Email Impersonation Attacks

Email impersonation is a growing cybersecurity threat that exploits people’s trust in messages from familiar senders. Attackers forge the sender’s email address to make their messages appear to come from a trusted source, such as a company executive or business partner. This form of social engineering, which leverages human psychology to bypass security measures and compromise organisations, is designed to manipulate recipients into taking harmful actions, like sharing sensitive information or transferring funds, that benefit the attacker.

An email impersonation attack is a type of phishing scam where cyber criminals manufacture a sender’s email address to make it appear as if the message is from a trusted source, such as a company executive, business partner, co-worker, or other known individual. The goal is to deceive the recipient into taking an action that benefits the attacker, such as transferring funds, sharing sensitive information, or clicking on a malicious link.

Impersonation attacks leverage people’s inherent trust in emails from familiar senders to bypass security measures and exploit human vulnerabilities. Attackers research their targets and carefully craft legitimate-looking messages, often mimicking the tone, language, and context of communications from the impersonated individual or organisation. These threats are pervasive and growing rampant every year. According to Egress’s latest Email Security Risk Report, 94% of organisations experienced email security incidents, with impersonation attacks a top attack strategy.

Detecting and preventing email impersonation attacks is an uphill battle, as these threats often lack the typical red flags associated with other phishing scams. Effective defences require advanced email security solutions that can analyse sender-recipient relationships, language, and other contextual factors to identify anomalies. Organisations must also educate employees on how to recognise the signs of an impersonation attack and report suspicious messages.

Email impersonation attacks follow a series of steps designed to deceive the recipient into believing they are interacting with a trusted source. Common steps taken to carry out these attacks include:

1. Select a target: Attackers identify a target with the authority to make payments, access sensitive data, or perform actions that can be exploited. Such targets often include employees in accounting, legal, and HR departments.
2. Research the target: The attacker studies the target’s responsibilities, relationships, and communication habits. This research is primarily conducted online, using company websites, directories, and social media platforms like LinkedIn to gather information.
3. Pick an identity to impersonate: After selecting and researching a target, attackers choose an identity to impersonate. This could be a senior executive within the target’s organisation, a trusted vendor, or any other entity the target is likely to trust.
4. Impersonate: The attacker creates a spoofed email account that looks authentic or compromises the actual account of the identity they are impersonating. This step is crucial for making the subsequent outreach to the target seem legitimate.
5. Contact the target: With a plausible impersonated identity and a story, the attacker reaches out to the target, usually via email. The communication is crafted to mimic the tone, style, and type of request that would be expected from the impersonated identity.
6. Make a request: The final step involves the attacker asking the target to perform an action that serves the attacker’s purpose. This could be paying a fake invoice, sending confidential information, or clicking on a link that leads to a malicious site. The request is designed to seem routine or urgent, exploiting the target’s trust in the impersonated identity.

These steps outline the methodical approach attackers use to execute email impersonation attacks, leveraging detailed research and social engineering tactics to bypass security measures and exploit human trust.

Email impersonation and email spoofing are two different types of cyber-attacks that involve deception but have distinct differences.

Email impersonation, also known as email spoofing, is a phishing attack where a cyber criminal fraudulently impersonates a legitimate source, typically via email, to trick the recipient into an action that benefits the attacker. The goal is to trick the recipient into believing they are interacting with a trusted source, such as a company executive or colleague, and to take specific action. Impersonation attacks often involve the attacker using a display name that mimics a legitimate entity, hoping the recipient won’t check the actual email address.

On the other hand, email spoofing is a technique used in email impersonation attacks to make the email appear to come from a different sender. In spoofing, the attacker forges the email’s “From” address to make it appear as if it came from a trusted source. Spoofing is often used to aid phishing attacks by making the message seem more legitimate and trustworthy.

In summary, email impersonation is pretending to be a trusted source, while spoofing makes the email appear to come from a different sender. Both attacks trick targeted recipients into taking an action that benefits the attacker.

The sophistication and complexity of email impersonation attacks have significantly increased, posing a serious threat to organisational security. These attacks meticulously craft scenarios where trust is exploited for malicious gain. Understanding the various forms these deceptions take can empower individuals and organisations to better safeguard sensitive information and financial assets.

