Spoofed links work by exploiting the trust that recipients place in familiar brands or services. Attackers use various techniques to disguise these links, such as using URL shorteners or creating URLs that closely resemble legitimate ones. When clicked, these links can redirect users to malicious sites designed to harvest personal information.