What is an impersonation attack?

Egress | 29th Jul 2021

Phishing is quickly becoming an undetectable threat for businesses relying on traditional anti-phishing technology. Impersonation attacks are a prime example of a modern phishing scam: they’re targeted, sophisticated and rely on social engineering rather than malicious attachments or links. 

How do impersonation attacks work?

An impersonation attack happens when cybercriminals pose as a trusted contact to manipulate employees into transferring money or sharing sensitive information. Impersonation scams where someone is tricked into making a financial transfer, or leaking sensitive data, are known as business email compromise. 

The scam begins with the cybercriminal searching through social media profiles to collect information on their target. LinkedIn is particularly useful in this sense, as attackers can easily identify new joiners and chains of command. New employees are usually less familiar with normal company processes and they may be eager to please, making them the perfect targets for impersonation attacks. 

Next, the attackers choose who to impersonate:

  • An influential person within the organization: Attackers often impersonate a CEO or senior executive to convince lower-level employees to follow their instructions without hesitation.
  • A well-known brand: Cybercriminals took advantage of the pandemic to impersonate popular brands like Zoom and Microsoft in 2020. 
  • A third-party vendor: Attackers sometimes pretend to be suppliers to trick employees into paying fraudulent “overdue” invoices.

Impersonation tactics

Cybercriminals will use email spoofing or account takeover to trick their targets into believing their scam:

Email spoofing

Email spoofing is an easy impersonation tactic for fraudsters. They simply create a fake email address that looks very similar to the one they’re impersonating. For example, they might change a single character in the URL and alter the display name to make it appear legitimate.

Account takeover

Account takeover is more difficult to spot. Attackers use spear phishing to get their hands on login credentials and hack into the CEO’s account, for example. They then use the legitimate account to masquerade as the CEO and gain access to sensitive information by emailing employees.  

How to detect impersonation attacks

Unlike old-fashioned phishing attacks, impersonation attacks can be tricky to spot — especially if you have no knowledge of this kind of scam. However, there are certain things you can watch out for to stay one step ahead of cybercriminals.

Unfamiliar email address

The display name and the email address are two different things. A cybercriminal can easily change the display name to a co-worker’s name. However, it’s much harder for them to change the actual email address they used. 

For example, If the real address is “tony@123business.com”, criminals could change this slightly to “tonyy@123business.com” to trick you. To reveal the actual address URL, hover over the display name or if you’re using mobile, press and hold the display name. 

But remember this is only effective against email spoofing attempts. Account takeover is not as easy to spot, so make sure to keep your eyes peeled for other tell-tale signs too. 

Attempts to bypass standard procedure

Most organizations have standard procedures in place when dealing with personal data and wire transfers. If you receive an email from a colleague that doesn’t align with company practices, proceed cautiously — especially if they claim you need to follow their instructions due to an emergency.

Unusual content

Fraudsters have come a long way from traditional phishing emails riddled with spelling errors. But consider how they write, not just what they’re writing. 

As many phishing scams originate from outside the US, in non-English speaking countries, you may notice unusual grammatical choices. You may also find that the tone of voice isn’t quite right. If you’ve exchanged emails with the “sender” previously, you’ll know what’s too familiar or too formal in relation to their tone of voice. Trust your instinct, and don’t respond if you have any doubts over the legitimacy of an email.

Urgent language

Cybercriminals use urgency and veiled threats to coax recipients into making snap decisions. A sender will use phrases like “ASAP,” “urgent,” and “confidential” to prevent you from discussing the issue with peers and encourage you to act on the spot. 

Veiled threats are also common in these kinds of attacks. For example, in the following email:

“Dear Mr. Smith,

Our latest invoice for $459.78 has not been paid. If this is not settled within 24 hours, we will have no option but to cancel our future shipments to your organization. Our bank details are: XXXX XXXX XXXX
Thank you in advance,

Mr. King”

The supplier uses both urgent language and a veiled threat to convince recipients to follow their instructions immediately. Be wary of these tactics when going through your inbox.

How to prevent impersonation attacks

Secure your email

Anti-phishing technology is the most effective way to prevent impersonation attacks. Although traditional spam filters may not be enough to detect a sophisticated attack, there are tools out there that can, like Egress Defend. 

Egress Defend uses machine learning to analyze the content and context of an email. The cutting-edge software alerts recipients to context-driven impersonation attacks in real-time. Impersonation attacks are only successful when humans take the bait. Egress Defend prevents this from happening by taking human error out of the equation.

Educate your team

Sharing advice and instructing your team to be vigilant can also help your business to stay protected. 

Criminals often try to impersonate members of the c-suite and other executives within a company, as new recruits and lower-level employees are more likely to listen to these senior figures. Inform c-suite members of the risk of impersonation and provide helpful tips on how they can use social media sensibly to prevent impersonation attempts.

Ensure all new employees are given training so that they understand how to detect an impersonation attack and what they should do if their accounts are compromised.

Verify the information

If you’re still not sure whether or not an email is a scam, don’t assume. Seek verification. For example, if you receive an email from a supplier about a late payment that needs to be settled, it can be tempting to fulfill the request — especially if there’s a veiled threat in the message. But making bold assumptions about the credibility of a request can lead to dire business consequences.

Take a step back from the situation and call the sender to verify if the information is correct and if the email is legitimate.

Learn more about phishing threats

With modern tactics to bypass traditional controls, cyberattacks are becoming harder and harder to detect. 

Explore our phishing hub for advice on how you can keep you and your organization protected against these cyberattacks.