An impersonation attack is an attempt to gain unauthorized access to information systems by masquerading as authorized users.
According to Security Magazine, there’s been a staggering 131% increase in Whaling and Executive Impersonations between Q1 2020 and Q1 2021, with 55% of cybersecurity pros saying that an executive at their company has been spoofed. These attacks cost enterprises $1.8 billion in losses last year alone.
The problem is so pervasive that 1 out of every 3,226 emails received (once every 24 days) by an executive is an impersonation attempt.
In this article, we lay out everything you need to know about an impersonation attack, their types, how to detect them, and how to defend your organization against them.
What is an Impersonation Attack?
An Impersonation Attack is a form of Social Engineering where an attacker pretends to be someone else or impersonates a legitimate user (or group of users), to gain access to information they are not authorized to have.
In this type of attack, the attacker will often use social engineering techniques to gain information about the system and/or target, like posing as a member of the IT department and asking for login credentials.
Impersonation attacks can be in person, over the phone, or online. And can be catastrophic if not detected.
How is an Impersonation Attack carried out?
Impersonation is when a malicious actor pretends to be a legitimate user or service to gain access to protected information. Impersonation attacks are easy to carry out and can be very damaging, depending on the type of data the attacker is trying to obtain.
All an attacker needs to do is gather enough information about a legitimate user or service to trick others into thinking that they are who they say they are. The attacker will then try to get their target (or targets) to reveal sensitive information that would otherwise be protected by security measures.
In many cases, attackers will use email or other forms of communication to attempt impersonation attacks. They will send emails pretending to be someone else (known as spoofing), which can include phishing emails containing links that download malware onto the system of an unsuspecting user.
Another method used by attackers is known as whaling; this involves stealing the identity of a manager or owner and sending out emails directing employees to transfer funds or provide other sensitive information. Because the email appears to have originated from someone in an authoritative position, many employees would follow the instructions without question.
How are Impersonation Attacks planned?
In order to create a plan for an impersonation attack, hackers first need to gather information on their target. They will often use publicly available information, such as social media profiles and the publicly available information on the company’s website. The hackers can use this information to create a realistic persona and begin to interact with employees of the target company.
The hacker will contact the employees using methods that are in line with what is expected of this persona. The hacker may email, text message, or call employees using a fake business email address or phone number that matches the company’s actual email or phone number to the highest possible extent — the difference is there, but it’s almost invisible to the naked eye.
This gives the employee a sense that they are interacting with a known person in their organization.
|Here’s an example of email impersonation: |
As you can see above, the differences between the two emails are subtle and easy to miss, especially if you’re getting hundreds of emails per day.
Once the hacker has gained the trust of the employee, they will send them an email that appears to be from an authentic company source. These emails often contain links to websites that ask for personal information or require action from the employee (e.g., download files). These websites and files are infected with malware that allows hackers to access data, steal personal information, or introduce other cyberattacks on the company’s network.
Forged sender addresses like these get rejected through a strict DMARC policy, which you can leverage for your emails to stay protected against impersonation attacks.
Some Common Impersonation Attack Tactics
There are several ways attackers might try to impersonate you or someone you know. Here are some common tactics:
1. Free Email Account Attack
The attacker uses a free email service to send messages from an email address similar to the one used by the target. This tactic can be used to convince people to visit a malicious website or download malware or provide information such as passwords or credit card numbers.
2. Cousin Domain Attack
In the Cousin Domain Attack, the attacker creates a website that looks nearly identical to your bank’s website—but ends with .com instead of .org or .net, for example. They then send emails from this fake site: when people click on links in those emails they will be taken to the fake site instead of their real bank’s site.
3. Forged Envelope Sender Attack
The attacker will create an email with a sender address that appears to come from a known company, such as “[email protected]” Because this address looks legitimate, it bypasses most mail servers’ filters. The attacker then targets victims with their message, luring them into clicking on links or opening attachments that allow malware to infect their computers.
