theNet by CLOUDFLARE

Impersonation is fooling the enterprise

3 real-life examples of this growing threat

Email-based name impersonation attacks are an evolving form of Business Email Compromise (BEC) that deceives the recipient into believing the email came from a trusted source. At Cloudflare, we detect and retract email-based name impersonation attacks every day from customer inboxes. While the vast majority of these are basic scams, such as asking for an employee to buy gift cards; more sophisticated attacks utilize new ways to leverage social engineering and OSINT to craft increasingly compelling phishing emails.

You have likely seen phishing emails such as the one below. In this instance, someone is pretending to be an employee and requesting their banking information for their payroll deposits be changed.

Image source: Cloudflare Email Security

This and similar attacks utilize basic information about their targeted users; their name and job titles, harvested from LinkedIn or other social media platforms. These are generally sent en masse to many different organizations and users at once - a “wide net” approach.

A more complex form of name impersonation attack is known as a VIP/Vendor Impersonation Combo. In this example, the attacker has registered a fake domain impersonating a legitimate vendor. The attacker has also created an email address impersonating a VIP at the targeted organization. The attacker creates a fake email thread from the supposed vendor requesting payment of an invoice.

Image source: Cloudflare Email Security

These can be particularly dangerous as the fabricated thread gives authority to the request. Generally speaking, these attacks are more targeted than the mass-mailed direct deposit attacks. The attackers tend to spend more time researching the target’s environment. In the event of a compromised account, threat actors can read the target’s latest emails and are better equipped to legitimize their requests. Let’s look at an even more complicated example of name impersonation that uses such tactics.

Image source: Cloudflare Email Security

In this example, we have a threat actor impersonating an employee using a domain nearly identical to the legitimate domain. Additionally, they have hijacked the existing email thread between the companies by compromising the sender email account.

This is an extremely dangerous and targeted form of name impersonation - “vendor compromise”. Attacks of this nature play on all of the above tactics, including VIP impersonation, vendor impersonation, and capitalizes on information collected from a compromised vendor account. In this case, there was a high monetary risk for customers. Thankfully, Cloudflare alerts clients who are then able to take action before harm is done.

As Name Impersonation attacks evolve, it is very important to recognize the risks these attacks present to your organization. After all, email remains the number one vector for business compromises.

Cloudflare Email Security’s advanced machine learning and Artificial Intelligence technology uncovers new tactics used by malicious actors to bypass legacy solutions in real time. See more recent trends and recommendations for preventing successful phishing attacks in the 2023 Phishing Threats Report. To see Cloudflare Email Security in action, get a free phishing risk assessment.


This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Author

Adam Leverette — @adam-leverette
Threat Response Engineer, Cloudflare



Key takeaways

After reading this article you will be able to understand:

  • How malicious actors use impersonation to appear legitimate

  • 3 common types of name impersonation

  • Why legacy email security can’t distinguish this type of attack



Receive a monthly recap of the most popular Internet insights!