All You Need to Know About Phishing Email Impersonation

Scams that rely on impersonation are as old as the hills. Impersonation scams are a core part of fraud, and they are increasing. The FTC in the US records all types of fraud and scams. The FTC 2024 report "Impersonation scams: not what they used to be" notes that around half of all frauds reported directly to the agency are based on impersonation. One interesting thing the FTC noted is that email impersonation is soaring. Alerts on email impersonation scams are being issued worldwide, from Singapore to New Zealand, the UK, and beyond. Email impersonation is an attack vector that opens opportunities for cybercriminals, with more scammers jumping on the email bandwagon daily.

TitanHQ explores what email impersonation is and how to stop it before it harms your organization.

What is Email Impersonation?

Email phishing, a common cyber-attack, is often the gateway for hackers to infiltrate your systems. Email impersonation is a specific type of phishing attack that involves the creation of emails that appear to be from a trusted source, making them difficult to identify as fraudulent. If such an email is opened, the potential damage is significant, ranging from malware infections to data breaches and even financial loss through Business Email Compromise (BEC) scams.

For businesses, the stakes are even higher. The threat of system damage is compounded by the need to safeguard customer data. With the increasing frequency of targeted attacks, companies can no longer afford to be passive about email security. It's crucial for businesses to be proactive in protecting against email impersonation and other cyber threats.

Email impersonation uses social engineering tricks of the cybercriminals' trade to manipulate employees and others. The scammer exploits human psychology to encourage the recipient to perform an action that benefits the scammer. For example, by transferring company funds to the scammer's bank account, the employee believes the scammer to be a trusted member of staff or a supplier.

Email impersonation is typically a highly targeted attack. The cybercriminals behind email impersonation will often spend time building up a profile of a business and then targeting a specific employee. This reconnaissance needed to do this gives the scammer the intelligence to make the impersonation more believable.

Email impersonation is successful. A 2024 report from Egress found that 94% of organizations experienced security incidents in which impersonation attacks were the main strategy.

A Step-By-Step Guide to an Email Impersonation Attack

Step One: Choose a Target

Cybercriminals intent on using email impersonation as an attack type typically wish to extract large sums of money. The FTC report on email impersonation notes that bank transfers of funds because of impersonation fraud have soared from $57 million in 2020 to $383 million in 2023. Business Email Compromise (BEC) scams involve identifying a target, typically an employee in accounts payable or HR departments, then using email to impersonate a senior-level manager.

Step Two: Surveil the Target

Successful email impersonation relies on the scammer understanding the target. The business that the target works for is also under the cybercriminal's lens. Cybercriminals gather intelligence on business operations, email communication, methods of payment, and other vital information, such as supply chain members. The cybercriminal will use whatever means to understand how the company operates and communicates, using social media, newspaper articles, etc.

Step Three: Choose the Person to Impersonate

The intelligence gathered forms the basis for the email impersonation plan. The scammers must choose their impersonation victim wisely and in a way that fits the type of scam they want to carry out. For example, a BEC scam would typically impersonate a senior staff member, like the CEO or CFO.

Step Four: Prepare to Impersonate the Chosen Victim

Once chosen, the target victim is in the sights of the scammer, and their email account will become the focus of the attack. The victim's email may be compromised and used to send out emails. However, this is only sometimes the case. Email impersonation scammers may, instead, spoof the email address so that it simply looks like it is from the CEO, CFO, etc.

Step Five: Create the Impersonation Email

A vital step to get right is creating the impersonation email. The intelligence gathered during the earlier steps helps scammers create believable emails that reflect the style of the chosen impersonation target. Today, scammers can also turn to Generative AI to help them compose realistic-looking emails.

Step Six: Execute the Scam

The impersonation email will contain a request, such as a note of a change of bank details and an invoice for payment. It will typically have an air of urgency, e.g., "We must pay this invoice immediately; otherwise, we may lose this client." Alternatively, the email may contain a malicious link or request for confidential or proprietary information. Because the target believes this has come from a senior staff member, they will carry out the request.

