Impersonation Attack


Email Impersonation Attacks: A Growing Cyber Threat

Email impersonation is a cybersecurity attack where malicious actors pretend to be trusted individuals or organizations in email communications to deceive recipients. Unlike simple spam, impersonation attacks are highly targeted and sophisticated, designed to appear legitimate to trick recipients into taking actions that benefit the attacker—such as transferring funds, revealing sensitive information, or granting system access.

These attacks succeed by exploiting human trust rather than technical vulnerabilities, making them particularly dangerous in business environments where employees regularly handle sensitive information and financial transactions based on email instructions.


How Do Email Impersonation Attacks Work?

Cybercriminals make their emails appear legitimate by working through a series of steps:

  1. Research Phase: Attackers gather information about the target organization, including employee names, roles, relationships, communication styles, and upcoming events or projects. This intelligence comes from public sources like company websites, social media, news announcements, and sometimes through preliminary phishing attempts.
  2. Identity Selection: The attacker chooses which identity to impersonate—typically someone with authority who can make legitimate requests for information or money transfers, such as:
    • C-suite executives (CEO, CFO, CTO)
    • Department heads
    • External partners or vendors
    • IT support personnel
  3. Email Crafting: The attacker creates an email that mimics legitimate communication from the impersonated identity, paying attention to:
    • Similar or lookalike domain names
    • Proper formatting and signature blocks
    • Appropriate tone and writing style
    • Contextually relevant content that appears timely
  4. Creating Urgency: Most impersonation emails include elements of urgency or secrecy to prevent the recipient from verifying the request through normal channels:
    • "This needs to be completed today"
    • "Please keep this confidential"
    • "I'm in meetings all day, so I can't talk by phone"
  5. Payload Delivery: The attack culminates with a request designed to compromise security, such as:
    • Wire transfer requests
    • Requests for sensitive data or password resets
    • Links to malicious websites disguised as legitimate resources
    • Attachments containing malware

Email Impersonation vs. Email Spoofing

While people sometimes confuse email impersonation and email spoofing, they have key differences:

Email Spoofing is when attackers fake an email’s sender address to make it look like it’s from a trusted source. These emails can be deceptive but often lack proper authentication, making them easier to detect with security measures.

Email Impersonation goes beyond spoofing. Attackers may register lookalike domains, compromise legitimate accounts, or use social engineering tricks to convince recipients that the email is real, making the scam much harder to spot.


Types of Email Impersonation Attacks

  1. Executive Impersonation (CEO Fraud)

Cybercriminals pose as company executives, most commonly the CEO or CFO, to make urgent requests for wire transfers or gift card purchases.

Example: An employee in finance receives an email that appears to be from the CEO, requesting an urgent wire transfer to secure a confidential business deal.

  2. Vendor/Supplier Impersonation

Attackers impersonate trusted vendors or suppliers and request changes to payment information or send fraudulent invoices.

Example: The accounts payable department gets an email from a familiar supplier, stating their banking details have changed, requesting future payments to a new account.

  3. Attorney or Legal Representative Impersonation

Criminals pretend to be lawyers or legal representatives handling confidential or urgent legal matters.

Example: An email claims to be from the company’s legal firm, demanding immediate payment for a settlement or requiring sensitive company information for a legal filing.

  4. IT Support Impersonation

Attackers pose as internal IT staff or service providers, requesting login credentials or urging employees to install malware.

Example: An email pretending to be from the IT department asks employees to verify their credentials through a link due to a security upgrade.

  5. HR Impersonation

Cybercriminals pretend to be from human resources, asking employees for personal information or directing them to malicious websites disguised as HR portals.

Example: An email from “HR” tells employees to review updated benefits by clicking a link that leads to a fraudulent login page.


Emerging Threats

With technology advancing, cybercriminals are employing increasingly sophisticated tactics. Here are some emerging threats that individuals and businesses need to be aware of:

  • Deepfake Attacks: Cybercriminals use AI-generated deepfake audio or video to impersonate executives and convince employees to transfer funds or share confidential data.
  • Fake Social Media Profiles: Attackers create fraudulent social media accounts impersonating company executives, tricking employees or customers into sharing sensitive information.
  • Ad Fraud: Fraudsters manipulate online ads to redirect users to malicious sites or generate fake ad clicks, draining marketing budgets.
  • AI-Powered Phishing Scams: AI-generated phishing emails mimic writing styles, making impersonation attacks more convincing.
  • QR Code Scams: Attackers use malicious QR codes in emails or posters to trick users into visiting phishing sites.

Real-World Examples of Email Impersonation Attacks

  • The FACC Case: In 2016, Austrian aerospace parts manufacturer FACC lost approximately €50 million ($54 million) when accounting employees were tricked by attackers impersonating the CEO. The attackers requested a large transfer for a supposed acquisition project, resulting in one of the largest publicly disclosed losses from an impersonation attack.
  • Google & Facebook Scam (2013-2015): A cybercriminal impersonated a vendor and tricked both companies into transferring $100 million through fraudulent invoices.
  • Ubiquiti Networks (2015): Employees were tricked into transferring $46 million to attackers posing as senior executives.

How to Recognize Email Impersonation Attacks

Check the Email Address Carefully

Look beyond the display name to examine the actual email address. Impersonation emails often use domains that look similar to legitimate ones but with subtle differences:

  • legitimate-company.net instead of legitimate-company.com
  • ceo.legitimate-company@gmail.com instead of ceo@legitimate-company.com
  • legitimate-cornpany.com (using "rn" to mimic "m")
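
The three lookalike patterns listed above can be checked mechanically. The following is an added example, not part of the original article or any RPost product: the free-mail list, the confusable-character table, the 0.9 similarity threshold and the sample headers are constructed for illustration, and it adds a generic near-match check beyond the three listed cases.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED = "legitimate-company.com"                     # the article's example domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # constructed short list
# Constructed table of character sequences that render like another character.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(text):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def classify_sender(from_header, trusted=TRUSTED):
    """Classify a From header by its actual address, ignoring the display name."""
    _display, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    name, _, tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name == t_name and tld != t_tld:
        return "tld-swap"               # legitimate-company.net
    if skeleton(name) == skeleton(t_name):
        return "homoglyph"              # legitimate-cornpany.com
    if domain in FREEMAIL and t_name in skeleton(local):
        return "brand-in-local-part"    # ceo.legitimate-company@gmail.com
    if SequenceMatcher(None, name, t_name).ratio() >= 0.9:
        return "near-match"             # one or two characters off
    return "unrelated"

# Constructed sample headers: the display name is the same in every case.
SAMPLES = [
    "Jane Doe <ceo@legitimate-company.com>",
    "Jane Doe <ceo@legitimate-company.net>",
    "Jane Doe <ceo.legitimate-company@gmail.com>",
    "Jane Doe <ceo@legitimate-cornpany.com>",
    "Jane Doe <ceo@legitimate-conpany.com>",
]

def triage(headers):
    """Map each From header to its classification."""
    return {h: classify_sender(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:20} {header}")
```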

Analyze the Tone and Content

Be alert for:

  • Communications that don't match the supposed sender's typical writing style
  • Unusual requests, especially those involving finances or sensitive information
  • Grammar, spelling, or formatting errors inconsistent with professional communications
  • Excessive urgency or pressure to act quickly
  • Requests to keep communications secret or bypass normal procedures

Question Unusual Requests

Consider whether the request makes sense in context:

  • Would this executive typically handle this kind of transaction directly?
  • Is this request following normal company procedures?
  • Why would this request come via email rather than through established channels?

Verify Through Secondary Channels

For any request involving sensitive information, credentials, or financial transactions:

  • Contact the supposed sender directly through a known, verified phone number (not one provided in the suspicious email)
  • Consult with colleagues who would typically be involved in such requests
  • Follow established verification protocols for financial or data transfers

How to Prevent Email Impersonation Attacks

  • Implement Email Authentication Protocols:
    1. DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent domain spoofing.
    2. DKIM (DomainKeys Identified Mail) to verify email integrity.
    3. SPF (Sender Policy Framework) to validate legitimate senders.
  • Enable Multi-Factor Authentication (MFA): Adds an extra layer of security for email access.
  • Train Employees on Cybersecurity Awareness: Educate staff on recognizing impersonation attempts.
  • Use Advanced Email Security Solutions: Deploy anti-phishing tools and AI-based threat intelligence.
  • Monitor Financial Transactions Closely: Set up verification processes for wire transfers and fund requests.
  • Deploy Advanced Email Security Solutions: RMail's anti-phishing technology provides advanced protection specifically designed to combat sophisticated email threats:
    1. Real-time scanning of incoming emails for impersonation attempts
    2. AI-powered analysis of content, sender behaviour, and technical indicators
    3. Warning notifications for suspicious messages
    4. Automatic quarantine of high-risk communications
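
How SPF, DKIM and DMARC fit together is easiest to see in the DMARC alignment check a receiver performs. This is an added example, not the article's or any vendor's code; the message records are constructed, and the organizational domain is approximated as the last two labels (a real receiver consults the Public Suffix List).

```python
from email.utils import parseaddr

def org_domain(domain):
    """Assumption: organizational domain = last two labels of the name."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, policy="reject"):
    """Return 'pass', or the domain owner's published policy when DMARC fails.

    msg keys: 'from' (From header), 'spf' (result, envelope MAIL FROM domain),
    'dkim' (list of (result, d= domain) pairs).
    """
    from_domain = parseaddr(msg["from"])[1].rpartition("@")[2]
    spf_result, mail_from = msg["spf"]
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain)
    dkim_ok = any(result == "pass" and aligned(d, from_domain)
                  for result, d in msg["dkim"])
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed messages. SPF and DKIM each validate *some* domain; DMARC
# additionally requires that domain to match the visible From address.
LEGIT = {"from": "Jane Doe <ceo@legitimate-company.com>",
         "spf": ("pass", "bounce.legitimate-company.com"),
         "dkim": [("pass", "legitimate-company.com")]}
# Spoofed From: SPF passes, but only for an unrelated envelope domain.
SPOOFED = {"from": "Jane Doe <ceo@legitimate-company.com>",
           "spf": ("pass", "mailer.example.net"),
           "dkim": []}
# Lookalike domain: fully authenticated, so DMARC passes. Authentication
# proves the domain, not that the domain is the one the reader expects.
LOOKALIKE = {"from": "Jane Doe <ceo@legitimate-cornpany.com>",
             "spf": ("pass", "legitimate-cornpany.com"),
             "dkim": [("pass", "legitimate-cornpany.com")]}

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, "->", dmarc_disposition(m))
```

The lookalike case passing is why these protocols are paired with lookalike-domain checks and out-of-band verification rather than relied on alone.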

What Should You Do with an Impersonation Email?

  • Do not engage. Avoid responding to or clicking any links in the email.
  • Report the email to your IT team. They can analyze and block the sender.
  • Mark the email as spam or phishing. This helps email security systems recognize similar threats.
  • Warn colleagues. If one person receives an impersonation attempt, others may be targeted too.

What Else Can You Do to Protect Yourself?

  • Regularly update passwords and use strong, unique passwords for different accounts.
  • Monitor social media exposure to limit publicly available information that attackers can exploit.
  • Set up email alerts for login attempts from unknown locations.
  • Work with security professionals to assess vulnerabilities and strengthen defenses.
  • Consider Comprehensive Email Security Solutions

RPost's RMail service provides multiple layers of protection against email impersonation, including:

  1. Advanced impersonation detection
  2. Email encryption for sensitive communications
  3. Authenticated tracking and delivery proof
  4. Automated security