Advanced phishing

How to recognize and prevent impersonation attacks

by Egress
Published on 12th Apr 2023

Impersonation attacks involve cybercriminals posing as a person or organization (often a trusted individual or brand) to defraud a business of funds, steal credentials or data, or deliver malicious payloads, such as malware.

Impersonation attacks delivered via email can be an effective way for cybercriminals to achieve these aims. The attacks are a form of social engineering, as they use the victim’s potential familiarity with the impersonated individual or brand to manipulate them into interacting. For example, victims may automatically trust that an email is genuine if it appears to come from a sender or brand they recognize, giving cybercriminals the opportunity to exploit that trust. Additionally, people are familiar with relying on email to communicate with or receive updates from brands, so communications don’t appear out of place. It is also easier for cybercriminals to impersonate individuals using the written word than when speaking directly to the victim over the phone, and email allows them to send multiple attacks at once versus a one-to-one phone conversation.

To provide an idea of the scale of this problem, out of the phishing attacks Egress Defend detected in 2022, two-thirds (66%) involved some level of impersonation.

Knowing what to look out for can help employees in your organization to avoid falling victim to impersonation attacks in some instances. However, it is unrealistic to expect people to detect phishing attacks, particularly advanced impersonation attacks, without technology to help them. As these attacks are engineered to get through traditional defenses, using an integrated cloud email security (ICES) solution like Egress Defend is the best way to keep your organization protected against sophisticated impersonation attacks and eliminate the possibility of human error. 

Types of impersonation attacks

There are many different types of impersonation attacks that have been identified, including cybercriminals targeting new employees who are not yet familiar with company procedures and may be less inclined to recognize unusual requests from senior members of the organization or less aware of the processes they need to follow.

The most effective form of impersonation attacks are highly targeted, which makes them a form of spear phishing – for example, a cybercriminal finds out who the head of finance is and impersonates a vendor with a fraudulent invoice (also referred to as business email compromise (BEC)). However, in other instances, cybercriminals use more opportunistic impersonation attacks, or the ‘hit and hope’ approach, by posing as a known person or brand with a more unexpected email – for example, posing as DPD, DHL or other delivery services, and sending people missed delivery notifications even if they are not expecting a delivery.

How do cybercriminals impersonate people and brands?

Attackers will infiltrate their targets’ inbox via two main methods: spoofing or taking over a legitimate email account in another organization.

Email spoofing

There are several ways that attackers can spoof an email, including creating a lookalike email address or ‘masking’ a completely different address behind an impersonated display name. There are tactics that cybercriminals frequently use for email impersonation, as outlined below:

  • Root domain: Companies usually have a consistent root domain that appears on company email addresses. An example is ‘microsoft’ in In this instance, cybercriminals will create a root domain and change one character, for example,
  • Top-level domain: Cybercriminals make use of an alternative top-level domain at the end of a recognized email address such as .edu or .org, when the legitimate domain is registered to .com. For example, cybercriminals will use
  • Subdomain: A less common type of impersonation is subdomain-based impersonation, this is because most business emails do not have subdomains, except large enterprises, which can make a phishing attack more obvious to the target. This involves the cybercriminal adding a subdomain to a known company email address, for example
  • Display name: A display name on an email can be different to the username attached to an account, and on some popular email platforms and mobile devices, only the display name is shown. For example, the display name could be a well-known brand such as ‘Shein’ but the email address it’s sent from is unrelated (such as a freemail address or a different compromised corporate address)
  • Username: One of the least sophisticated forms of impersonation is username impersonation. The cybercriminal will create an email address with a name that looks like a person or brands’ email address. For example, a legitimate email address for a freelance photographer could be and the cybercriminal creates  

Account takeover

Phishing emails that have been sent from compromised legitimate accounts are more difficult to detect. In an account takeover (ATO) attack, cybercriminals steal login credentials and access an employee’s account, typically their mailbox. Although different tactics can be used to steal these credentials, our research has shown that 85% of ATO attacks start with a phishing email. The cybercriminal then uses the legitimate account to impersonate the employee and trick victims. 

Who do cybercriminals impersonate?

