Business Email Security: What Is An Impersonation Attack?

Posted by Sam Kendall

An impersonation attack is when a cyber criminal pretends to be someone your business trusts, usually over email, to get money, data, credentials, or access.

If your team relies on email for approvals, invoices, logins, or customer communications, impersonation attacks are one of the most effective ways to exploit that trust.

An impersonation attack is a form of social engineering in which the attacker poses as a trusted colleague, executive, supplier, adviser, IT contact, or brand.

In business email security, that usually means sending a message that looks legitimate enough to trigger action before the recipient slows down and verifies it.

Sometimes they hijack a real mailbox and continue an existing email thread.

But the attacker does not always need to break into the real account of the person or company they are impersonating.

Sometimes they use a lookalike domain or a fake display name.

Either way, the aim is the same - use trust to lower suspicion and speed up action.
What Is An Impersonation Attack?

An impersonation attack uses a deceptive message or interaction to make the target believe the sender is someone credible and expected.

In business settings, that often means pretending to be a senior executive, a finance contact, a supplier, a lawyer, HR, or internal IT.

The request may look routine, but the real goal is fraud, credential theft, data exposure, or account compromise.

Why It Works

Impersonation attacks work because email is built around identity cues that people use every day - names, signatures, domain names, ongoing threads, and normal business routines.

If the message also adds urgency, authority, secrecy, or familiarity, the recipient may act before they fully verify the sender.

This is one reason business email compromise is so effective: attackers exploit how heavily organisations rely on email for approvals, invoices, password resets, document sharing, and executive communication.

“Look at the sender’s name and email address. Does it sound legitimate, or is it trying to mimic someone you know?”

National Cyber Security Centre

Why Email Is The Preferred Channel

Email is the most common channel for these attacks because it is universal, fast, and full of context attackers can mimic.

People expect email from suppliers, payroll teams, legal advisers, and executives.

That makes it easier for a malicious message to blend into routine workflows.

Email also supports several attack paths at once, including direct domain spoofing, display-name abuse, lookalike domains, malicious links, stolen credentials, and compromised reply chains.

Impersonation, Phishing, Spoofing, and BEC - What’s The Difference?

These terms overlap, but they are not identical.

Getting this right helps businesses choose better controls.

Phishing vs Impersonation

Phishing is the broader category of attack.

It usually refers to scam emails or messages designed to trick users into clicking a malicious link, downloading malware, revealing credentials, or sending money.

Impersonation is one tactic within that broader category.

The attacker makes the message feel trustworthy by pretending to be a specific person, team, or organisation.

Spear phishing is a more targeted version of phishing aimed at a specific person or function, often using research about their role, suppliers, projects, or senior stakeholders.

Many impersonation attacks are effectively spear phishing because they are tailored to the target and context.

AI is also making these personalised attacks faster to produce at scale.

Spoofing vs Impersonation

Email spoofing is a technical method used to make a message appear to come from a domain or sender it did not really come from.

Impersonation is the broader deception outcome.

An attacker can impersonate someone through spoofing, but also through a lookalike domain, a fake display name, or a real compromised mailbox.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) can help stop direct domain spoofing, but they do not automatically stop every form of impersonation.

BEC and Account Takeover

Business email compromise, or BEC, is a business-focused fraud category in which attackers use email that appears legitimate to manipulate payments, invoices, or sensitive business actions.

Impersonation is one of the most common ways BEC happens.

Account takeover means the attacker gains control of a real user account.

That can make impersonation far more convincing because the message comes from a genuine mailbox, sometimes within a real thread, with real signatures, previous context, and trusted sending history.

How An Impersonation Attack Works

Research and Pretext

The attacker starts by learning how the business communicates.

They may review public websites, LinkedIn profiles, supplier names, job titles, finance processes, or recent announcements.

That research helps them choose a believable identity and a plausible request.

For example, they may impersonate a finance director near payroll day, or a supplier just before a regular invoice cycle.

Delivery and Pressure

Next, the attacker creates the email setup that best supports the deception.

That might be a spoofed message, a lookalike domain, a display name that matches a real executive, or a compromised mailbox already trusted by staff.

They then send a message that feels urgent, routine, confidential, or all three.

Common pressure tactics include “I need this paid today”, “don’t call because I’m in a meeting”, or “use this new bank account for this invoice”.

Action and Follow-Through

The final stage is the action the attacker wants.

That may be a bank transfer, a change to supplier bank details, a credential submission through a fake login page, or the release of payroll records, contracts, or customer data.

If the first message works, the attacker often keeps going.

They may ask follow-up questions, join a legitimate thread, or use the compromised account to target more people internally.

Common Types Of Impersonation Attacks

Executive Impersonation

This is the classic “CEO fraud” scenario.

The attacker pretends to be a senior leader and asks finance, operations, or an executive assistant to make a payment, buy gift cards, release sensitive files, or approve a change urgently.

The goal is speed, obedience, and silence.

The likely impact is direct financial loss, plus the breakdown of trust in executive communication.

Vendor and Supplier Impersonation

Here, the attacker poses as a supplier and says invoice details have changed.

Sometimes they use a lookalike domain.

Sometimes they break into the supplier’s real mailbox and send the request from a legitimate thread.

The goal is invoice fraud or diversion of future payments.

The impact can include unrecoverable transfers, delayed fulfilment, and disputes with the real vendor.

Payroll, HR, and Legal Impersonation

Payroll and HR impersonation often targets employee data, tax forms, salary changes, or direct debit updates.

Legal impersonation usually adds authority and secrecy.

The attacker may claim an acquisition, dispute, or confidential review is in progress and pressure the recipient not to discuss it.

The impact can include privacy incidents, fraud, and regulatory exposure if personal data is disclosed.

IT, Help Desk, and Brand Impersonation

These attacks often aim for credentials.

The message may claim a password reset is needed, that Microsoft 365 or Google Workspace access is expiring, or that the user must re-authenticate to view a document.

Brand impersonation works the same way, but uses a familiar vendor, delivery provider, or partner brand to lower suspicion.

The likely impact is account takeover, malware, or wider lateral movement across the business.

Reply-Chain Hijacking, Display-Name Spoofing, and Lookalike Domains

These are some of the hardest forms of impersonation attack to spot.

In a reply-chain hijack, the attacker uses a compromised mailbox to respond inside an existing conversation.

With display-name spoofing, the sender name looks familiar, even if the actual address does not.

With a lookalike domain, a small spelling change makes the domain appear legitimate at a glance.

Admin platforms such as Google Workspace explicitly track similar-domain, display-name, and domain-name spoofing because each pattern creates a different detection problem.

Why These Attacks Are Dangerous For Businesses

Financial and Operational Impact

The most obvious risk of these attacks is fraud.

That can mean invoice fraud, payroll diversion, bank transfer fraud, or gift card scams.

But the damage rarely stops there.

A successful impersonation attack can also trigger credential theft, mailbox compromise, data loss, and operational disruption while teams investigate, notify contacts, and repair trust.

Compliance and Reputational Impact

If regulated data, customer records, employee information, or financial details are exposed, the incident may become more than a fraud problem.

It can quickly become a compliance, reporting, and reputation issue too.

Even when the loss is small, the signal it sends is serious: a business can have good tools and still fail if identity verification, approvals, and user judgement do not line up.

Warning Signs Employees and Admins Should Watch For

User-Level Red Flags

For employees, the warning signs are often simple, but easy to miss under pressure.

Look for unusual urgency, requests for secrecy, sudden payment changes, unexpected login prompts, or messages that try to push you away from normal process.

Check the real sender address, not just the display name.

Watch for small spelling changes in the domain, mismatched reply-to addresses, off-hours timing, odd tone, or a request that feels out of character for the sender.

If the message asks for money, credentials, changes to bank details, sensitive data, or document access, pause and verify it through another channel.
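The user-level checks above (real sender address versus display name, small spelling changes in the domain, a mismatched Reply-To, and pressure language) can be automated as a first-pass triage. The script below is an added example written for this article, not code from the author or from any mail platform; the trusted domains, the protected names and the three sample messages are constructed placeholders, and the look-alike test is a deliberately simple normalisation plus edit-distance check rather than a full confusable-character table.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed allow-list: the organisation's own domain plus a known supplier (placeholders).
TRUSTED_DOMAINS = {"acme-example.com", "supplier-example.co.uk"}
# Constructed list of identities attackers most want to imitate (executives, finance, HR).
PROTECTED_NAMES = {"jane doe", "finance team"}
# Pressure phrases taken from the article's own examples of urgency and secrecy.
URGENCY_PHRASES = ("paid today", "don't call", "do not call", "in a meeting", "new bank account")


def normalise_domain(domain):
    """Fold common look-alike substitutions: rn->m, vv->w, 0->o, 1->l, 3->e, 5->s."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain is not trusted but, after normalisation, is within one edit of a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    n = normalise_domain(domain)
    return any(n == t or levenshtein(n, t) <= 1 for t in TRUSTED_DOMAINS)


def check_message(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()

    flags = []
    # 1. A familiar display name on an address outside the trusted domains.
    if display.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        flags.append("display-name-spoof")
    # 2. A small spelling change in the From or Reply-To domain.
    if is_lookalike(from_domain) or is_lookalike(reply_domain):
        flags.append("lookalike-domain")
    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    # 4. Urgency, secrecy or payment-change language.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency-pressure")
    return flags


# Constructed sample messages (all addresses are placeholders).
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe.ceo@webmail.example>
To: accounts@acme-example.com
Subject: Urgent payment

I need this paid today. Don't call, I'm in a meeting.
"""

SUPPLIER_REDIRECT = """\
From: Supplier Accounts <accounts@supplier-example.co.uk>
Reply-To: accounts@supplier-examp1e.co.uk
To: ap@acme-example.com
Subject: Updated remittance details

Please use this new bank account for this invoice and future payments.
"""

GENUINE = """\
From: Jane Doe <jane.doe@acme-example.com>
To: board@acme-example.com
Subject: Board pack

Attached is the draft agenda for Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed exec", SPOOFED_EXEC), ("supplier redirect", SUPPLIER_REDIRECT), ("genuine", GENUINE)):
        print(f"{name}: {check_message(raw) or 'no flags'}")
```

A hit on any one flag is a prompt to verify through another channel, not proof of fraud; the value of running the checks together is that a genuine executive message from the real domain produces no flags, while a familiar name on a webmail address with "paid today" in the body produces two.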

Admin and Platform-Level Clues

Admins should also look for signals users may never see.

Examples include failed authentication, similar-domain activity, display-name spoofing, unusual sign-in patterns, impossible travel, abnormal reply behaviour, strange forwarding rules, or a mailbox suddenly sending messages it never sent before.

Abnormal thread behaviour matters as well.

If a trusted contact suddenly changes payment details mid-thread, switches tone, or introduces a new external address, that should trigger review.

How To Prevent Impersonation Attacks

Lock Down Domain Authentication

Start with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

These controls help receiving mail systems verify whether messages claiming to come from your domain are legitimate, and they are a core part of reducing direct domain spoofing.

NCSC guidance explains that SPF identifies trusted sending hosts, DKIM signs outbound mail, and DMARC sets the policy for handling messages that fail checks.

In mature setups, moving from monitoring to quarantine and then to reject can materially reduce spoofing risk, but it still does not remove the need for broader impersonation controls.
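To make the SPF/DKIM/DMARC relationship and the monitor-to-quarantine-to-reject progression concrete, the following is an added example (not from the article or the NCSC guidance it cites) of the decision a receiving server makes once SPF and DKIM have been evaluated. It assumes placeholder domains, treats the organisational domain as the last two labels (real DMARC uses the Public Suffix List), and shows the caveat in the paragraph above: a look-alike domain that publishes its own valid SPF, DKIM and DMARC passes cleanly.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """What a receiving mail server knows after running SPF and DKIM on one message."""
    header_from: str   # domain in the visible From: header, the identity DMARC protects
    spf_domain: str    # domain SPF was checked against (the envelope MAIL FROM), "" if none
    spf_pass: bool
    dkim_domain: str   # d= tag of a valid DKIM signature, "" if unsigned or broken
    dkim_pass: bool


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels for this example."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC alignment: strict needs an exact match, relaxed only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(result, record_txt):
    """Return (dmarc_result, disposition). The record consulted is the one published by the From: domain."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = result.spf_pass and aligned(result.spf_domain, result.header_from, tags.get("aspf", "r"))
    dkim_aligned = result.dkim_pass and aligned(result.dkim_domain, result.header_from, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # p=none means deliver and report only; quarantine and reject are the enforcing steps.
    return "fail", tags.get("p", "none")


# Constructed cases; every domain is a placeholder.
LEGITIMATE = AuthResult("acme-example.com", "bounce.acme-example.com", True, "acme-example.com", True)
DIRECT_SPOOF = AuthResult("acme-example.com", "attacker-example.net", True, "", False)
LOOKALIKE = AuthResult("acme-exarnple.com", "acme-exarnple.com", True, "acme-exarnple.com", True)
SUBDOMAIN_SIGNED = AuthResult("acme-example.com", "", False, "mail.acme-example.com", True)

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(f"p={policy}: direct spoof ->", evaluate_dmarc(DIRECT_SPOOF, f"v=DMARC1; p={policy}"))
    print("legitimate ->", evaluate_dmarc(LEGITIMATE, "v=DMARC1; p=reject"))
    print("lookalike with its own record ->", evaluate_dmarc(LOOKALIKE, "v=DMARC1; p=reject"))
    print("subdomain DKIM, strict alignment ->", evaluate_dmarc(SUBDOMAIN_SIGNED, "v=DMARC1; p=reject; adkim=s"))
```

The direct spoof fails at every policy level, but only `quarantine` or `reject` changes what happens to it; under `p=none` the message is still delivered and merely reported. The look-alike case passes because DMARC only answers "is this mail authorised by the domain in the From header", and the attacker controls that domain, which is why the article pairs domain authentication with look-alike monitoring and user checks.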

Protect Accounts and Privileged Users

Multi-factor authentication matters, especially for accounts with access to sensitive data, finance workflows, or admin tools.

Just bear in mind that not all MFA offers the same protection against phishing, so stronger, phishing-resistant options are worth prioritising where possible.

Apply extra scrutiny to executives, finance staff, HR, and admins.

These are the identities attackers most want to imitate or compromise.

Cloud email platforms also support anti-phishing and impersonation settings such as spoof intelligence, protected user lists, mailbox intelligence, and configurable anti-phishing policies.

Add Detection and Workflow Controls

Prevention is not only about blocking bad mail.

It is also about making risky actions harder to complete without verification.

Use out-of-band verification for payment requests, changes to bank details, payroll changes, and sensitive data requests.

Require dual approval for finance changes.

Monitor newly registered lookalike domains where practical.

Give users a simple way to report suspicious messages from Outlook, Gmail, or your security portal so those reports reach IT fast.

Train People For High-Risk Scenarios

Security awareness training works best when it focuses on realistic business scenarios, not generic scare slides.

Teach users how impersonation looks in practice - fake executive requests, supplier bank changes, account re-authentication prompts, and unexpected requests for confidential files.

Most importantly, make sure staff know they will be backed for slowing down and verifying a suspicious request.

A good culture reduces risk just as much as a good filter.

If you are reviewing ways to add stronger controls to sensitive outbound email, Mailock is one option to explore.

What To Do If You Suspect An Impersonation Attack

Immediate Actions

Do not reply, do not click, and do not open attachments until the message is verified.

Use another channel to confirm the request, such as a known phone number, a trusted Teams contact, or an existing supplier contact record.

Then report the message to your security or IT team straight away.

If money may have been sent, involve finance, your bank, and the right fraud-reporting process immediately.

If sensitive data may have been shared, start your internal incident process without delay.

If An Account May Be Compromised

If there are signs of account takeover, move quickly to contain it.

That usually means isolating the affected account, resetting credentials, revoking active sessions, reviewing MFA methods, checking consented apps, and looking for suspicious mailbox forwarding or inbox rules.

Notify affected contacts if the mailbox may have sent malicious messages.

Then review the timeline, document what happened, and tighten the control that failed - whether that was identity protection, email filtering, approval workflow, or user verification.
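Both the admin-level clue of "strange forwarding rules" earlier in the article and the containment step above ("looking for suspicious mailbox forwarding or inbox rules") come down to the same review. The script below is an added example, not code from the article or from Microsoft or Google; it assumes the mailbox's rules have already been exported into a simplified list of dictionaries (a constructed shape, loosely modelled on how mail platforms describe rules, with `displayName`, `isEnabled`, `conditions` and `actions`) and that the organisation's own domain is the placeholder acme-example.com.

```python
# Placeholder for the organisation's own mail domain.
INTERNAL_DOMAIN = "acme-example.com"
# Keywords attackers typically filter on to intercept payment and reset traffic.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "password", "mfa", "urgent"}
# Folders commonly used to hide messages from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}


def external_addresses(addresses):
    """Return the recipients that are not on the organisation's own domain."""
    return [a for a in addresses if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def triage_rule(rule):
    """Return human-readable reasons this single rule deserves review (empty list if none)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    targets = actions.get("forwardTo", []) + actions.get("redirectTo", []) + actions.get("forwardAsAttachmentTo", [])

    ext = external_addresses(targets)
    if ext:
        reasons.append("forwards to external address " + ", ".join(ext))
    if actions.get("delete") and targets:
        reasons.append("deletes the message after forwarding")
    folder = actions.get("moveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"hides matching mail in '{folder}'")
    words = {w.lower() for w in conditions.get("bodyOrSubjectContains", [])}
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    if hits:
        reasons.append("matches finance/credential keywords " + ", ".join(hits))
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def triage_mailbox(rules):
    """Return [(rule name, reasons)] for every enabled rule that raised at least one reason."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = triage_rule(rule)
        if reasons:
            findings.append((rule.get("displayName", ""), reasons))
    return findings


# Constructed rule export for one mailbox; addresses and names are placeholders.
SAMPLE_RULES = [
    {
        "displayName": ".",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["invoice", "payment"]},
        "actions": {"forwardTo": ["collector@attacker-example.net"], "delete": True},
    },
    {
        "displayName": "Newsletter filing",
        "isEnabled": True,
        "conditions": {"senderContains": ["news@"]},
        "actions": {"moveToFolder": "Newsletters"},
    },
    {
        "displayName": "Hide resets",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["password"]},
        "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True},
    },
    {
        "displayName": "Old forward (disabled)",
        "isEnabled": False,
        "conditions": {},
        "actions": {"forwardTo": ["me@webmail.example"]},
    },
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

The first rule is the textbook pattern: a one-character name, a filter on invoice and payment wording, an external forward and a delete so the owner never sees the thread. The third is quieter but still worth a look, because parking password-reset mail in an RSS folder is a way of keeping the real user from noticing an account takeover. Disabled rules are skipped here, but during containment it is worth listing them too, since the attacker may have only just been cut off.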

The Bottom Line

An impersonation attack is not just a fake email problem.

It is a trust problem.

Attackers win when a message looks normal enough to slip past both people and controls.

That is why effective business email security needs layers - domain authentication, account protection, impersonation-aware detection, strong approval workflows, and users who know when to stop and verify.

If your organisation wants to reduce risk, start by asking a simple question: could someone inside the business confidently spot the difference between a familiar email and a trustworthy one?

 

FAQs

Is An Impersonation Attack The Same As Phishing?

No. Phishing is the broader category of deceptive messages designed to trick people into taking harmful actions.

Impersonation is one common tactic within phishing, where the attacker pretends to be someone trusted.

What Is The Difference Between Spoofing and Impersonation?

Spoofing is usually the technical act of falsifying sender identity.

Impersonation is the broader attempt to appear trustworthy.

An attacker can impersonate someone through spoofing, a lookalike domain, a fake display name, or a real compromised account.

Is Business Email Compromise A Type Of Impersonation Attack?

Often, yes.

BEC commonly relies on impersonation to make payment requests, invoice changes, or sensitive approvals look legitimate.

But BEC can also involve a real compromised mailbox rather than a purely fake sender.

Can DMARC Stop Impersonation Attacks?

DMARC helps reduce direct domain spoofing, especially when it is correctly implemented alongside SPF and DKIM.

It does not stop every impersonation tactic on its own.

Display-name fraud, lookalike domains, and compromised accounts still need other controls and user checks.

How Do Attackers Impersonate Executives?

They often research the executive’s role, writing style, and reporting lines, then use urgency and authority to pressure staff into bypassing normal process.

The email may come from a spoofed sender, a lookalike domain, or a compromised mailbox.

What Should Employees Do If They Receive A Suspicious Request?

Pause, verify it through another channel, and report it to IT or security.

Do not reply directly to the suspicious message, and do not click links or open attachments until the sender is confirmed.

 

References

Phishing Attacks, NCSC, 2024

How To Spot A Scam, NCSC, 2021

Email Security and Anti-Spoofing, NCSC, 2019

Reject Spoof Emails, NCSC, 2019

MFA Guidance, NCSC, 2024

Business Email Compromise, FBI, 2020

Anti-Phishing Policies, Microsoft Learn, 2026

Microsoft 365 Security Settings, Microsoft Learn, 2026

Compromised Email Response, Microsoft Learn, 2025

Spoofing Report, Google Workspace Admin Help, 2026

Reviewed by

Sam Kendall, 12.03.26

 

19 03 26

Posted by: Sam Kendall

Sam Kendall is a marketing strategist with over a decade of experience working on how organisations communicate with people through digital channels. At Beyond Encryption, he leads digital marketing, collaborating closely with product and sales on secure, trustworthy customer communications. His work is grounded in research, buying behaviour, and practical experience, with a focus on clarity, consistency, and long-term effectiveness rather than short-term tactics.
