This Email Sounds Like It Came From Your Boss. But It Didn’t.
The red flags of email impersonation, real world examples and what to do about it.
- Impersonation attacks keep evolving, but their success is still heavily reliant on human trust.
- Techniques like typosquatting, display name spoofing, and account take over make fake emails look real and have costly consequences.
- Awareness combined with multiple layers of detection and authentication tools can make your organization a harder target for attackers.
Email impersonation remains one of the most persistent threats in cybersecurity. In this blog, I’ll walk through how impersonation attacks have developed over time, the techniques attackers use today and how you can protect your business from becoming a target.
But what exactly is email impersonation? In short, it’s the use of a false identity when sending an email. Not long after the first email-based malware and spam attacks took place, attackers realised that if they used their own domains when they sent emails, mail administrators would simply block them.
That’s when they started to use random legitimate email domains—typically big brands—to make it more difficult for defenders to block their attempts. Over time, as email-based threats evolved, attackers started to use more advanced social engineering techniques to encourage their victims to interact with the emails they sent. Among them: Sending emails that appear to be from a trusted brand–or even a trusted person within the victim’s organization.
Many of these techniques were addressed with the introduction of domain authentication, SPF, DKIM and DMARC. But even to this day, not all domains are protected by these technologies. Even when authentication is in place, attackers sidestep defenses by using tactics like display name spoofing and account takeovers to impersonate legitimate correspondents.
How to spot the red flags
Attackers use a wide range of methods depending on their goals—stealing privileged credentials, spreading ransomware, committing fraud or engaging in other nefarious deeds. Here are the most common types of impersonations you should look out for:
- Fake product spam. By impersonating a trusted brand, the attacker encourages the victim to make a purchase. The attacker may then simply steal the money or ship a counterfeit or malicious product.
- Phishing emails. The attacker pretends to be your bank, email provider or employer to trick you into clicking on a login link—revealing your credentials.
- Ransomware and other trojans. By impersonating a trusted software provider, attackers encourage users to install malicious software.
- Business email compromise (BEC) scams. Attackers compromise the account of a person you trust and use their address to commit fraud.
- Backscatter attacks. To harass the victim or “hide” other malicious activities, attackers flood your inbox with rejection messages by using the victim’s address as the sender on a spam run.
Knowing the types of attacks is only half the battle. It’s just as important to recognize how these attacks are executed.
From deception to delivery: The tactics behind the tricks
Impersonation attacks rely heavily on deception—attackers don't need to break through firewalls if they can trick someone into letting them in. But once brought to light, their underhanded methods start to crack.
These are some of the techniques attackers rely on for their deception:
- Exact domain spoofing. This is the most basic form of attack and involves the attacker using the exact domain name of the company they are trying to impersonate. It’s less common now due to widespread SPF, DKIM and DMARC adoption.
- Typosquatting/Domain masquerading. Attackers slightly alter the spelling of the domain name, making it harder to detect the false domain—like using “1” instead of the letter “l” or “5” instead of “S”. Advanced versions of this attack also use alternate character sets that may look indistinguishable from the original name:
- Broądcom.com—Polish “a” (U+0105)
- Broаdcom.com—Cyrillic “a” (U+0430)
- Display name spoofing. As the name implies, the attacker uses the display name of the person they are impersonating with a consumer email address instead of attempting to spoof the protected corporate domain.
- Account takeover. For a takeover, the attacker phishes and compromises an actual email account and then uses it to reply to existing threads and commit fraud.
Real-world impersonations
Over the years I’ve helped investigate many incidents where impersonation was used. Let’s dive into some real-world cases where these tactics were used—including the highlights and their impact.
BEC scam involving a solicitor
A member of the public lost a large sum of money during a payment process involving a solicitor as part of a payment to a third party. When I investigated the emails, I found a mixture of an account takeover and a typosquat:
- The solicitor’s email account had been phished and compromised.
- The attacker logged into the solicitor’s account and started responding to existing email conversations with clients.
- In the response emails, the attacker changed the “reply to” address to a domain that they had registered which was extremely similar to the solicitor’s actual domain name.
- The clients continued to correspond with the attacker, believing they were speaking to the solicitor, and ended up transferring a large sum of money to the attacker’s bank account.
“Hacktivist” backscatter attack against a senior executive
In this case, a botnet sent hundreds of thousands of spam emails to recipients around the world, spoofing a senior executive’s address. When many of those emails were rejected, bounce messages flooded the executive’s inbox. This particular attack was intended to harass the executive in response to statements that they had made online.
Backscatter attacks to hide nefarious activity
In another case, a variation of the backscatter attack above was used to disguise a concerted attack on a company’s resources. While investigating a seemingly random backscatter attack, I discovered emails reporting multiple failed login attempts to the company’s DNS provider. The backscatter was just a smokescreen—and their real objective was to take control of the company’s DNS server.
Display name spoofing attack for Amazon vouchers
This next case is incredibly common and far more successful than you might think. The attacker scrapes the identity of a senior staff member from LinkedIn and then sends emails to members of their team with the intention of scamming them out of hundreds of dollars.
Here’s an example:
From: Warren Sealey <woz1379@gmail.com>
Hi Dave,
This is Warren, I’m at a staff offsite right now without my laptop so I’m emailing you from my gmail account. Could you please purchase ten $50 Amazon gift cards and email me the numbers? I’m going to be using them as awards.
Many thanks,
Warren
From typosquats to display name spoofing, these attacks rely on the exploitation of human trust, but they’re not unstoppable. Avoid costly consequences and build up your defenses, so you can stay ahead of these unpleasant threats.
Layer up protection to go beyond the basics
Defense starts with knowing where to look and what to lock down. To protect yourself and your business against these kinds of attacks, you’ll need a combination of controls, including:
Email authentication protocols
The first layer of defense begins with SPF, DKIM and DMARC. These foundational email authentication protocols should be mandatory for every business. These controls not only protect your employees against attacks, but they also protect your customers and suppliers from malicious actors pretending to be you.
Exact domain match detection
SPF, DKIM and DMARC are essential controls, but they do not cover all use cases. For added protection, consider adding extra detections to identify the use of your own domain name in email headers. This may be available directly through your mail hygiene provider, or you can create a data protection rule.
Keep in mind, there are many legitimate uses for your domain name in an email, so you may want to introduce these rules slowly by monitoring traffic instead of blocking emails from reaching their destination.
Fuzzy domain match detection
Fuzzy domain matching helps you detect typosquats of your domain name—meaning you can finally identify any altered addresses designed to trick your recipients. Because there are many ways to create a typosquat and mimic credentials, you may want to create your own custom regular expression (regex).
Here’s what it could look like for some common variations on Broadcom.com (apply it case-insensitively; the a/d pair is written order-insensitive so the transposed spelling below is also caught):
b[\W_]*r[\W_]*o[\W_]*(?:a[\W_]*d|d[\W_]*a)[\W_]*c[\W_]*[o0][\W_]*m[\W_]*(?:\.|dot|\[.\]|\(.\))[\W_]*c[\W_]*o[\W_]*m
- broadcom.com
- brodacom.com (typo)
- broadc0m.com (0 instead of o)
- broad-com.com (extra punctuation)
- broadcom[.]com, broadcom(dot)com (obfuscation)
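To show how such a pattern is used in practice, here is an added example (not code from this post or from any product) that applies it to the From and Reply-To headers of a message, which is exactly where the solicitor case above went wrong. It assumes only Python’s standard library, uses broadcom.com as the protected domain, and writes the a/d pair order-insensitively so the transposed spelling is caught:

```python
import re
from email import message_from_string
LEGIT_DOMAIN = "broadcom.com"
# The post's fuzzy pattern, compiled case-insensitively. The a/d pair is order-insensitive
# so the transposed "brodacom" is caught too; [\W_]* tolerates inserted dots or dashes.
TYPOSQUAT_RE = re.compile(
    r"b[\W_]*r[\W_]*o[\W_]*(?:a[\W_]*d|d[\W_]*a)[\W_]*c[\W_]*[o0][\W_]*m[\W_]*"
    r"(?:\.|dot|\[.\]|\(.\))[\W_]*c[\W_]*o[\W_]*m",
    re.IGNORECASE,
)
# First address in a header value: the <...> form or a bare user@domain.
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")

def extract_domain(header_value):
    """Lower-cased domain of the first address in a From/Reply-To value, or None."""
    m = ADDR_RE.search(header_value or "")
    if not m:
        return None
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[-1].strip().lower()

def classify_domain(domain):
    """'exact' for our real domain, 'typosquat' for a fuzzy match, else 'other'."""
    if domain is None:
        return "missing"
    if domain == LEGIT_DOMAIN:
        return "exact"
    if TYPOSQUAT_RE.search(domain):
        return "typosquat"
    return "other"

def check_message(raw):
    """Flag a message whose From or Reply-To domain is a look-alike of ours;
    a genuine From with a typosquatted Reply-To is the BEC pattern above."""
    msg = message_from_string(raw)
    verdict = {
        "from": classify_domain(extract_domain(msg.get("From"))),
        "reply_to": classify_domain(extract_domain(msg.get("Reply-To"))),
    }
    verdict["suspicious"] = "typosquat" in verdict.values()
    return verdict

# Constructed sample, not real mail: the account is genuine but replies are
# steered to a look-alike domain registered by the attacker.
SAMPLE_BEC = (
    "From: Accounts <accounts@broadcom.com>\n"
    "Reply-To: Accounts <accounts@broadc0m.com>\n"
    "Subject: Updated bank details\n\nPlease use the new account.\n"
)
```

Run it in monitor mode first: the pattern also matches legitimate spellings such as broadcom.com itself, which is why the exact-match check comes before the fuzzy one.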
Display name controls
Some email hygiene solutions now allow inspection of the display name in the “body from” header (the RFC 5322 From header the recipient sees, as opposed to the envelope sender)—an area often exploited in impersonation attacks. This can be compared against a curated list of high-risk individuals within your business like executives, finance leads or other VIPs.
But don’t add everybody in your company—names like “John Smith” are common and can trigger false positives. More advanced email security solutions will have a regex sitting behind the list of names to ensure that common variations are also detected. If you don’t have display name controls built into your email hygiene product then you may be able to build data protection rules to achieve the same aim. An example regex (it relies on \p{L} Unicode classes and on ^ matching at the start of each header line, so it needs an engine such as PCRE with multiline mode enabled) would be:
^(?:From:(?:\n?.*?){1,2}?)((?:(?<!\p{L})warren(?:(?!\p{L})(?:(?:\n[\t]{0,2}?)?.+?)(?<!\p{L}))?sealey(?!\p{L})|(?<!\p{L})sealey(?:(?!\p{L})(?:(?:\n[\t]{0,2}?)?.+?)(?<!\p{L}))?warren(?!\p{L}))(?=\p{P}{0,3}?[<]|\p{P}{0,3}?(?<!\/|\\)\w{1,}?\p{P}{0,3}?[<])|(?<=['“"”<\(:])(?:warren\p{P}{0,3}sealey|sealey\p{P}{0,3}warren)[0-9]{0,1}(?=@))(?:.*?\n){1,4}?(?=^[\w-]+?:)
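As an added example (not the post’s regex or any product’s logic), the following Python code implements the same idea with a normalizing comparison instead of a hand-written pattern, so that reordered, upper-cased or accented spellings of a VIP’s name still hit the watch-list. The corporate domain example.com and the one-name watch-list are assumptions:

```python
import re
import unicodedata
from email.utils import parseaddr

# Assumptions for this example: the protected corporate domain and a short,
# hand-picked watch-list (keep it to VIPs; do not load the whole directory).
CORPORATE_DOMAINS = {"example.com"}
VIP_NAMES = ["Warren Sealey"]

def normalize_name(name):
    """Case-fold, strip accents and punctuation, and sort the tokens so that
    '"Sealey, Warren"' and 'warren SEALEY' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(sorted(re.findall(r"[a-z]+", text.lower())))

VIP_INDEX = {normalize_name(n): n for n in VIP_NAMES}

def vip_match(display, local_part):
    """VIP matched by the display name or, as the post's regex does for a
    'warrensealey1@' address, by the letters of the local part."""
    hit = VIP_INDEX.get(normalize_name(display))
    if hit:
        return hit
    letters = re.sub(r"[^a-z]", "", local_part.lower())
    for key, name in VIP_INDEX.items():
        parts = key.split()
        if letters and letters in ("".join(parts), "".join(reversed(parts))):
            return name
    return None

def check_display_name(from_header):
    """'impersonation' when a VIP name arrives from a non-corporate address,
    'internal' when the domain is ours (DMARC covers spoofing of that), else 'none'."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    vip = vip_match(display, local)
    if vip is None:
        return ("none", None)
    if domain.lower() in CORPORATE_DOMAINS:
        return ("internal", vip)
    return ("impersonation", vip)
```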
Anti-backscatter controls
While not specifically designed to stop impersonation attacks, anti-backscatter controls help protect your users when their email addresses are spoofed as senders in spam or phishing campaigns. These attacks can generate large volumes of non-delivery reports (NDRs), creating confusion and consuming resources.
There are a number of ways to implement anti-backscatter controls. Some email gateways add a unique number to each outbound email header and check for its presence on incoming NDRs. Other vendors may allow you to create a regex to distinguish between legitimate NDRs (from emails which were sent through your gateway) and backscatter attacks. The exact implementation will usually depend on your email gateway and service provider.
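As an added example (not code from this post or from any gateway product), here is the tagging approach in Python. It assumes a hypothetical X-Gateway-Tag header and a gateway secret, and instead of storing a random number per message it derives the tag as an HMAC of the Message-ID, so verifying a bounce needs no lookup table:

```python
import hashlib
import hmac
import re
from email import message_from_string

# Assumptions for this example: a per-gateway secret (kept outside the source in
# practice) and a hypothetical header name. The tag is an HMAC of the Message-ID,
# so the gateway can verify it later without storing anything per message.
GATEWAY_SECRET = b"rotate-me-in-production"
TAG_HEADER = "X-Gateway-Tag"

def make_tag(message_id):
    """Short, unforgeable tag bound to this gateway and this Message-ID."""
    return hmac.new(GATEWAY_SECRET, message_id.encode(), hashlib.sha256).hexdigest()[:16]

def stamp_outbound(raw):
    """Add the tag header to a message as it leaves through our gateway."""
    msg = message_from_string(raw)
    msg[TAG_HEADER] = make_tag(msg["Message-ID"])
    return msg.as_string()

def is_genuine_ndr(ndr_raw):
    """True only if the bounce body quotes a Message-ID/tag pair we produced.
    Backscatter from spoofed mail either lacks the tag or carries one that does
    not verify, so it can be quarantined instead of reaching the user."""
    body = ndr_raw.split("\n\n", 1)[1] if "\n\n" in ndr_raw else ""
    mid = re.search(r"^Message-ID:\s*(<[^>]+>)", body, re.M | re.I)
    tag = re.search(r"^" + re.escape(TAG_HEADER) + r":\s*([0-9a-f]{16})", body, re.M | re.I)
    if not (mid and tag):
        return False
    return hmac.compare_digest(tag.group(1).lower(), make_tag(mid.group(1)))

def build_ndr(original_raw, reason="550 5.1.1 user unknown"):
    """Constructed bounce in the common shape: the body quotes the original headers."""
    original_headers = original_raw.split("\n\n", 1)[0]
    return ("From: MAILER-DAEMON@remote.example\nTo: alice@example.com\n"
            "Subject: Undelivered Mail Returned to Sender\n\n"
            f"Delivery failed: {reason}\n\n--- Original message headers ---\n"
            + original_headers + "\n")

# Constructed outbound message, not real mail.
OUTBOUND = (
    "From: Alice <alice@example.com>\nTo: bob@remote.example\n"
    "Subject: Hello\nMessage-ID: <msg-0001@example.com>\n\n"
    "Just checking in.\n"
)
```

Real NDRs vary in shape (message/rfc822 attachments, text/rfc822-headers parts), so a production check would walk the MIME parts rather than search the flat body.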
Mixed character detection in headers
To detect a header that mixes character sets (a run of adjacent RFC 2047 encoded-words that declare different charsets), use a regex like:
=\?([^?]+)\?[BQbq]\?[^?]*\?=(?:\s*=\?(?!\1)[^?]+\?[BQbq]\?[^?]*\?=)+
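As an added example (not from this post), this Python code runs the pattern above over a raw header and adds a second check the pattern alone cannot do: it decodes the encoded-words and lists the Unicode scripts of the result, which is what catches the single-charset Cyrillic look-alike from the typosquatting section. The sample headers are constructed:

```python
import base64
import re
import unicodedata
from email.header import decode_header

# The post's pattern: adjacent RFC 2047 encoded-words declaring different charsets.
# IGNORECASE also makes the \1 back-reference case-insensitive, so "utf-8" next to
# "UTF-8" is not reported as a mix.
MIXED_CHARSET_RE = re.compile(
    r"=\?([^?]+)\?[BQbq]\?[^?]*\?=(?:\s*=\?(?!\1)[^?]+\?[BQbq]\?[^?]*\?=)+",
    re.IGNORECASE,
)
CHARSET_RE = re.compile(r"=\?([^?]+)\?[bq]\?", re.IGNORECASE)

def decode_words(header):
    """Decode every encoded-word and return the whole header as one str."""
    out = []
    for chunk, charset in decode_header(header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)

def scripts_in(text):
    """Unicode scripts of the letters in text, e.g. {'CYRILLIC', 'LATIN'}, read
    from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def inspect_header(raw):
    charsets = []
    for cs in CHARSET_RE.findall(raw):
        if cs.lower() not in charsets:
            charsets.append(cs.lower())
    decoded = decode_words(raw)
    scripts = sorted(scripts_in(decoded))
    return {"decoded": decoded, "charsets": charsets,
            "mixed_charsets": MIXED_CHARSET_RE.search(raw) is not None,
            "scripts": scripts, "mixed_scripts": len(scripts) > 1}

# Constructed headers, not real mail. The first mixes charsets across two encoded-words
# (Polish a-ogonek via ISO-8859-2); the second hides a Cyrillic "a" (U+0430) inside a
# single UTF-8 encoded-word, which the charset regex alone cannot see.
SAMPLE_MIXED_CHARSET = "=?UTF-8?B?QnJv?= =?ISO-8859-2?Q?=B1dcom?= Support <noreply@example.net>"
SAMPLE_HOMOGLYPH = ("=?UTF-8?B?" + base64.b64encode("Bro\u0430dcom".encode("utf-8")).decode("ascii")
                    + "?= Support <noreply@example.net>")
```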
Geolocation-based email detection
In BEC and account takeover scenarios, attackers often operate from a different country than the owner of the compromised account. Knowing where an email is coming from can be very useful in identifying BEC scams and other impersonation-based attacks.
This can be achieved by examining the IP addresses in the header of the email and mapping them to lists of IP address space owned by different countries. As with other controls, this may be offered as an option by your email service provider or you may be able to achieve it using regex and a list of IP addresses grouped by owner.
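An added Python example (not from this post or from any provider) of that header walk: it pulls the bracketed IPs out of the Received headers, skips internal ranges that carry no location, and maps the rest through a constructed prefix-to-country table. The table uses documentation ranges only and the expected-country set for the mailbox is an assumption:

```python
import ipaddress
import re
from email import message_from_string
# Constructed prefix table standing in for a geolocation or registry delegation list.
# These are documentation ranges, NOT real country allocations.
COUNTRY_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "NG"),
    (ipaddress.ip_network("2001:db8::/32"), "US"),
]
EXPECTED_COUNTRIES = {"GB"}   # assumption: where this mailbox's owner normally sends from
# Hops in these ranges are our own or unroutable and carry no location information.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

def country_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in COUNTRY_PREFIXES if addr in net), None)

def received_ips(msg):
    """Bracketed IPs from the Received headers, oldest hop first (the top header
    is the newest), skipping internal ranges."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        for raw in IP_RE.findall(hdr):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue
            if not any(addr in net for net in INTERNAL_NETS):
                ips.append(str(addr))
    return ips

def geo_verdict(raw_message):
    """Map every external hop to a country and flag hops outside the expected set."""
    hops = [(ip, country_for(ip)) for ip in received_ips(message_from_string(raw_message))]
    unexpected = [h for h in hops if h[1] is not None and h[1] not in EXPECTED_COUNTRIES]
    return {"hops": hops, "unexpected": unexpected, "flag": bool(unexpected)}

# Constructed message, not real mail: the mailbox was used from an unexpected country
# (as in the solicitor BEC case above), then relayed through the usual MX.
SAMPLE_MESSAGE = (
    "Received: from mx.example.com (mx.example.com [203.0.113.10])\n"
    "\tby inbound.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from [10.0.0.5] (unknown [198.51.100.77])\n"
    "\tby mx.example.com with ESMTPSA; Mon, 1 Jan 2024 09:59:00 +0000\n"
    "From: Solicitor <solicitor@example.com>\nSubject: Updated payment details\n\n"
    "Please send the funds to the new account.\n"
)
```

Only the hops added by your own trusted gateways can be relied on; anything below them in the chain was written by the sending side and can be forged.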
Your shield is only as strong as its layers
From foundational controls like SPF, DKIM and DMARC to more advanced techniques like regex-based detection and geolocation filtering, layering defenses can significantly reduce your exposure to threat actors. With the potentially significant costs of a breach at stake, and given the increasingly underhanded tactics employed by threat actors, businesses cannot afford to rely on a single layer of defense.
To learn more about the leading solutions that simplify your defenses without cutting corners, download our free ebook, Code Red Alert: Don’t Become The Next Digital Hostage.