An impersonation attack is a type of targeted phishing attack in which a malicious actor pretends to be another person or entity in order to steal sensitive data from unsuspecting employees using social engineering tactics. Hackers attempt to trick the victim into transferring money, giving up sensitive information, or handing over business login credentials, which are then used to launch further cyberattacks and gain unauthorized access to systems and networks.
An example of a successful impersonation attack is when criminals use a fake email (through spoofing or hacking) of a high-level executive or important business entity. This is called a business email compromise (BEC), in which the threat actor tricks the target into making a financial transfer or giving up important information.
Depending on the usage of the email address and the rank of the executive, 1 out of every 3,226 emails (roughly once a month) received by a high-ranking employee is actually an impersonation attempt.
This article will outline the different types of impersonation attacks, how to detect them, and how to recognize them to avoid putting your organization at risk.
Most Common Types of Impersonation Attacks
Cybercriminals might try to impersonate someone in different ways using phishing tactics, so it's important that all employees and staff are taught about the most common types of impersonation attacks and the tactics that are used.
1. Email Impersonation Attacks
One of the most common methods of an impersonation attack is when a hacker pretends to be a coworker, manager, or high-level executive using a fake or stolen email account. In contrast to mass email phishing attacks that end up in the spam folder, impersonation attacks (or spear phishing attacks) are highly sophisticated and targeted attacks.
Email impersonation attacks often contain malicious links or images that take the user to a compromised or malicious website hosting malware. Other attacks rely purely on social engineering to trick the employee into revealing important data or transferring funds directly to the attacker.
Types of Email Impersonation Attacks
Email-based phishing attacks can be distinguished by how they're executed:
- Business email compromise (BEC) — An attack that impersonates a business email account
- CEO fraud — A type of impersonation attack in which the attacker impersonates a high-ranking executive of a company and targets one of that company's own employees
- Whaling — A type of attack that targets high-value individuals
Attackers sometimes use information gained from open-source intelligence (OSINT), carefully crafting the email content around that information to make the communication look legitimate. Ultimately, email impersonation can be carried out by anyone who controls a domain that closely resembles that of a legitimate company or organization.
How to Recognize Email Impersonation:
- Unusual requests for sensitive or classified information
- Urgent problems that require your immediate attention
- Fraudulent or misspelled email addresses
2. Cousin Domain
A cousin domain impersonation attack is one in which an attacker creates a false company website or email address that is nearly identical to the official organization's, but registered under a different top-level domain.
Usually, legitimate websites use a top-level domain such as .org, .net, or .com; a cousin domain attack registers the same name under a different top-level domain and sends mail from it. The attackers can go as far as completely copying the design of the legitimate website.
How to Recognize Cousin Domain Impersonation:
- If anything in the email seems suspicious or asks for personal information, ask a manager to verify the sender immediately. In most cases, there may be documented email history with the correct email domain that will expose the false one.
3. Forged Header/Envelope Impersonation
Also called email spoofing, forged envelopes and headers are emails whose header fields or sender addresses are faked so that they appear to be legitimate. The actual sender is typically a scammer whose real address is hidden behind a false header or envelope carrying a recognized name or title, which can let the message slip past spam filters.
Forged headers can trick people into believing that a legitimate source sent a message if they only read the displayed name and not the email address. In this attack, the sender fields of the email header or envelope are modified, for example the "From:" or "Return-Path:" fields, making it appear that a legitimate business or a friend is sending the email.
How to Recognize Forged Header/Envelope Impersonation:
- Always check the email address to see if it matches the correct email domain of the sender's organization exactly. If there are any variations, it is most likely a fake email using a falsified header that the attacker assumes the recipient will recognize. This will typically be the name or title of a friend or coworker, a high-level manager, or a business account.
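The cousin-domain and forged-header checks described in the two sections above can be partly automated on the receiving side. The following Python script is an added example, not code from the original article: it parses constructed sample messages, flags a Return-Path or Reply-To whose domain does not match the From domain, and flags any sender domain that sits within two edits of a trusted domain without being one. The trusted-domain list and the three sample messages are assumptions made up for the demonstration.

```python
import email
from email.utils import parseaddr

# Domains this (constructed) organization and its partners legitimately send from.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Constructed sample messages; none of these are real mail.
LEGIT = """Return-Path: <jane.smith@example.com>
From: "Jane Smith" <jane.smith@example.com>
To: finance@example.com
Subject: Q3 budget

See attached.
"""

# Forged header: display name and From look right, but the envelope sender
# and Reply-To point elsewhere, so replies would go to the attacker.
SPOOFED_HEADER = """Return-Path: <bounce@mail-relay.invalid>
From: "Jane Smith (CEO)" <jane.smith@example.com>
Reply-To: jane.smith@example-corp.co
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Cousin domain: "examp1e.com" (digit one) in place of "example.com".
COUSIN_DOMAIN = """Return-Path: <accounts@examp1e.com>
From: Accounts Payable <accounts@examp1e.com>
To: finance@example.com
Subject: Updated banking details

Our bank details have changed.
"""


def domain_of(header_value):
    """Return the lowercased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (cousin) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message):
    """Return a list of findings: header inconsistencies and lookalike domains."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg["From"])

    # 1. Forged-header check: Return-Path and Reply-To should share the From domain.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain '{domain}' differs from From domain '{from_domain}'")

    # 2. Cousin-domain check: an untrusted sender domain within two edits of a
    #    trusted one is almost certainly a lookalike.
    seen = {from_domain, domain_of(msg["Reply-To"]), domain_of(msg["Return-Path"])} - {""}
    for domain in sorted(seen - TRUSTED_DOMAINS):
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 2:
                findings.append(f"'{domain}' is a lookalike of trusted domain '{trusted}'")
    return findings


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED_HEADER), ("cousin", COUSIN_DOMAIN)):
        print(name, analyze(raw) or ["no findings"])
```

The edit-distance threshold of two is a starting point; in production a list of the organization's own brands and partners, plus homoglyph normalization (for example treating the digit 1 and the letter l as equivalent), catches more variants without many false positives.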
4. Account Takeover (ATO)
Account takeover (ATO), also known as a compromised email account attack, is an attack in which cybercriminals log into an account with stolen credentials such as usernames and passwords, which are often obtained through data breaches, data leaks, or brute-force attacks and then bought on the dark web.
If an account doesn't have multi-factor authentication, the hacker can successfully log into the email account and even use it for other account takeovers and identity theft. Many people also use the same password for multiple sites, making it easier for cybercriminals to access multiple sites and accounts from that user.
Using a compromised or stolen account, attackers can send phishing emails to the other contacts in the victim's address book, making the messages nearly impossible for recipients to recognize as fraudulent.
How to Recognize Account Takeover Impersonation:
- The easiest way to detect ATO impersonation is by recognizing unusual requests, suspiciously urgent demands, or offers of free gifts or services. Typically, these indicators are out of character for the sender and should be verified directly with a separate communication such as internal messaging, calling, or texting.
5. Man-in-the-Middle (MITM) Attack
A man-in-the-middle attack is an impersonation attack where a cybercriminal intercepts communications between people, applications, and services. MITM attacks intercept messages between two parties via HTTPS connections, SSL/TLS connections, or unsafe Wi-Fi network connections and relay a forged message attempting to steal important data.
A cyber attacker who successfully executes a MITM impersonation attack can eavesdrop on, modify, or block communications and steal sensitive information and login credentials. MITM attacks are also typically hard to detect, as there are no misspellings in the header or email address to give them away.
To avoid being exploited by a MITM attack, users should:
- Avoid using unprotected, public Wi-Fi networks (such as those in hotels, airplanes, and coffee shops)
- Avoid using unsecured, non-HTTPS websites (browsers usually flag these with a warning in the address bar)
- Log out of a chat app after a public session
How to Recognize MITM Impersonation:
- Again, any unusual requests should be immediately flagged and sent to the network administrator for investigation. Unless a request can be verified directly in person, no actions should be taken until there is a final confirmation using a separate form of communication.
- IT security teams should employ active traffic and network monitoring to quickly detect unauthorized access from a MITM attack.
6. Smishing and Vishing
Phishing attacks that are carried out via SMS text messages are also known as "smishing" (SMS phishing). Smishing texts usually include malicious links that lead to viruses, spyware, or adware that can infect a target's cell phone. The attacker might also pretend to be a personal or professional contact to mislead the victim into believing the text is legitimate.
Vishing, also known as voice phishing, is used by attackers claiming to be from important parties, such as government agencies or other businesses. The attacker may personally make the phone call or use an automated system to conduct the fake calls. The best course of action is to ignore unknown numbers or refuse to agree to any requests over the phone.
These types of impersonation are tough to stop because they exploit flaws in how caller ID and phone number verification work.
How to Detect, Prevent, and Stay Protected Against Impersonation Attacks
Organizations, individuals, and businesses can stay protected from impersonation attacks and phishing scams through early detection and cybersecurity education. Although AI software can recognize and filter out impersonation attempts, it's important to maintain cyber education and training for best results and prevention practices.
Security Awareness Training
Organizations and companies should conduct regular training and education programs for employees about all cyber threats, including impersonation attacks. Security awareness training should also cover best security practices, such as creating strong passwords, recognizing scam attempts, and browsing the internet safely.
Using Custom Email Domains
Businesses should consider creating custom email domains with their business name instead of using common email service providers like Gmail or Yahoo. This allows organizations to manage the accounts and data directly, offering more oversight and control over email data while also managing user permissions. Custom domains also typically have more business-oriented security measures than consumer email providers.
Implementing Email Security Solutions and Software
Email security tools like anti-malware and anti-spam software can help businesses protect employees from fraudulent emails and block users from opening potentially dangerous emails, links, and attachments. Businesses should also publish the standard email authentication records for their domains:
- DKIM (DomainKeys Identified Mail)
- SPF (Sender Policy Framework)
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
These protocols let receiving mail servers identify and block messages sent from spoofed sender email addresses.
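Publishing the records is only half the job; the settings inside them decide whether spoofed mail is actually rejected. As an added example that is not from the article, here is a Python checker that reads SPF and DMARC TXT records as strings and reports settings that leave a domain open to spoofing, with a weak record set shown beside a hardened one. The record values, the domain and the reporting address are constructed for illustration; in practice the strings would be fetched from DNS.

```python
import re

# Constructed example DNS TXT records for a hypothetical domain: weak beside hardened.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailhost.example ?all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}

# The 'all' mechanism with its optional qualifier: +all, -all, ~all, ?all.
ALL_MECHANISM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def check_spf(record):
    """Return a list of weaknesses found in an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    qualifier = None
    for term in terms[1:]:
        m = ALL_MECHANISM.match(term)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
    issues = []
    if qualifier is None:
        issues.append("no 'all' mechanism: senders not listed get a neutral result")
    elif qualifier == "+":
        issues.append("'+all' authorizes every host on the internet to send as this domain")
    elif qualifier == "?":
        issues.append("'?all' gives unlisted senders a neutral result, so spoofed mail is not failed")
    elif qualifier == "~":
        issues.append("'~all' only soft-fails unlisted senders; enforce with a DMARC policy")
    return issues


def check_dmarc(record):
    """Return a list of weaknesses found in a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: failures are only reported; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    # Subdomain policy inherits p= when sp= is absent.
    if tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so abuse goes unnoticed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return issues


def audit(records):
    """Audit a {'spf': ..., 'dmarc': ...} record set and return issues per record."""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit(records))
```

A common rollout path is to start at p=none with rua= reporting to learn which legitimate senders fail alignment, then move to p=quarantine and finally p=reject; this checker is meant to confirm that the final state was actually reached rather than left at the monitoring stage.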
AI-Driven and Automated Software
Many organizations use automated software and proactive threat intelligence to scan emails and detect potential impersonation attacks before they reach the user's inbox. The software usually does this by cross-referencing the email's content against known phishing templates and indicators.
Reporting Impersonation Attacks
All employees should immediately report impersonation attacks to an IT department if they feel they or their colleagues have been a target of attacks. All organizations should have basic security protocols regarding reporting processes and immediate action steps to identify and eliminate impersonation attack risks quickly.
Organizations and users can also report large-scale impersonation attacks to cybercrime organizations like the Anti-Phishing Working Group, the Federal Trade Commission, or CISA (the Cybersecurity and Infrastructure Security Agency).
Implementing Dual-Control Transactions
Dual-control transaction systems work against fraudulent transactions by dividing the outgoing payment process into two parts: the initiator and the validator.
The initiator is responsible for requesting the payment via wire transfer or ACH while the approver or validator verifies and approves the payment process. The approver may also independently verify the authenticity of the invoice.
This dual system is more secure than granting one employee complete control of the payment process, ensuring that the entire transaction is validated and confirmed through due process.
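The dual-control rule can be enforced in code rather than left to policy alone. The Python class below is an added illustration, not a system described in the article: it models initiator and approver as separate roles, refuses self-approval, requires the approver to record an out-of-band invoice check before approving, and refuses to release a payment that has not been approved. User names, amounts and payees are constructed.

```python
from dataclasses import dataclass
from typing import Optional


class DualControlError(Exception):
    """Raised when a payment step would violate separation of duties."""


@dataclass
class PaymentRequest:
    request_id: int
    payee: str
    amount: float
    initiator: str
    approver: Optional[str] = None
    executed: bool = False


class PaymentWorkflow:
    """Two-person payment release: one user initiates, a different authorized user approves."""

    def __init__(self, approvers):
        self.approvers = set(approvers)   # users allowed to act as validator
        self.requests = {}

    def initiate(self, initiator, payee, amount):
        """Initiator records the payment; nothing is sent at this point."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        req = PaymentRequest(len(self.requests) + 1, payee, amount, initiator)
        self.requests[req.request_id] = req
        return req.request_id

    def approve(self, request_id, approver, invoice_verified_out_of_band):
        """Validator approves; must be a different, authorized person who checked the invoice."""
        req = self.requests[request_id]
        if approver not in self.approvers:
            raise DualControlError(f"{approver} is not an authorized approver")
        if approver == req.initiator:
            raise DualControlError("initiator may not approve their own request")
        if not invoice_verified_out_of_band:
            raise DualControlError("approver must confirm the invoice through a separate channel")
        if req.approver is not None:
            raise DualControlError("request already approved")
        req.approver = approver

    def execute(self, request_id):
        """Release the payment; only possible once a distinct approver has signed off."""
        req = self.requests[request_id]
        if req.approver is None:
            raise DualControlError("payment has not been approved")
        if req.executed:
            raise DualControlError("payment already executed")
        req.executed = True   # a real system would submit the wire or ACH here
        return req


if __name__ == "__main__":
    wf = PaymentWorkflow(approvers=["bob", "carol"])
    rid = wf.initiate("alice", "Vendor X", 12500.0)
    try:
        wf.execute(rid)
    except DualControlError as exc:
        print("blocked:", exc)
    wf.approve(rid, "bob", invoice_verified_out_of_band=True)
    print("released:", wf.execute(rid))
```

The out-of-band flag is deliberately a separate argument rather than a default, so the approver has to assert that the callback or in-person check actually happened; an audit log of who initiated, who approved, and when would normally be written at each step.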
Taking Down False Domains and Infrastructure
One of the hardest steps against impersonation attacks is actively locating, reporting, and taking down fraudulent email domains from which the attacks are originating.
However, this process can be time-consuming and challenging because it requires businesses or individuals to report fraudulent websites, emails, or social media accounts to the service providers that host the domain or the impersonated account.