• Email impersonation is a highly sophisticated, intelligence-led version of conventional mass mailout phishing emails. This makes it hard to detect using traditional anti-phishing solutions.

Some examples of email impersonation attacks show the complex nature of this increasingly concerning threat.

Types of Email Impersonation Attacks

Business Email Compromise/CEO Fraud

The FBI collected evidence of over $50 billion in losses due to BEC scams in the USA. BEC scams focus on extracting company or individual funds by impersonating a senior staff member, like a CEO. Emails are then sent using the impersonated individual's details and writing tone. A recent example of a successful BEC scam was carried out against wireless product manufacturer Ubiquiti.  The company lost $46.7 million to BEC scammers. The BEC fraudsters impersonated Ubiquiti supplier employees and then targeted Ubiquiti finance department staff to get them to approve money transfers.

GenAI-Powered Email Impersonation

GenAI and the LLM models underpinning the technology are used by fraudsters to draw in information from multiple online sources. This information is then used to create believable impersonation emails. GenAI-powered impersonation emails are behind some BEC attacks and are now used for targeted spear phishing. Cybercriminals choose specific employees, like administrators, and then generate emails using GenAI to reflect a typical communication process used by the administrator and the organization they work for. An experiment at Black Hat USA 2021 showed the success rate of AI-generated impersonation emails used in phishing. Singapore's Government Technology Agency ran the experiment. The experiment used simulated spear phishing emails, with some created by humans and others generated using ChatGPT3. The results showed that more people clicked the links in the AI-generated phishing emails.

Corporate Account Takeover

If a cybercriminal can take control of an employee account, especially one with privileged access to company resources, they can install malware, steal data, and cause general havoc. Around 29% of US citizens have been victims of account takeover (ATO). Various methods are used to access an account, including credential Stuffing, Adversary-in-the-Middle (AitM), and phishing. ATO is now a more significant threat than ransomware, with 88% of organizations experiencing at least one account takeover attack. ATO attackers can use this access to impersonate a corporate employee; the cybercriminal has power over email and can phish and manipulate other employees.

Brand Impersonation

Tricking people into thinking they are dealing with a trusted brand is phishing 101. Big names from Facebook to Microsoft are all victims of brand impersonation. The brand is used in phishing emails to build trust with the recipient, getting the individual to click on malicious links or download infected attachments. Brand impersonation leads to credential theft, ransomware infection, and data breaches.

Email Phishing and Email Impersonation.

Email impersonation often goes hand-in-hand with email phishing, which involves using fraudulent emails to trick users into revealing sensitive information or doing unauthorized actions. Phishing emails are personalized, highly targeted, and meticulously crafted to look like they're from a trusted source. Attackers use social engineering to exploit human weaknesses, like the natural tendency to trust or the need for approval. By playing on these emotions, attackers can trick even the most security-savvy users into taking actions they wouldn't normally do. Many types of phishing involve impersonating someone in a position of authority, like a CEO or senior manager. They also format the emails with logos and branding to make them look like they're from a legitimate company, i.e., brand impersonation.

Email phishing attacks can have severe consequences for businesses. Not only can they lead to data breaches and financial loss, but they can also damage the business's reputation. Especially if customer data is involved, companies can face heavy fines from regulators.

So, how can you protect your business from email phishing attacks? The first step is to educate your employees about the dangers of phishing emails and how to spot them.

Even a well-crafted email can have some tell-tale signs that it's not legitimate.

How to Spot a Phishing Email?

Since phishing emails look like they're from a trusted source, they can be compelling. But even a well-crafted email can have some tell-tale signs that it's not legitimate. The email address is the key that may give away a phishing email. Here are some things to look out for:

1. Typosquatting Domains:

These are domains similar to legitimate domains but with slight misspellings. For example, an attacker may use a domain like "noreply@amazaon.com" instead of "noreply@amazon.com." Most people would miss the subtle difference in spelling, but it's a dead giveaway that the email is not from Amazon.

2. Sub-Domain Spoofing:

With this tactic, attackers trick users into thinking that the email is from a trusted company using a splitting technique. For example, in "noreply@google.security.spammailer.com," the "google. security" part of the domain looks legitimate, but the actual domain is "spammailer.com."

