What is an impersonation attack?

This is often stolen by deception such that the employee:

• Gives up sensitive information unwittingly.
• Grants unauthorised access to networks and systems.
• Divulges private login credentials, or
• Is convinced to transfer money.

How do impersonation attacks work?

While every attack looks different, the basic structure of an impersonation attack is as follows.

Target selection

The bad actor starts by identifying an employee of interest. This is typically the person who pays invoices or has access to sensitive information.

Target research

Research is then performed on the employee. What vendors do they liaise with? Who do they report to? What are their general responsibilities?

Cybercriminals exploit open-source intelligence (OSINT) to learn more about the intended victim.

OSINT comprises publicly available data that may relate to corporate reports, conference minutes, employee profiles, social media posts and even media appearances.

Identity selection

Once the actor has researched the victim in detail, they repeat the intelligence-gathering process for the identity they want to impersonate.

This is someone who engenders trust in the target, such as one of their superiors or a well-acquainted colleague.

Impersonation

Here, the actor impersonates the identity with credentials that appear authentic (such as an email account).

First contact

The attacker then crafts a plausible reason for having to contact the victim.

Communication tends to occur via email (more on this below), but some may reach out with a text or phone call.

Request

In the final step, the employee is asked to perform a certain action.

Common examples include:

• An abrupt request to alter direct deposit details.
• Purchase requests that need to be completed on behalf of the CEO, and
• Requests that appear on short notice that involve the sharing of bank details or login credentials.

Social engineering

To be successful, impersonation attacks rely on social engineering. In a cybercrime context, social engineering is the act of deceiving an employee into betraying company data or resources.

Social engineering tactics work because they capitalise on quirks in human psychology. Invariably, the victim is motivated to act because of:

• Fear, greed or urgency.
• The need to please or obey, and
• The need to avoid criticism.

The technique is also easier for the criminal to carry out. Instead of having to locate and exploit a system vulnerability themselves, they simply manipulate employees into giving them what they want.

The varied ways this manipulation occurs are explained in the next section.

How are impersonation attacks facilitated?

Unfortunately, there are numerous ways.

Phishing

Phishing is a type of email impersonation attack where employees are contacted by the stolen email account of a coworker, manager or executive. This is often called email impersonation or email spoofing.

As we noted earlier, emails often trick employees into divulging sensitive data. However, some emails will direct the employee to links or images that contain malware.

The numbers on phishing are staggering. Worldwide, email impersonation accounts for 1.2% of all daily email traffic or around 3.4 billion emails per day.

The most commonly targeted industries are finance and insurance and 43% of all phishing attacks imitate Microsoft alone.

Email-based phishing is so prevalent that various sub-types exist:

• Business email compromise (BEC) – any attack that impersonates a business email account.
• Clone phishing – where bad actors create near-identical copies of an authentic email and substitute links or attachments with malicious replacements.
• Whaling – where C-suite personnel such as the CEO and CFO are impersonated.
• Spear phishing – a more pernicious form of phishing where attackers customise messages based on specific information about the victim (such as their position or recent movements). Spear phishing is responsible for 66% of all breaches, despite accounting for just 0.1% of all email-based phishing attacks.

Additional types of non-email-based phishing (but with similar objectives) include:

• Smishing – where fabricated smartphone text messages deceive the recipient into downloading malware, sending money or providing access to confidential information.
• Vishing – similar to smishing but occurring over telephone instead of mobile. Generative AI is increasingly being used to impersonate voices and deceive victims in this way.

Cousin domains

Cousin domains refer to any domain names that are registered to resemble more legitimate versions.

To trick users into believing they are interacting with a legitimate entity, cousin domains leverage minor variations in spelling, add extra words or replace certain characters. These domains will also imitate the design and layout of the legitimate domain to enhance the deception.

The objective of this type of impersonation attack is much the same as it is with phishing. Invariably, victims are prompted to enter their login credentials, transfer money or download malicious files.

Account takeovers

In an account takeover (ATO), the cybercriminal obtains access to an account with stolen credentials that are often purchased on the dark web.

Accounts without multi-factor authentication are especially vulnerable. The criminal can use the details to commit identity fraud or perform further account takeovers if the victim tends to use the same password.

Man-in-the-middle attacks

Man-in-the-middle (MTM) attacks occur when the malicious actor intercepts and then alters communication between two parties without their knowledge.

In some cases, MTM attacks are a digital form of eavesdropping that occurs on unsecured Wi-Fi networks. But messages can also be intercepted via HTTPS and SSL/TLS connections.

How to combat impersonation attacks

Since impersonation attacks are designed to take advantage of human error, preventing them can be difficult.

Nevertheless, they can be mitigated or even prevented with a multifaceted approach that combines user education, technical defences and proactive surveillance.

User education

Forewarned, as they say, is forearmed, and impersonation attacks are no different.

Businesses do not need to spend vast sums of money to create awareness among their employees, but the importance of training frontline staff is paramount.

Sessions should educate employees on the dangers of such attacks and familiarise them with the warning signs of email impersonation.

Various tools are also available to simulate phishing scams and provide alerts and other functionality that integrates into existing email platforms.

Technical defences

Robust authentication mechanisms are another facet of the defence against email impersonation. Considered the golden trio of email authentication technologies, DMARC, SPF and DKIM validate emails and substantially reduce the likelihood of cybersecurity incidents.

Otherwise, various email security providers offer tools that anticipate and protect against even the most advanced email impersonation attacks.

Many are powered by machine learning and AI technology that block malicious emails with accurate threat classification and multilayered detection techniques.

Some also offer email encryption, content filtering and various analysis tools that provide complete visibility across multiple communication channels.

One of these analysis tools is threat intelligence, which enables businesses to stay one step ahead of attackers with insights into the tactics, techniques and procedures (TTPs) they employ.

Proactive surveillance

Proactive surveillance requires the organisation to use initiative and monitor for impersonation attempts. Telltale signs include unusual website behaviour or any suspicious login, email, social media, DNS or network activity.

To check for cousin domains, the organisation can use plagiarism detection tools or manually check derivations of its URL or social media accounts for impersonation.

Automated software can not only detect and validate cousin domains but can enforce intellectual property (IP) rights and have the offending domain taken down.

In summary:

• In an impersonation attack, a bad actor uses deception to obtain unauthorised access to a company’s systems, data or resources. Attackers conduct background research on a target before making contact with a story that is plausible and convincing.
• Every impersonation attack is different, but the vast majority occur via email in a process called phishing. There are numerous types of phishing, with some targeting C-suite personnel and others employed exclusively on smartphones.
• Bad actors may also impersonate a business with a cousin domain. These domains imitate the online presence of a business and trick individuals into thinking they are interacting with a legitimate entity. Other impersonation attack types include account takeovers and man-in-the-middle (MTM) attacks.
• Impersonation attacks often take advantage of human error, which makes them harder to prevent. However, employee education, a multi-layered defence system and proactive surveillance are all effective.