An impersonation attack is an attempt to gain unauthorized access to information systems by masquerading as authorized users. These identity-based attacks specifically target and compromise the digital identities of individuals or organizations, exploiting vulnerabilities related to identity and access management to steal information like usernames, passwords, or personal data, commit fraud, or conduct other malicious activities.
According to Security Magazine, there’s been a staggering 131% increase in Whaling and Executive Impersonations between Q1 2020 and Q1 2021, with 55% of cybersecurity pros saying that an executive at their company has been spoofed. Furthermore, the 2023 “Trends in Securing Digital Identities” report by the Identity Defined Security Alliance (IDSA) revealed that a staggering 90% of organizations encountered at least one breach linked to digital identities within the past year. These attacks cost enterprises $1.8 billion in losses last year alone, and failure to protect customer data can lead to severe regulatory fines and costly litigation, as seen in cases like Equifax’s $575 million settlement following a breach.
The problem is so pervasive that 1 out of every 3,226 emails received (once every 24 days) by an executive is an impersonation attempt.
In this article, we lay out everything you need to know about an impersonation attack, their types, how to detect them, and how to defend your organization against them.
Key Takeaways
- Impersonation attacks, a key form of identity-based cyber threats, use social engineering to mimic trusted entities for unauthorized access or fraud.
- Affecting 90% of organizations recently, these attacks pose significant financial, reputational, and legal risks, demanding urgent attention.
- Tactics range from email spoofing and fake domains (phishing) to exploiting reused passwords (credential stuffing) and intercepting communications (MitM).
- Vigilance against suspicious signs (urgency, odd requests, flawed emails) and robust user training are vital first lines of defense.
- A multi-layered technical defense, including strong authentication (MFA), email verification (DMARC), regular patching, and potentially a Zero Trust model, is essential for protection.
What is an Impersonation Attack?
An Impersonation Attack is a form of Social Engineering where an attacker pretends to be someone else or impersonates a legitimate user (or group of users), to gain access to information they are not authorized to have, steal identity-related data, commit fraud, or conduct other malicious activities.
In this type of attack, the attacker will often use social engineering techniques, manipulating human psychology and trust, to gain information about the system and/or target, like posing as a member of the IT department and asking for login credentials. These attacks are continually evolving in sophistication, employing advanced techniques and targeted intelligence gathering.
Impersonation attacks can be carried out in person, over the phone, or online, and can be catastrophic if not detected.
How is an Impersonation Attack carried out?
Impersonation is when a malicious actor pretends to be a legitimate user or service to gain access to protected information. Impersonation attacks are easy to carry out and can be very damaging, depending on the type of data the attacker is trying to obtain, potentially leading to significant financial loss or reputational damage.
All an attacker needs to do is gather enough information about a legitimate user or service to trick others into thinking that they are who they say they are. The attacker will then try to get their target (or targets) to reveal sensitive information that would otherwise be protected by security measures.
In many cases, attackers will use email or other forms of communication to attempt impersonation attacks. They will send emails pretending to be someone else (known as spoofing), which can include phishing emails containing links that download malware onto the system of an unsuspecting user.
Another method used by attackers is known as whaling; this involves stealing the identity of a manager or owner and sending out emails directing employees to transfer funds or provide other sensitive information. Because the email appears to have originated from someone in an authoritative position, many employees would follow the instructions without question.
How are Impersonation Attacks planned?
In order to create a plan for an impersonation attack, hackers first need to gather information on their target. They will often use publicly available information, such as social media profiles and the publicly available information on the company’s website. The hackers can use this information to create a realistic persona and begin to interact with employees of the target company.
The hacker will contact the employees using methods that are in line with what is expected of this persona. The hacker may email, text message, or call employees using a fake business email address or phone number that matches the company’s actual email or phone number to the highest possible extent — the difference is there, but it’s almost invisible to the naked eye.
This gives the employee a sense that they are interacting with a known person in their organization.
[Image: example of email impersonation] The differences between the two emails are subtle and easy to miss, especially if you’re getting hundreds of emails per day.
Once the hacker has gained the trust of the employee, they will send them an email that appears to be from an authentic company source. These emails often contain links to websites that ask for personal information or require action from the employee (e.g., download files). These websites and files are infected with malware that allows hackers to access data, steal personal information, or introduce other cyberattacks on the company’s network.
Forged sender addresses like these get rejected through a strict DMARC policy, which you can leverage for your emails to stay protected against impersonation attacks.
Some Common Impersonation Attack Tactics
There are several ways attackers might try to impersonate you or someone you know. Here are some common tactics:
1. Free Email Account Attack
The attacker uses a free email service to send messages from an email address similar to the one used by the target. This tactic can be used to convince people to visit a malicious website or download malware or provide information such as passwords or credit card numbers.
2. Cousin Domain Attack
In the Cousin Domain Attack, the attacker creates a website that looks nearly identical to your bank’s website—but ends with .com instead of .org or .net, for example. They then send emails from this fake site: when people click on links in those emails they will be taken to the fake site instead of their real bank’s site.
3. Forged Envelope Sender Attack
The attacker will create an email with a sender address that appears to come from a known company, such as “[email protected].” Because this address looks legitimate, it bypasses most mail servers’ filters. The attacker then targets victims with their message, luring them into clicking on links or opening attachments that allow malware to infect their computers.
4. Forged Header Sender Attack
A header sender attack is a type of email spoofing that can be used to trick people into believing a message was sent by someone other than its true source. In this type of attack, the “sender” field in an email header is modified to include an address other than the actual one that sent the message. This can be done by changing either the “From:” or “Return-Path:” fields, or both. The goal of these attacks is to make it appear as if an email has been sent by someone else—such as a business associate or friend—to trick recipients into opening messages from someone they know.
5. Compromised Email Account Attack
In this attack, an attacker gains access to a legitimate email account and then uses that account to send emails and messages to other people in the organization. The attacker may claim to be an employee with special knowledge or authority, or he may impersonate another person who does have special knowledge or authority.
6. CEO Fraud Attack
In this attack, attackers impersonate the CEO of a company and try to convince employees or customers that they need access to sensitive information. The attacker will often use social engineering techniques like phishing emails or phone calls that make it appear as if they are calling from inside your company’s IT department. They will often use language specific to your industry or business to sound more legitimate and trustworthy while asking for sensitive information like passwords or credit card numbers.
7. Man-in-the-Middle (MITM) Attack
This type of attack involves the attacker intercepting your communications with a legitimate service and then relaying them to the legitimate service as if they were from you. In this way, the attacker can eavesdrop on your communication, modify it, or prevent it from happening altogether.
8. Credential Stuffing
This attack exploits the common practice of reusing passwords across multiple online services. Attackers obtain lists of stolen usernames and passwords from previous data breaches (often available on the dark web) and systematically try these credentials on other websites or systems. If a user has reused their password, the attacker gains unauthorized access. The 2013 Target data breach, which compromised data for over 41 million consumers and resulted in an $18.5M settlement, was facilitated by attackers using stolen credentials to access a connected vendor system.
How To Recognize an Impersonation Attack?
A sense of urgency: The attacker may urge the receiver to act immediately (such as initiating an immediate wire transfer, else their account will be permanently blocked) by using an urgent tone in their emails. This pressures victims into taking action without thinking.
Confidentiality: The attacker may indicate that the information they’re asking for should be kept private, implying that its disclosure could lead to serious consequences.
Request to share sensitive information: The attacker may ask you for information that only your bank would know, such as your account number or password. They may also ask you to share your corporate credentials, which are private information only you have access to. This would in turn allow them to access your company’s databases and leak sensitive information.
Modified email addresses: For example, if you receive an email from someone pretending to be from “Amazon” asking you to log in and update your account information, but the email address is actually “[email protected],” then this could be an impersonation attack.
Poorly written emails: Phishing emails are written poorly, often with spelling and grammar mistakes, as they are typically mass-generated.
Presence of malicious links or attachments: Malicious links and attachments are a common way to conduct an impersonation attack. These kinds of attacks can be identified by the presence of:
- Links that open in a new tab instead of in the current tab.
- Attachments with strange titles or file extensions (like “attachment” or “.zip”).
- Attachments that contain an executable file (like .exe).
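The cousin-domain and modified-address signs described above can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the page or from PowerDMARC: it classifies the domain of a From: address against a constructed list of protected brands, and its registrable-domain logic is simplified to the last two labels.

```python
# Constructed list of domains this organization wants to protect (example data).
PROTECTED = ["bank.com", "amazon.com"]

# Character sequences that look alike in common fonts, mapped to what they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalize(label):
    """Fold look-alike sequences so 'arnazon' compares equal to 'amazon'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Registrable domain, simplified to the last two labels; a real check
    would use the Public Suffix List so that bank.co.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_sender(domain, protected=PROTECTED):
    """Return (verdict, protected_domain) for the domain of a From: address."""
    domain = domain.lower().rstrip(".")
    reg = registrable(domain)
    if reg in protected:
        return "legitimate", reg
    for brand in protected:
        name, tld = brand.rsplit(".", 1)
        reg_name, reg_tld = reg.rsplit(".", 1)
        if domain.startswith(brand + ".") or ("." + brand + ".") in domain:
            return "brand-as-subdomain", brand      # bank.com.login-verify.net
        if reg_name == name and reg_tld != tld:
            return "cousin-tld", brand              # bank.net instead of bank.com
        if normalize(reg_name) == name and reg_name != name:
            return "homoglyph", brand               # arnazon.com, amaz0n.com
        if levenshtein(reg_name, name) == 1:
            return "typosquat", brand               # bamk.com
        if name in reg_name:
            return "brand-in-name", brand           # amazon-support.com
    return "unrelated", ""
```

A mail gateway would run this on the From: header domain and route anything other than "legitimate" or "unrelated" to quarantine or a banner warning.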
Staying Protected from Impersonation
Preventing identity-based attacks like impersonation requires a multi-layered approach combining user awareness and technical controls.
1. Cybersecurity Training: Companies need to be aware that cybersecurity training is essential. The training should include:
- How attackers can impersonate users and gain access to systems
- How to recognize signs that someone is trying to impersonate you so you can take action before any damage is done
- Understanding the importance of preventative controls
2. Strong Authentication: Implement robust authentication methods.
- Multi-Factor Authentication (MFA): Enable MFA wherever possible. This requires users to provide two or more verification factors (e.g., password plus OTP, biometric, or security question answer), significantly hindering unauthorized access even if credentials are stolen.
- Strong Password Practices: Encourage users to create complex, unique passwords for different accounts. Promote the use of reputable password managers to generate and store strong passwords securely. Avoid easily guessable patterns.
3. Email Security: Protect your primary communication channel.
- Domain Protection: The company’s email domain should be protected against impersonation. Use a domain specific to your business (e.g., “@yourbusinessnamehere.com”) rather than generic providers like “@gmail.com”.
- DMARC Implementation: Implement email authentication protocols like DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC allows domain owners to specify how receiving mail servers should handle emails that fail SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) checks, helping to block spoofed emails. Enforcing a strict DMARC policy (p=reject or p=quarantine) prevents unauthorized use of your domain in phishing and impersonation attacks.
- Email Filtering: Utilize advanced email security solutions that can detect suspicious links, attachments, and sender anomalies.
4. System and Software Security: Maintain a secure IT environment.
- Regular Updates and Patch Management: Keep operating systems, applications, and security software up-to-date with the latest security patches to fix known vulnerabilities exploited by attackers.
- Security Solutions: Install and maintain reputable antivirus/anti-malware software and consider implementing Intrusion Detection Systems (IDS) to monitor for suspicious network activity.
- Phase Out Legacy Systems: Replace outdated systems that may have unpatched vulnerabilities or weak security controls, as these are often targeted by attackers.
5. Data Protection: Safeguard sensitive information.
- Data Encryption: Encrypt sensitive data both when it’s stored (at rest) and when it’s being transmitted (in transit) to protect it even if intercepted.
6. Adopt a Zero Trust Model: Implement a Zero Trust security approach, which assumes no user or device is inherently trustworthy. Access is granted based on continuous verification and the principle of least privilege, minimizing the potential impact of a compromised identity.
By implementing these preventive measures and fostering a cybersecurity-aware culture, organizations can significantly reduce their vulnerability to impersonation and other identity-based attacks. Staying vigilant, adapting to emerging threats, and continuously educating employees are crucial components of a robust defense strategy.
Do you want 24/7 protection against impersonation? PowerDMARC is an email authentication solution provider – providing services aimed at enabling enterprises to secure their email communications. We help you manage your domain’s reputation by ensuring that only emails from authorized senders will be delivered through secured gateways, while also protecting it from being spoofed by cybercriminals and phishers.