Multimodal biometric systems are commonly believed to be more robust to spoofing attacks than unimodal systems, as they combine information coming from different biometric traits. Recent work has shown that multimodal systems can be misled by an impostor even by spoofing only one biometric trait. This result was obtained under a `worst-case` scenario, by assuming that the distribution of fake scores is identical to that of genuine scores (i.e. the attacker is assumed to be able to perfectly replicate a genuine biometric trait). This assumption also allows one to evaluate the robustness of score fusion rules against spoofing attacks, and to design robust fusion rules, without the need of actually fabricating spoofing attacks. However, whether and to what extent the `worst-case` scenario is representative of real spoofing attacks is still an open issue. In this study, we address this issue by an experimental investigation carried out on several data sets including real spoofing attacks, related to a multimodal verification system based on face and fingerprint biometrics. On the one hand, our results confirm that multimodal systems are vulnerable to attacks against a single biometric trait. On the other hand, they show that the `worst-case` scenario can be too pessimistic. This can lead to two conservative choices, if the `worst-case` assumption is used for designing a robust multimodal system. Therefore developing methods for evaluating the robustness of multimodal systems against spoofing attacks, and for designing robust ones, remain a very relevant open issue.