Spoofing attacks typically exploit vulnerabilities in the email protocol, which lacks robust mechanisms to verify the sender’s identity. Attackers can easily manipulate the 'From' address field to make it appear as though the email is from a legitimate sender. This can be done using simple tools or more sophisticated methods, such as phishing kits that automate the process.