• Executive impersonation (CEO fraud or whaling): In this form of attack, cyber criminals assume the identity of high-ranking executives in an organisation—most commonly CEOs—to manipulate employees into divulging confidential data or executing unauthorised financial transactions. The psychological leverage used with CEO fraud plays on respect for authority and urgency.
• Supply chain compromise: Supply chain attacks involve threat actors masquerading as trusted vendors or suppliers in communications with their targets. By feigning legitimate requests, they aim to coax unsuspecting recipients into transferring funds or sharing proprietary information under the guise of routine business operations.
• Account takeover attacks: In this scenario, cyber criminals gain unauthorised access to an employee’s email account. Leveraging this breach, they orchestrate campaigns against colleagues that seem credible coming from a known internal source, thereby increasing the likelihood of eliciting sensitive data or payments under false pretences.
• Sender name impersonation: Utilising subtle manipulations in display names allows attackers to create emails that appear at first glance to be from reputable sources. Familiar sender names often cause recipients to overlook dubious elements elsewhere in the message.
• Domain spoofing: Through slight alterations in domain names—a practice barely noticeable at a cursory look—fraudsters create email addresses that imitate those of legitimate entities closely enough to bypass casual scrutiny.
• Look-alike domain attacks: Similar yet distinct from domain spoofing, this technique involves registering new domains that visually mimic those of targeted entities so that they’re almost identical. Emails from these domains carry an air of legitimacy explicitly designed to deceive recipients about their true origin.
• Compromised email account attacks: This type of email impersonation attack is particularly insidious since it involves direct control over genuine accounts by adversaries who then proceed with further impersonation schemes internally or externally as if originating genuinely from the compromised entity itself.

The underlying strategy shared by these diverse tactics is the art of deception, with each method meticulously designed to imitate trusted figures—be it executives, business partners, or colleagues. These attackers exploit established trust and authority, crafting scenarios that prompt unsuspecting individuals into actions that compromise security.

To highlight the tangible implications of such security threats, here are some real-world examples of email impersonation attacks and their repercussions:

• The Target Data Breach: In 2013, cyber criminals conducted a spear-phishing attack on an HVAC vendor with links to Target’s network, which led to a massive data breach affecting over 40 million debit and credit card holders. This breach illustrates the dangers of interconnected systems and the importance of vendor diligence in cybersecurity.
• The RSA Security Breach: In 2011, RSA Security fell victim to a spear-phishing attack where the attackers sent emails containing a malicious Excel document to employees. This enabled the attackers to install a backdoor and steal critical data from RSA’s network.
• Ubiquiti Networks Scam: In 2015, Ubiquiti Networks suffered a $46.7 million financial loss from a phishing attack where the attackers impersonated the company’s senior executive team members and sent fraudulent wire transfer requests to the finance department. This shows that even technically experienced firms can fall prey to social engineering attacks.
• Facebook and Google: In a $121 million BEC scam, cyber criminals impersonated an Asian hardware vendor to trick employees at Facebook and Google into sending them funds over a two-year period.
• Toyota Subsidiary 2019: Attackers impersonated a Toyota executive and sent an email to the finance department of a Toyota parts subsidiary requesting a wire transfer, resulting in a loss of $37 million.

These examples demonstrate the severe financial and reputational damage that can result from email impersonation attacks. Cyber criminals leverage social engineering tactics to bypass traditional security measures and trick employees into compromising sensitive data or authorising fraudulent payments. Educating employees and implementing robust email security controls are crucial to mitigating these threats.

To bolster your defences against such deceptive strategies, be aware of the following indicators that an email may not be what it seems.

• Verifying email addresses: A critical first step involves scrutinising the sender’s address. At first glance, it may mirror legitimate contact details; however, upon closer inspection, discrepancies such as minor alterations in domain names or subtle character substitutions can reveal malicious intent.
• Assessing urgency and request nature: Emails demanding immediate action or sensitive information—particularly those purporting to originate from senior management—warrant extra caution. Cyber criminals often fabricate urgent scenarios to provoke hasty actions without time for closer inspection or verification.
• Authentication checks: Authentic communications from reputable sources typically incorporate specific authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication Reporting & Conformance). An absence or misconfiguration of these security measures could signify an impersonation effort.
• Analysing communication styles: Discrepancies between the writing style in the questionable email and previous correspondences attributed to the alleged sender could indicate foul play. Such anomalies might include uncharacteristic language use, tone deviations, poor grammar and spelling, or unusual requests that don’t align with standard operational procedures.
• Content consistency review: Pay attention to inconsistencies within the message itself—including but not limited to—the email signature’s accuracy compared to known standards for that individual or organisation, mismatches in provided contact information versus official records, and any contextual clues suggesting unfamiliarity with established relational dynamics.
• Evaluating unsolicited requests: Receiving unexpected emails soliciting confidential data exchanges or financial transactions should automatically trigger scepticism. Legitimate entities usually follow predefined protocols for such communications. In turn, unsolicited approaches are red flags deserving scrutiny before engagement.

