What is an email impersonation attack? In email impersonation attacks, scammers pretend to be a trusted person or organization to steal money or sensitive information from unwitting victims via email. The trusted entity being impersonated could be anyone — your boss, colleague, a vendor, or a consumer brand you get automated emails from.
Email impersonation attacks are a form of Business Email Compromise (BEC). They are worryingly effective because we tend to take quick action on emails from those we trust. In addition, impersonation attacks have moved past standard phishing emails and become more targeted over the years.
Fortunately, you can follow a few security hygiene best practices to reduce the risk of email impersonation attacks:
Tip #1 - Watch For Social Engineering Cues
Email impersonation attacks are often crafted with language that induces a sense of urgency or fear in victims, coercing them into taking some immediate action. Not every email that makes us feel these emotions is an impersonation attack, of course. It’s an important factor to watch for nonetheless.
Impersonation attack examples include:
- Requests involving the transfer of money or sensitive information given at short notice
- Unusual purchase requests (e.g., iTunes or Amazon gift cards)
- Employees requesting sudden changes to direct deposit information
- Vendors sharing new bank account details, usually right before an invoice is due
Fig: This email impersonation attack exploits the COVID-19 pandemic to make an urgent request for gift card purchases.
Tip #2 - Always Do a Context Check on Emails
Targeted email attacks count on victims “doing before thinking” instead of stopping and engaging with a request rationally. So while it may take a few extra seconds, always ask yourself if the email you’re reading — and what the email is asking for — makes sense.
- Why would your CEO really ask you to purchase iTunes gift cards with two hours’ notice? Have they done it before?
- Why would Netflix emails come to your business email address?
- Why would the IRS ask for your SSN and other sensitive personal information over email?
Bottom line: Be a little paranoid while reading emails, even if they’re from trusted entities.
Tip #3 - Check for Email Address and Sender Name Deviations
Many organizations have deployed keyword-based protection that catches email addresses or sender names that match key executives (or other related keywords). However, impersonation attacks use email addresses and sender names with slight deviations to get past these security controls.
Some common deviations to look out for are:
- Changes to the spelling, especially ones that are missed at first glance (e.g., ‘ei’ instead of ‘ie’ in a name).
- Changes based on visual similarities to trick victims (e.g., replacing an ‘rn’ with an ‘m’ because they look alike).
- Business emails that are sent from personal accounts like Gmail or Yahoo without advance notice. It’s advisable to validate the sender's identity through secondary channels (texting, Slacking, or calling them) if they’re emailing you with requests from their personal account for the first time.
- Descriptive changes to the name, even if the changes fit in context. For example, attackers impersonating a Chief Technology Officer named Ryan Fraser can send emails with the sender name as “Ryan Fraser, Chief Technology Officer.”
- Changes to the components of the sender name (e.g., adding or removing a middle initial, abbreviating Mary Jane to MJ).
Bottom line: Do an extra pass on email addresses and sender names, especially if they look suspicious.
Fig: A sender name deviation (adding ‘Chief Technology Officer’) allowed this impersonation email to get past keyword-based security controls
Tip #4 - Learn the ‘Greatest Hits’ of Impersonation Phrases
Email impersonation has been around for long enough that there are well-known phrases and tactics you should be aware of. However, malicious emails don’t always have to be directly related to money or data. The first email is sometimes a simple request to see who takes the bait.
Beware of the following phrases/context:
- “Are you free now?” or “Are you at your desk?” and related questions are frequent opening lines in impersonation emails. Because they seem like harmless emails with simple requests, they often get past email security controls.
- “Can you do something for me within the next 15 minutes?” or “I need an urgent favor,” and other phrases implying the email is time-sensitive. If you get this email from your “CEO,” your instinct might be to respond quickly and be duped by the impersonation in the process.
- “Can you share your personal cell phone number?” or “I need your personal email,” and other out-of-context requests for personal information. The objective of these requests is to harvest data and build out a profile of the victim. Once adversaries have enough information, they have another entity to impersonate.
Bottom line: Watch for unusual requests, especially if they’re of a personal nature.
Tip #5 - Use Secondary Channels of Authentication
Enterprise adoption of two-factor authentication (2FA) has grown considerably over the years, helping safeguard employee accounts and reduce the impact of account compromise. Individuals should try to replicate this best practice for any email that makes unusual requests related to money or data.
- If a vendor emailed you with a sudden change in their bank account details, call or text them to confirm they sent the email.
- If your manager emails you asking for gift card purchases, send them a Slack message (or whatever productivity app you use) to confirm the request.
- If your HR representative emails you a COVID resource document that needs email account credentials to be viewed, check the email's veracity with the HR rep.
Bottom line: Even if you’re reaching out to very busy people for additional authentication, they will understand and appreciate your caution.
These tips are meant as starting points to understand email impersonation better and start addressing its risk factors. But effective protection against email impersonation shouldn’t be left to eye tests alone. Instead, enterprise security teams should conduct a thorough audit of their email security stack and explore augmentations to native email security that offer specific impersonation protection.
With email more critical to our digital lives than ever, we must be able to believe people’s email identities. Stopping email impersonation attacks requires a combination of security hygiene, email security solutions that provide specific impersonation protection, and some healthy paranoia while reading emails — even if they seem to be from people you trust.
If you’d like more insight on email security trends and real-life examples of targeted email attacks, subscribe to email updates from Armorblox (we promise we won’t impersonate anyone). If you’d like to learn how Armorblox stops executive impersonation and other targeted email attacks, take a guided 5-minute product tour below.