3. Top-Level Domain Spoofing:

This is a more sophisticated type of phishing in which the domain and subdomain are legitimate or close to legitimate, but the top-level domain is different. For example, "noreply@support.microsoft.website" looks similar to "noreply@support.microsoft.com," but Microsoft may not own the .website top-level domain. This type of phishing easily crosses the spam and phishing filters.

4. False Display Names:

When you receive an email, you first see the display name. This is the name that appears in the "From" field. Attackers tend to use the names of well-known companies or individuals to make their emails look more legitimate. If it's a more personalized attack, they may even use the name of your boss or a colleague. This type of phishing works on mobile devices where the sender's email address isn't shown by default, and people see the display name on the first window.

Other than the email address, some common indicators in the email itself may suggest it's a phishing email:

A common tactic is to create a fake sense of urgency or say that the email contains time-sensitive information. This prompts people to act without thinking about it.

Unexpected attachments or unknown links in the email are other red flags. Don't download it if you're not expecting an attachment from the sender. And if there's a link in the email, hover over it to see where it's taking you. The link may look legitimate at first glance, but when you hover over it, you may see it taking you to a completely different website.

Attackers ask to maintain confidentiality to prevent victims from discussing the email with others and potentially figuring out it's a scam. Phrases like "Please keep this email confidential" or "for your eyes only" are common in phishing emails.

Most professionals and businesses don't use free email servers like Gmail, Yahoo, or Hotmail for work-related communication. Some legitimate companies use these services, but it's still a red flag.

Even a well-crafted email can have some tell-tale signs that it's not legitimate.

Are You Responding to an Email Phishing Attempt?

If you think you've received a phishing email, don't panic. Please report it to your IT or security team immediately. They can determine a real threat and take the appropriate steps to protect your organization.

Phishing is a punishable offense by law. Some dedicated agencies, like the FBI, handle these types of complaints. You can report it to the FTC or file a complaint with the Internet Crime Complaint Center (IC3).

In addition, take steps to notify the people who may be impacted by the email. This includes colleagues or customers who may be attacked by similar emails.

How to Protect Your Business from Email Phishing Attacks?

The best way to protect your business from email phishing attacks is to take a multi-layered “defense-in-depth” approach. This includes a mix of technical measures and employee education.

Technical Solution Layer to Email Impersonation

Technical solutions include spam filters, authentication, and malware detection and prevention tools. Prevention is better than cure, and many email impersonation attempts, like BEC, begin with a compromised email account. Using AI-enabled anti-phishing tools to protect email from phishing threats is essential as the security threat landscape changes constantly. TitanHQ's PhishTitan uses AI to navigate the changing threat landscape and detect emerging threats continuously. 

PhishTitan uses a layered approach to the prevention of phishing email attacks as well as powerful AI-enabled algorithms. Features of PhishTitan include the following:

• AI-Driven Threat Intelligence: To meet the complex needs of an ever-changing threat landscape.
• Time of Click Protection: Email links are replaced, and the original link is sent to an inspection site to check its validity.
• Link Lock Service: Your company remains protected even if a recipient clicks a malicious URL.
• Post-Delivery Remediation: Even if an email slips through the layers of defense, administrators can still remove it from employees' inboxes.
• Data Loss Prevention (DLP): Prevents sensitive data from leaving the corporate network.

Security Awareness Layer for Email Impersonation

SafeTitan is a comprehensive training program that covers all the bases regarding email phishing awareness and protection. The SafeTitan Security Awareness Training platform includes educational videos, interactive simulations, and gamification. The SafeTitan reporting and analytics tool gives you the insights you need to further improve your employees' awareness and keep your business safe from email phishing attacks.

Employee awareness and training programs should cover topics like how to spot a phishing email, what to do if they receive one, and how to report it. These programs should be ongoing and updated regularly to reflect the latest trends in phishing attacks. Interactive approaches like simulated phishing attacks can be especially effective in driving home the importance of these topics. It's also essential to have a process for responding to phishing attacks so that everyone knows what to do if one does make it through.