Cultivating an awareness of these warning signs equips individuals across the organisation to adeptly spot potential threats disguised as benign emails, significantly reducing the risk of data breaches. This proactive approach not only protects organisational integrity but also safeguards personal information against sophisticated social engineering tactics aimed at exploiting trust.

To fortify defences against such vulnerabilities, a multifaceted approach combining technology solutions, informed procedures, and human insight is essential.

• Empowering employees through education: The cornerstone of any cybersecurity strategy involves cultivating a knowledgeable workforce capable of identifying early signs of email fraud. Security awareness training initiatives that focus on recognising suspicious indicators—such as unexpected urgency in requests or anomalies in sender addresses—transform employees into vigilant guardians of organisational security.
• Strengthening email authentication practices: Establishing robust authentication mechanisms constitutes another critical defence layer. Protocols like SPF, DKIM, and DMARC significantly diminish the likelihood of domain spoofing attempts succeeding by verifying the legitimacy of email sources.
• Implementing advanced email security solutions: Leveraging state-of-the-art secure email gateway technologies provides an effective barrier against malicious actors. These email security systems employ advanced algorithms to identify and neutralise potential impersonation efforts—including those involving counterfeit domains or hijacked accounts—before they reach their intended targets.
• Enhancing system access controls with multifactor authentication: Enforcing multifactor authentication for accessing emails and other sensitive systems adds a crucial security layer by mitigating risks associated with account takeover scenarios—a common precursor to impersonation exploits.
• Rigorous vetting process for vendors: Given the interconnected nature of modern supply chains, ensuring third-party vendors adhere to stringent security standards minimises exposure to indirect impersonation tactics stemming from compromised external entities.
• Comprehensive incident response strategies: Despite best efforts at prevention, having a detailed incident response plan ensures rapid identification and resolution should an attack occur. This agility can substantially limit both operational disruptions and financial repercussions.

Successfully navigating these complexities requires vigilance at all organisational levels—from frontline staff to executive leadership. It’s imperative to achieve a resilient posture amidst future challenges. Collectively embracing a culture of continuous learning and adaptation is pivotal for enduring against evolving adversarial tactics.

Proofpoint stands at the forefront of combating email impersonation attacks with a suite of sophisticated solutions designed to fortify organisational defences. Through a blend of advanced technology, actionable intelligence, and targeted training, Proofpoint offers an integrated approach to secure digital communications against increasingly cunning cyber threats.

• Email Protection: Proofpoint’s Email Protection solutions deliver cutting-edge safeguards through anti-spoofing measures and subject tagging that alert users to potential fraud. Leveraging machine learning technologies, the “Impostor Classifier” delves into email content analysis, scrutinises sender reputations, and detects subtle address manipulations indicative of impersonation efforts. Additionally, robust authentication protocols, including DMARC, SPF, and DKIM, are employed to effectively thwart domain spoofing attempts.
• Advanced BEC Defense: Tailored specifically for business email compromise (BEC) scenarios—from intricate payment redirection schemes to supplier invoicing deception—this solution harnesses artificial intelligence alongside machine learning capabilities. It meticulously examines various message components, such as header information and sender IP addresses, and analyses the body text for signs consistent with BEC methodologies.
• Threat Intelligence Services: Knowledge is power when navigating the murky waters of cybersecurity threats. In comes Proofpoint’s Threat Intelligence Services, offering deep-dive analyses into prevailing risks coupled with pragmatic recommendations tailored towards mitigating vulnerabilities specific to email impersonation dangers across different operational scales and organisational requirements.
• Security Awareness Training: A key component of Proofpoint’s strategy is empowering employees through education. This training equips staff with the knowledge to identify tell-tale signs of impersonation attacks, such as urgent requests that seem out of character or email addresses that just don’t look right.

By arming organisations with these multifaceted solutions, Proofpoint ensures they are well-equipped to navigate and counteract complex cybersecurity challenges presented by modern-day impostors. To learn more, contact Proofpoint.