Cybercriminals will impersonate people and brands, including trusted suppliers, such as:

  • An influential person within the organization: Attackers frequently impersonate a CEO or senior executive to convince other executives or lower-level employees to follow their instructions without hesitation
  • A well-known brand: Cybercriminals have previously impersonated global brands such as Netflix, Shein, and Silicon Valley Bank
  • A third-party vendor: Attackers sometimes pretend to be suppliers to trick employees into paying fraudulent ‘overdue’ invoices, also referred to as BEC


How to recognize an impersonation attack

Modern spear phishing attacks are highly targeted, making them harder to detect by people and traditional technologies. While there are signs that make it possible for people to detect some impersonation attacks (listed below), it is unrealistic to expect them to detect every one. Consequently, organizations need to implement an ICES solution, such as Defend.

Incorrect email address

As noted, cybercriminals use email spoofing and display name impersonation to trick victims. Hovering over the sender’s name can reveal a the ‘masked’ email address, while using a search engine can often reveal whether a domain is used by the company. However, it’s worth noting that these steps won’t work for emails sent from compromised accounts.

Unusual requests

Organizations will have procedures in place to ensure the confidentiality of their data. If employees receive an email request that doesn’t align with normal company processes, they must seek verification through an alternative channel before sending data or transferring money. It could be an attacker hoping to catch employees off guard.

Unusual language, grammar, and spelling

The language each person uses in an email generally does not significantly change over time. This is another way to spot an impersonation attack, generic greetings and errors in spelling or grammar are common in these attacks.

Urgent tone

Attackers want their victims to act without thinking. With added pressure and urgent language, employees are more likely to act on instinct without analyzing the context of the situation. This is particularly true if the orders come from senior executives in the company. 

Emphasis on confidentiality

Attackers will use words like ‘private’, ‘confidential’, and ‘secret’ in their emails to prevent employees from discussing the email with colleagues. Knowing how important confidentiality is for organizations, this tactic is usually successful.

Attackers aim to capture recipients when in a high stress, type 1 thinking environment. Using these words whilst the victim is in this mindset will trigger cognitive narrowing, getting the recipient to focus on completing the task they have been presented with as quickly as possible.

How to avoid an impersonation attack

To stay fully protected against impersonation attacks, organizations must enhance their email defenses.

The limitations of traditional email security technologies

The signature-based and reputation-based detection capabilities found in Microsoft’s cloud native email security and secure email gateways (SEGs) can be bypassed by impersonation attacks. When an attack lacks a malicious payload (malware attachment or phishing hyperlink), signature-based detection has nothing to detect. Similarly, if the payload is not known in the definitions’ libraries, it will also get through detection.

The use of compromised legitimate accounts ensures a high delivery rate, as the domain will pass hygiene checks. Similarly, cybercriminals can use freemail accounts or take technical steps to ensure spoofed domains will also pass.

Deploy an integrated cloud email security (ICES) solution

ICES solutions like Egress Defend offer the best defense against sophisticated impersonation attacks. 

Defend uses AI to analyze the content and context of every inbound email and uses technical measures and linguistic models to detect impersonation attacks, including those that do not contain a malicious payload. The solution also provides real-time dynamic banners within the inbox, offering in-the-moment education that augments security awareness and training programs.

Set up standard operating procedures

In addition to an ICES solution, a set of standard operating procedures related to email can reduce the risk of a successful phishing attack. Having a clear and streamlined workflow can ensure tasks are completed in a compliant manner. When employees ensure a consistent and repeatable approach, they are more likely to notice or alert someone else when an unusual request occurs as part of a phishing attack.

An example of a standard operating procedure would be making it mandatory for employees to verify all email requests internally before providing sensitive information or making a wire transfer, which can aide in preventing spear phishing attacks specifically, BEC. Without this rule, employees may not feel confident disclosing certain email requests — especially if they claim to be private or urgent.

Learn more about phishing threats

Impersonation attacks are just one-way cybercriminals can infiltrate your inbox. Learn more about other cyberattacks in our phishing hub, and explore helpful advice to keep your organization protected.