4. Forged Header Sender Attack
A header sender attack is a type of email spoofing that can be used to trick people into believing a message was sent by someone other than its true source. In this type of attack, the “sender” field in an email header is modified to include an address other than the actual one that sent the message. This can be done by changing either the “From:” or “Return-Path:” fields, or both. The goal of these attacks is to make it appear as if an email has been sent by someone else—such as a business associate or friend—to trick recipients into opening messages from someone they know.
5. Compromised Email Account Attack
In this attack, an attacker gains access to a legitimate email account and then uses that account to send emails and messages to other people in the organization. The attacker may claim to be an employee with special knowledge or authority, or he may impersonate another person who does have special knowledge or authority.
6. CEO Fraud Attack
In this attack, attackers impersonate the CEO of a company and try to convince employees or customers that they need access to sensitive information. The attacker will often use social engineering techniques like phishing emails or phone calls that make it appear as if they are calling from inside your company’s IT department. They will often use language specific to your industry or business to sound more legitimate and trustworthy while asking for sensitive information like passwords or credit card numbers.
7. Man-in-the-Middle (MITM) Attack
This type of attack involves the attacker intercepting your communications with a legitimate service and then relaying them to the legitimate service as if they were from you. In this way, the attacker can eavesdrop on your communication, modify it, or prevent it from happening altogether.
How To Recognize an Impersonation Attack?
A sense of urgency:The attacker may urge the receiver to act immediately (such as initiating an immediate wire tranfer, else their account will be permanently blocked) by using an urgent tone in their emails. This pressurizes victims into taking action without thinking.
Confidentiality: The attacker may indicate that the information they’re asking for should be kept private, implying that its disclosure could lead to serious consequences.
Request to share sensitive information: The attacker may ask you for information that only your bank would know, such as your account number or password. They may also ask you to share your corporate credentials that is private information only you have access to. This would in turn allow them to access your company’s databases and leak sensitive information.
Modified email addresses: For example, if you receive an email from someone pretending to be from “Amazon” asking you to log in and update your account information, but the email address is actually “[email protected],” then this could be an impersonation attack.
Poorly written emails: Phishing emails are written poorly, often with spelling and grammar mistakes, as they are typically mass-generated.
Presence of malicious links or attachments: Malicious links and attachments are a common way to conduct an impersonation attack. These kinds of attacks can be identified by the presence of:
- Links that open in a new tab instead of in the current tab.
- Attachments with strange titles or file extensions (like “attachment” or “.zip”).
- Attachments that contain an executable file (like .exe).
Staying Protected from Impersonation
1. Companies need to be aware that cybersecurity training is essential to protect themselves from this type of attack. The training should include:
- How attackers can impersonate users and gain access to systems
- How to recognize signs that someone is trying to impersonate you so you can take action before any damage is done
- How preventative controls like two-factor authentication can help prevent unauthorized access attempts by someone trying to impersonate you
2. The company’s email domain should also be protected against impersonation attacks. This means having strict policies in place for registering new domains and accounts within your organization, as well as keeping track of who has access to each one so they can be removed if necessary.
3. When you create an email account for your business, make sure that it uses a domain that’s specific to your business. Don’t use “@gmail” or “@yahoo” because those domains are too generic and could be used by anyone who wants to impersonate you. Instead, use something like “@yourbusinessnamehere.com” where your company name is in place of “yourbusinessnamehere.” That way, if someone tries to impersonate you by sending an email from another email address, no one will believe them because they know what domain name goes with your business.
4. Companies must consider implementing email security solutions such as a DMARC analyzer that block impersonated domains from delivering emails with suspicious attachments or links (like phishing emails) through authentication.
Do you want 24/7 protection against impersonation? PowerDMARC is an email authentication solution provider – providing services aimed at enabling enterprises to secure their email communications. We help you manage your domain’s reputation by ensuring that only emails from authorized senders will be delivered through secured gateways, while also protecting it from being spoofed by cybercriminals and phishers.