delete the email — instead, report it to our security team

  • If you were redirected to a suspicious landing page, you can include that as well

  • To report a suspected phishing scam, forward the email in question as an attachment to

Smartsheet has a strict, zero tolerance policy against phishing scams, and we take reports of phishing activity very seriously. To learn more about our approach to protecting your data, you can read the Smartsheet privacy policy here.