Armorblox is now part of Cisco


8 Tips to Reduce the Risk of Email Impersonation Attacks


Lauryn Cash

Following email security best practices helps reduce the risk of email impersonation attacks. Learn five tips to help reduce your email threat exposure.


Email impersonation attacks, a form of Business Email Compromise (BEC), are becoming increasingly common and sophisticated. According to the FBI's Internet Crime Complaint Center, BEC attacks topped the list of cybercrime complaints, with adjusted losses of over $2.7 billion in 2022.

What is an impersonation attack? In email impersonation scams, a bad actor pretends to be a trusted person or organization to steal money or sensitive information via email. The trusted entity being spoofed could be anyone — a high-level executive, colleague, vendor, or a consumer brand that emails you regularly.

Scammers blend impersonation with other techniques to defraud organizations and steal account credentials. Unfortunately, victims often don’t realize they have been defrauded until days or weeks after the fraud.

So what can you do to keep your business safe? Here are eight tips to protect your business against email impersonation attacks.

Tip 1: Educate Your Employees

The first line of defense against email impersonation attacks is your employees. Offer regular security awareness training on email impersonation scams, like spoofing and spear phishing attacks. Give them examples of what to look out for, such as requests to share sensitive information or urgent requests to transfer money.

Tip 2: Watch For Social Engineering Cues

Scammers often craft email impersonation attacks using language that creates a sense of urgency or fear, pressuring victims to take immediate action. Of course, not every email that makes people feel these emotions is an impersonation attack. It’s an essential factor to watch for, nonetheless.

Impersonation attack examples include:

  • Requests involving the transfer of money or sensitive information given at short notice
  • Unusual purchase requests (e.g., iTunes or Amazon gift cards)
  • Employees requesting sudden changes to direct deposit information
  • Vendors sharing new bank account details, usually right before an invoice is due

Fig: This email impersonation attack exploits the COVID-19 pandemic to make an urgent request for gift card purchases.

Tip 3: Monitor For Unusual Activity

Regularly monitor your email account for unusual activity, such as login attempts from unfamiliar locations or devices. If you notice anything suspicious, immediately change your password and notify your IT department.

Tip 4: Always Do a Context Check on Emails

Targeted email attacks count on victims “doing before thinking” instead of stopping and engaging with a request rationally. So while it may take a few extra seconds, always ask yourself if the email you’re reading (and what it’s asking for) makes sense.

  • Why would your CEO really ask you to purchase iTunes gift cards with two hours’ notice? Have they done it before?
  • Why would Netflix emails come to your business email address?
  • Why would the IRS ask for your SSN and other sensitive personal information over email?

Bottom line: Be a little paranoid while reading emails, even if they’re from trusted entities.

Tip 5: Check for Email Address and Sender Name Deviations

Many organizations have deployed keyword-based protection that catches email addresses or sender names that match executives or other related keywords. However, impersonation attacks use email addresses and sender names with slight deviations to get past these security controls.

Some common deviations to look out for are:

  • Spelling changes, especially ones missed at first glance (e.g., ‘ei’ instead of ‘ie’ in a name).
  • Changes based on visual similarities to trick victims (e.g., replacing an ‘rn’ with an ‘m’ because they look alike).
  • Business emails sent from personal accounts like Gmail or Yahoo without advance notice. It’s advisable to validate the sender's identity through secondary channels (like texting, Slacking, or calling them) if they’re emailing you with requests from their personal account for the first time.
  • Descriptive changes to the name, even if the changes fit in context. For example, attackers impersonating a Chief Technology Officer named Ryan Fraser can send emails with the sender name “Ryan Fraser, Chief Technology Officer.”
  • Changes to the components of the sender name (e.g., adding or removing a middle initial, abbreviating Mary Jane to MJ).

Bottom line: Do an extra pass on email addresses and sender names, especially if they look suspicious.

Fig: A sender name deviation (adding “Chief Technology Officer”) allowed this impersonation email to get past keyword-based security controls
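The deviations listed under Tip 5 can also be checked in code rather than only by eye. The sketch below is an added example, not Armorblox's detection logic: the directory of protected names, the freemail list, the 0.85 threshold, and the verdict labels are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory (assumption): protected display name -> known address.
PROTECTED = {
    "Ryan Fraser": "ryan.fraser@example.com",
    "Mary Jane Kiernan": "maryjane.kiernan@example.com",
}
FREEMAIL = {"gmail.com", "yahoo.com"}


def fold(text: str) -> str:
    """Lowercase, treat the look-alike 'rn' as 'm', keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().replace("rn", "m"))


def skeleton(display: str) -> str:
    """Comparison key that ignores appended titles and middle initials."""
    name = display.split(",")[0]                      # "Name, Chief ..." -> "Name"
    name = re.sub(r"\b[A-Za-z]\.?(?=\s)", "", name)   # drop single-letter initials
    return fold(name)


def abbreviated(name: str) -> str:
    """Initials plus surname, e.g. 'Mary Jane Kiernan' -> key for 'MJ Kiernan'."""
    parts = name.split()
    return fold("".join(p[0] for p in parts[:-1]) + parts[-1])


def check_sender(from_header: str, threshold: float = 0.85):
    """Return (verdict, matched_person) for one From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    cand = skeleton(display)
    for person, known in PROTECTED.items():
        keys = (skeleton(person), abbreviated(person))
        # Fuzzy ratio absorbs small spelling swaps such as 'ei' for 'ie'.
        score = max(SequenceMatcher(None, cand, k).ratio() for k in keys)
        if score < threshold:
            continue
        if addr.lower() == known:
            return ("ok", person)
        return ("freemail" if domain in FREEMAIL else "address-mismatch", person)
    return ("unknown", None)
```

A plain keyword match on "Ryan Fraser" would miss most of these variants; comparing normalized names and then checking the address against the known one flags the message for the secondary-channel verification the tip recommends.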

Tip 6: Learn the “Greatest Hits” of Impersonation Phrases

Email impersonation has been around for long enough that there are well-known phrases and tactics you should be aware of. However, malicious emails don’t always have to be directly related to money or data. The first email is sometimes a simple request to see who takes the bait.

Beware of the following phrases/context:

  • “Are you free now?” or “Are you at your desk?” and related questions are frequent opening lines in impersonation emails. Because they seem like harmless emails with simple requests, they often get past email security controls.
  • “Can you do something for me within the next 15 minutes?” or “I need an urgent favor” imply the email is time-sensitive. If you get this email from someone pretending to be your CEO, your instinct might be to respond quickly and be duped by the impersonation.
  • “Can you share your cell phone number?” or “I need your personal email” and other out-of-context requests for personal information. These requests aim to harvest data and build out the victim's profile. Once adversaries have enough information, they have another entity to impersonate.

Bottom line: Watch for unusual requests, especially if they’re of a personal nature.

Tip 7: Use Secondary Channels of Authentication

Enterprise adoption of two-factor authentication (2FA) and multi-factor authentication (MFA) has grown considerably. These methods help safeguard employee accounts by adding an extra layer of security, reducing the impact of account compromise.

Even if an attacker gains access to your email credentials, they cannot log in without the second factor, like a code sent to your phone. Individuals should try to replicate these methods for any email that makes unusual requests related to money or data.

For example:

  • If a vendor emailed you with a sudden change in their bank account details, call or text them to confirm they sent the email. Do not reply to the email or click on any links or attachments.
  • If your manager emails you asking for gift card purchases, send them a Slack message (or whatever productivity app you use) or call them to confirm the request.
  • If your HR representative emails you a document that requires your email account credentials to view it, check the email's veracity with the HR rep directly.

Bottom line: Even if you contact busy people for additional authentication, they will understand and appreciate your caution.

Tip 8: Implement Integrated Cloud Email Security

Organizations are changing their approach to email security by moving away from Secure Email Gateways (SEGs) and towards a combination of native email security and Integrated Cloud Email Security (ICES) solutions.

Gartner introduced the ICES nomenclature in its 2021 Market Guide for Email Security. ICES refers to advanced email security capabilities that use APIs to connect to an organization’s native email provider. These solutions go beyond blocking known harmful content and use language-based, contextual understanding of email communications to protect against targeted attacks, detect compromised internal accounts, and provide in-line prompts to users for reinforced security awareness training.

By analyzing email traffic, ICES solutions continuously learn and improve their ability to detect and protect against advanced threats. This results in reduced false positives, automated security responses, and better-informed personnel, all of which work together to minimize the risk of human error.

Integrated Cloud Email Security solutions can either augment or replace Secure Email Gateways (SEGs), now legacy technology, and integrate directly with email platforms, providing better detection and protection against targeted threats. Their capabilities include:

  • GPT Large Language Models & AI analyze the content and context of email communications. This includes analyzing text in the email body and attachments for tone (like urgency) and intent (unusual requests), which are often seen in social engineering tactics. GPT and AI provide in-depth email analysis to protect against sender impersonation, ransomware/extortion, account compromise attacks, and graymail.
  • Contextual Analysis & Attacks Overview creates user-specific and organization models for custom behavior baselines. How and with whom each user communicates is continuously monitored, and anomalous communications and conversations are automatically flagged.
  • Computer Vision follows URLs to their final destination and inspects them in real time to protect against fake landing pages used in malicious credential phishing campaigns. Minute visual deviations in images and layouts often go unnoticed by the human eye. Armorblox analyzes these pages and safely redirects end users away from them.
  • Malware & File Attachment Inspection analyzes attachments, malware, and advanced persistent threats without delaying end users' access to critical emails or disrupting critical email-based business workflows. Armorblox provides static and dynamic analysis and safely blocks end users from engaging with or downloading malicious files.

Email impersonation attacks are a serious threat that can result in significant financial and reputational damage. These tips are meant as starting points to understand email impersonation better and start addressing its risk factors.

Stopping email impersonation attacks requires a combination of security hygiene, some healthy paranoia while reading emails (even if they seem to be from people you trust), and email security solutions that provide specific impersonation protection.

Implementing a GPT-powered email security and data loss prevention solution like Armorblox can help you quickly identify, categorize, and remediate email threats and prevent data loss. Our advanced email security solution uses the same language models as ChatGPT, and our constant innovations have led to a future-proof approach to security.
