
Stop Executive and Employee Impersonation

Block spoofed emails that appear to come from trusted executives and employees.


reported lost to business email compromise

Source: FBI Internet Crime Report, 2020


of all socially-engineered attacks impersonate individuals

Source: Abnormal Security, 2021


increase in impersonated internal automated systems

Source: Abnormal Security, 2021

Recognizing Executive and Employee Impersonation

In this type of socially engineered scam, an attacker will typically use domain name deception or another type of spoofed email to impersonate a trusted executive — typically the CEO — trusted systems, or other high-profile employees. In these attacks, the threat actor:


  • Determines who in the organization is most likely to inspire a sense of urgency in employees, typically the CEO

  • Sends a targeted email to a lower-level employee, using a variety of tactics to make them believe it's from the CEO

  • Makes a request, usually for a wire transfer or gift cards, and engages with the victim with an increasing sense of urgency

  • Continues the conversation until the victim sends the funds, buys the gift cards, or completes the original request


Recognizing an Executive Impersonation Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by a known executive within the organization, but the email address is spoofed

  • It includes a request and the tone suggests urgency

  • The victim is asked to respond back via text message for further instructions, a common tactic in phishing scams

Despite having no traditional indicators of compromise, Abnormal can determine that this email is malicious.

Stop Impersonation Scams That Bypass Secure Email Gateways


Detect Suspicious Language and Tone

This message from Michael Scott asks Pam if she is at her desk, with no added context.

Typical of phishing attacks, this message attempts to start a conversation with the victim, encouraging them to engage with their attacker for further instructions.

This message has no links or attachments to scan, but Abnormal recognizes that the language is typical of phishing attacks.


Inspect Email Headers to Expose Impersonators

Inspection of the email shows that it doesn’t come from the real domain name, but rather from a similar one that uses the number 1 in place of the l:

By analyzing header information, Abnormal can determine that this email domain has been spoofed. It is attempting to trick users into believing that the email is legitimate, using a well-known trick of replacing letters in the original domain.
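A minimal sketch of the header check described above, added here as an illustration; it is not Abnormal's code or detection logic. The domain `paperco-global.example`, the executive list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organization's real domain and VIP names.
TRUSTED_DOMAINS = {"paperco-global.example"}
EXECUTIVES = {"michael scott"}

# Digit-for-letter swaps commonly seen in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def skeleton(domain: str) -> str:
    """Collapse confusable characters so visually similar domains compare equal."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def classify_sender(raw_message: str) -> str:
    """Classify the From header of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        # An exact match only means the header names the real domain; whether
        # the message is authentic is a separate SPF/DKIM/DMARC question.
        return "trusted-domain"
    if any(skeleton(domain) == skeleton(t) for t in TRUSTED_DOMAINS):
        return "lookalike-domain"
    if " ".join(display.lower().split()) in EXECUTIVES:
        return "executive-name-external-domain"
    return "external"

# Constructed sample messages (not taken from the page).
SAMPLES = {
    "lookalike": 'From: "Michael Scott" <michael.scott@paperco-g1obal.example>\n'
                 "To: pam@paperco-global.example\nSubject: At your desk?\n\nText me.\n",
    "name_only": "From: Michael Scott <ceo.office@mailbox.example>\n"
                 "To: pam@paperco-global.example\nSubject: Quick task\n\nAre you free?\n",
    "internal": 'From: "Michael Scott" <michael.scott@paperco-global.example>\n'
                "To: pam@paperco-global.example\nSubject: Meeting\n\nSee you at 3.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_sender(raw))
```
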


Understand Communication Patterns to Detect Suspicious Behavior

Michael does not typically email Pam at 8:03 am. And because he can see her desk from his own office, he’s never asked her if she’s at her desk.

Unlike secure email gateways, Abnormal uses natural language processing to understand people, their behavior, their communication patterns, and typical tone and content shared.

This understanding of known good behavior helps Abnormal flag suspicious behavior with a high degree of confidence.


Eliminate the Threat Before Unsuspecting Employees Are Scammed

Pam never sees the email, making it impossible for her to be scammed by the attackers impersonating Michael.

Because Abnormal understood that this email was not actually coming from Michael, the email was removed in milliseconds.

Pam never had the chance to open or respond to it, and was never aware of the threat.

With Abnormal, you can see who else was targeted by the same or a similar email as part of a broader attack campaign, and how those emails were remediated.
