What Is an Impersonation Attack? How Attackers Trick Victims Into Paying Invoices or Sharing Private Data
An impersonation attack is a type of cybercrime where a criminal poses as a known person or organization to steal confidential data or money. Attackers use social engineering tactics to assume an identity–either by compromising an account or creating a lookalike–and ask unsuspecting victims to complete routine tasks like paying an invoice, sharing a file, or clicking a link.
Impersonation is a common tactic in attacks like CEO fraud, business email compromise, and supply chain compromise. It’s difficult to detect and prevent since it preys on the human element, rather than traditional cyberattacks which are more technical in nature.
According to the FBI, impersonation attacks cost organizations billions of dollars every year. Learn how these attacks work, why they succeed, and how to stop them from impacting your organization.
How Do Impersonation Attacks Work?
While specific targets and methods vary, impersonation threats are usually delivered as an email attack. They often share these steps:
Select a target: Identify a target who pays invoices or has access to sensitive data. Accounting, legal, and HR departments are common targets, for example.
Research the target: Study the target’s responsibilities and relationships, including vendors they work with and executives they report to. This is done primarily online, through company websites, directories, and LinkedIn.
Pick an identity: Once an attacker picks and researches a target, they repeat the process with the identity they will impersonate to trick the target.
Impersonate: Mimic the account of the chosen identity. Attackers can create spoofed email accounts that look authentic or even compromise the identity’s actual account.
Contact: Once the attacker has a target, a plausible outreach story, and an impersonated account, they reach out to the target. This is primarily done via email, though impersonation attacks also occur through phone calls or text.
Request: The attacker asks the target to pay a fake invoice, send confidential information, or access a suspicious file.
In this example, the attacker chooses the target before identifying an account to impersonate. In some instances, attackers take over an account without a target in mind, then identify potential victims based on existing email threads.
Examples of Impersonation Attacks
Impersonation is a key strategy used in a variety of cyberattacks. Some common examples of impersonation attacks include:
CEO fraud: Also known as executive impersonation or whaling, CEO fraud occurs when attackers impersonate an executive–typically a CEO. They then reach out to unsuspecting employees to request sensitive data or invoice payment.
Supply chain compromise: Attackers specifically target an organization’s supply chain with phishing campaigns. If successful, they’ll impersonate the vendor with their legitimate account to request invoice payment.
Account takeover: Attackers compromise an employee's account to launch impersonation attacks against coworkers. Like other impersonations, account takeover attacks come with similar requests for invoice payment and data sharing.
Abnormal Security has seen a recent change in impersonation tactics, shifting from impersonating executives to third-party vendors and suppliers. An urgent request from a CEO or high-level executive may arouse suspicion, especially for employees who don’t usually communicate with executives. A seemingly routine invoice from a trusted vendor, on the other hand, doesn’t appear unusual.
How Can You Stop Impersonation Attacks?
Email is the primary delivery method of impersonation attacks, so organizations need email security that can detect and prevent these impersonations. But legacy solutions like secure email gateways struggle with these threats, which is part of the reason why they’re growing in frequency and severity.
An impersonation email often doesn’t contain the known red flags that secure email gateways scan for, like malicious attachments and suspicious URLs. While those are important to prevent, they aren’t cornerstones of an impersonation attack.
Since attackers rely on social engineering, many impersonation attack emails look completely normal at first glance. They appear to come from a known contact. They’re often text-only, meaning there are no attachments or URLs. And if an attacker compromises an account, they can even come from legitimate email addresses, rather than spoofed lookalikes.
Email security that can stop impersonation attacks must:
Analyze the sender and recipient relationship. If a trusted colleague sends an email at an odd hour from a new geographic location with an unusual request, contextual analysis flags the anomalies.
Understand an email's tone and language. Does the email contain urgent requests? Does it ask for sensitive data? Does it include an invoice? These emails require additional security measures.
Identify compromised vendor accounts. If a trusted partner falls for a phishing attack, compromising their account, how will your users know? Advanced email security can detect unusual behavior from vendors, including irregular invoice timing and new routing numbers.
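As an added illustration (not Abnormal Security's code or detection algorithm), the following toy scorer applies the three checks above to constructed email metadata; the sender baseline, keyword lists, sample messages and the hold threshold are all assumptions.

```python
import re
from dataclasses import dataclass
# Keyword patterns standing in for the tone/language analysis (constructed lists).
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
SENSITIVE = re.compile(r"\b(ssn|payroll|password|credentials|wire)\b", re.I)
INVOICE = re.compile(r"\b(invoice|payment|remit)\b", re.I)

@dataclass
class SenderBaseline:            # what "normal" looks like for one sender (assumed, not learned)
    usual_hours: range           # local hours in which this sender normally emails
    usual_countries: set         # countries the sender's mail normally originates from
    known_routing_numbers: set   # bank routing numbers seen on past invoices
    typical_invoice_gap_days: int = 30

def score_email(msg: dict, baseline: SenderBaseline) -> tuple:
    """Return (risk score, reasons) by applying the three checks from the text."""
    reasons = []
    # 1. Sender/recipient relationship: time of day and origin versus the baseline.
    if msg["hour"] not in baseline.usual_hours:
        reasons.append("sent outside the sender's usual hours")
    if msg["country"] not in baseline.usual_countries:
        reasons.append("new geographic location for this sender")
    # 2. Tone and language: urgency, sensitive-data requests, invoices.
    body = msg["body"]
    if URGENCY.search(body):
        reasons.append("urgent language")
    if SENSITIVE.search(body):
        reasons.append("asks for sensitive data or a wire")
    if INVOICE.search(body):
        reasons.append("invoice or payment request")
    # 3. Vendor behaviour: unfamiliar routing number, off-cadence invoice timing.
    routing = msg.get("routing_number")
    if routing and routing not in baseline.known_routing_numbers:
        reasons.append("new routing number")
    gap = msg.get("days_since_last_invoice")
    if gap is not None and gap < baseline.typical_invoice_gap_days // 2:
        reasons.append("invoice arrived well ahead of the usual cadence")
    return len(reasons), reasons

def verdict(score: int) -> str:
    # Assumed thresholds: one routine signal is fine; several together get held.
    return "hold for review" if score >= 3 else "deliver"

# Constructed samples: a vendor's baseline, a routine invoice, and an impersonation attempt.
VENDOR = SenderBaseline(range(8, 18), {"US"}, {"000000001"})
ROUTINE = {"hour": 10, "country": "US", "routing_number": "000000001", "days_since_last_invoice": 30,
           "body": "Hi, attached is invoice 1042 for March services. Thanks!"}
SUSPECT = {"hour": 3, "country": "XX", "routing_number": "999999999", "days_since_last_invoice": 6,
           "body": "Urgent: please process the attached invoice today and wire to our new account."}
```

Run `score_email(SUSPECT, VENDOR)` to see how the individually routine signals (an invoice, an urgent tone, a new account) stack up into a hold, while the routine invoice scores only on the invoice keyword.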
The bottom line: preventing impersonation attacks from reaching your users requires email security with behavioral analysis that understands both content and context.
Want to see how Abnormal Security prevents impersonation attacks from landing in your inbox? Get a demo today.