Social Engineering Techniques
What Is Impersonation?
Impersonation is a targeted phishing attack where a malicious actor pretends to be someone else—a trusted friend, colleague, business associate, or organization—to steal sensitive data from unsuspecting victims using social engineering tactics. It is one of the most commonly used social engineering techniques employed by hackers and cybercriminals to commit fraud, steal private data, gain access to restricted networks and systems, or manipulate victims into making fraudulent payments.
According to the Identity Theft Resource Center (2025), impersonation scams rose 148% year-over-year, becoming the top reported type of scam. Impersonation scams now account for 34% of all scams (compared to 10% for employment fraud and 9% for Google Voice scams). The Federal Trade Commission (2025) reports that combined losses reported by older adults who lost more than $100,000 to impersonation scams increased eight-fold, from $55 million in 2020 to $445 million in 2024.
How does impersonation work?
Impersonation works by assuming a trusted identity to exploit the victim's existing trust in that person or organization. The attack is typically malware-less, conducted through email, telephone, voicemail, SMS, spoofed domains, fake social media accounts, and fraudulent apps.
Email impersonation
Attackers create fraudulent emails that appear to come from trusted senders by spoofing domains or using visually similar addresses. Domain spoofing registers domains that look nearly identical to legitimate ones—replacing letters with similar-looking characters or adding hyphens. For example, "amaz0n.com" instead of "amazon.com" or "paypa1.com" instead of "paypal.com."
Display name spoofing is simpler—the email address differs from the displayed sender name. Email clients show "CEO John Smith" while the actual address is a random Gmail account. Users who don't examine the full email address are deceived by the familiar display name.
According to Egress (2024-2025), 89% of phishing emails involve impersonation tactics. Adobe ranks as the most impersonated brand, with DHL as the most impersonated mail carrier. Interestingly, 26% of phishing emails impersonate brands unconnected to the recipient's established business relationships, suggesting attackers cast wide nets with trusted brand names.
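The display-name check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it parses a From: header, strips job titles from the friendly name, and flags the message when that name matches a known internal contact but the actual address is not that contact's mailbox, or when the display name itself carries an address that differs from the real one. The corporate domain, the directory and the sample headers are constructed placeholders.

```python
"""Display-name spoofing check for From: headers.
Added example, not code from the original article. CORPORATE_DOMAIN,
DIRECTORY and the sample headers are constructed placeholders."""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"           # hypothetical organisation domain
DIRECTORY = {                              # normalized display name -> authorised address
    "john smith": "john.smith@example.com",
    "jane doe": "jane.doe@example.com",
}
TITLES = {"ceo", "cfo", "coo", "cto", "mr", "mrs", "ms", "dr"}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and job titles: 'CEO John Smith' -> 'john smith'."""
    tokens = re.sub(r"[^a-z\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in TITLES)


def check_from_header(from_header: str) -> dict:
    """Return a verdict dict with 'spoofed' and the reasons it was flagged."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    result = {"display": display, "address": addr, "spoofed": False, "reasons": []}

    # Trick 1: the friendly name contains an address that is not the real sender address,
    # e.g. "john.smith@example.com" <mail@attacker.invalid>
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != addr:
        result["reasons"].append("display name carries an address different from the real sender")

    # Trick 2: familiar internal name, but the address is not that person's mailbox
    norm = normalize_name(display)
    for known, known_addr in DIRECTORY.items():
        if re.search(rf"\b{re.escape(known)}\b", norm) and addr != known_addr:
            where = ("outside the organisation" if domain != CORPORATE_DOMAIN
                     else "a different internal mailbox")
            result["reasons"].append(f"display name matches {known!r} but address is {where}")
            break

    result["spoofed"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    # Constructed sample headers, not real mail
    for header in ("CEO John Smith <js.ceo.urgent@gmail.com>",
                   "John Smith <john.smith@example.com>",
                   '"john.smith@example.com" <mail@attacker.invalid>'):
        print(check_from_header(header))
```

The directory lookup is the part worth keeping in production: a name-to-address table sourced from the identity provider turns a vague "looks odd" into a deterministic mismatch that can be logged and used to quarantine or banner the message.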
Executive and CEO impersonation
Business Email Compromise attacks pose as company executives or high-level business associates to request urgent wire transfers or sensitive information. The attacker researches organizational hierarchies, identifies executives with authority to approve transfers, and learns communication patterns.
These attacks exploit authority gradients and urgency. Finance personnel receiving requests from apparent CEOs feel pressured to comply quickly, especially when requests emphasize confidentiality or time sensitivity. The combination of authority and urgency bypasses normal verification procedures.
Domain spoofing and lookalike domains
Attackers register domains visually similar to legitimate ones. Techniques include:
- Character substitution (0 for O, 1 for l, rn for m)
- Adding hyphens or extra words (apple-support.com)
- Using different top-level domains (.net instead of .com)
- Typosquatting common misspellings (gooogle.com)
These domains host fake websites mimicking legitimate login pages, collecting credentials from users who don't notice subtle URL differences.
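A defender watching new domain registrations or proxy logs can mechanically screen for the four tricks just listed. The block below is an added example, not code from the original article: it normalises a domain's second-level label (undoing common character substitutions and hyphen padding) and compares it with a hypothetical list of protected brand domains, reporting which trick the lookalike uses. The TLD split is deliberately simple and does not handle multi-part public suffixes such as co.uk.

```python
"""Lookalike-domain classifier: character substitution, padding, alternate TLD, typo.
Added example, not code from the original article. PROTECTED is a hypothetical
brand list; the sample domains are constructed."""

PROTECTED = ["amazon.com", "apple.com", "google.com", "paypal.com"]

# Substitutions that read the same at a glance (rn -> m, 0 -> o, 1 -> l, ...)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("|", "l")]


def split_domain(domain: str):
    """Return (second-level label, tld), ignoring subdomains.
    Multi-part public suffixes such as co.uk are not handled here."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def deconfuse(label: str) -> str:
    """Undo look-alike character substitutions: 'amaz0n' -> 'amazon'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (protected_domain, reason) if `domain` imitates a protected brand, else None."""
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in PROTECTED:
        return None                                  # the genuine domain itself
    tokens = deconfuse(label).split("-")             # 'apple-support' -> ['apple', 'support']
    joined = "".join(tokens)
    for brand in PROTECTED:
        b_label, b_tld = split_domain(brand)
        if joined == b_label and tld == b_tld:
            return brand, "homoglyph"                # amaz0n.com, paypa1.com
        if joined == b_label:
            return brand, "tld"                      # amazon.net
        if b_label in tokens:
            return brand, "padded"                   # apple-support.com
        if len(b_label) >= 5 and edit_distance(joined, b_label) == 1:
            return brand, "typo"                     # gooogle.com
    return None


if __name__ == "__main__":
    # Constructed samples covering each trick plus two benign domains
    for d in ("amaz0n.com", "paypa1.com", "apple-support.com",
              "amazon.net", "gooogle.com", "amazon.com", "microsoft.com"):
        print(d, "->", classify(d))
```

The length guard on the typo rule keeps short brand labels from matching every five-letter word; in practice the brand list would be the organisation's own domains and those of partners it pays or receives invoices from.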
Fake social media accounts and brand impersonation
Attackers create profiles impersonating executives, celebrities, or organizations on social media platforms. These accounts contact victims with investment opportunities, support requests, or urgent communications. The familiar name and profile picture create false trust.
Brand impersonation involves fraudulent communications claiming to represent well-known companies and their services. Customer support scams impersonate legitimate companies to steal credentials or payment information.
Voice and phone impersonation
Vishing (voice phishing) calls impersonate trusted contacts, often combined with caller ID spoofing displaying legitimate organizational phone numbers. AI-powered voice cloning enables convincing audio impersonation of executives or colleagues. A 700% surge in deepfake incidents was observed in 2024-2025, with businesses reporting a 200% surge in attempted deepfake-aided wire fraud in Q1 2025 alone.
How does impersonation differ from other attacks?
Impersonation is a specific technique within the broader phishing category that relies on identity deception. All impersonation attacks are phishing, but not all phishing involves impersonation—some phishing uses malicious links or attachments without assuming false identities.
Business Email Compromise is a specific variant of impersonation targeting business executives and finance departments. BEC is narrower in scope, focusing on financial fraud through executive impersonation. Impersonation is the broader category encompassing all identity-based deception.
While both pretexting and impersonation use deception, pretexting involves creating a fabricated scenario with a cover story, while impersonation specifically involves assuming a false identity. Pretexting might claim to need information for an audit without impersonating a specific auditor. Impersonation claims to be a specific auditor.
Spoofing is the technical means of impersonation—faking sender identity through email headers, caller ID manipulation, or domain registration. Impersonation is the broader social engineering tactic that may use spoofing among other techniques.
Why does impersonation matter?
Impersonation matters because it has become the dominant social engineering attack type, achieving unprecedented growth and financial impact.
Historic growth and prevalence
The 148% year-over-year rise in impersonation scams makes it the top reported scam type, accounting for 34% of all scams (ITRC, 2025). This dramatic growth reflects increased attacker sophistication and the effectiveness of identity-based deception.
Impersonation's prevalence within phishing is striking. Egress (2024-2025) found 89% of phishing emails involve impersonation tactics, indicating most phishing attempts use identity deception rather than purely technical methods.
Financial devastation
The eight-fold increase in losses among older adults—from $55 million in 2020 to $445 million in 2024 (FTC, 2025)—demonstrates escalating financial impact. The more than four-fold increase in reports of impersonation scams costing victims tens or even hundreds of thousands of dollars indicates both higher success rates and larger per-incident losses.
The $445 million represents only elderly victims losing over $100,000 each. Total losses across all demographics and incident sizes substantially exceed reported figures.
AI amplification
AI is helping optimize impersonation campaigns by empowering malicious actors to create fake websites, send highly convincing phishing emails and texts, and post ads on search engines. AI-powered deepfakes enable voice and video impersonation far more convincing than previous techniques.
The University of Oxford (2024) found AI-generated phishing emails have a 60% higher click rate than traditional ones. This effectiveness boost combined with reduced effort requirements makes AI-powered impersonation increasingly accessible to less sophisticated attackers.
Target selection patterns
General business impersonation represents 51% of impersonation scams, while financial institution impersonation accounts for 21%. This distribution shows attackers target a range of organizations, not just financial entities. Any trusted brand or relationship can be exploited for impersonation.
What are the limitations of impersonation?
Email authentication protocols
Email authentication standards (SPF, DKIM, DMARC) can prevent domain spoofing when properly configured. SPF specifies which servers can send email for a domain. DKIM adds cryptographic signatures verifying message integrity. DMARC tells receiving servers how to handle authentication failures and provides reporting on attempted abuse.
Properly configured DMARC with a reject policy prevents attackers from forging exact domain addresses and generates reports showing spoofing attempts. However, these protocols only protect against exact domain spoofing—they cannot prevent lookalike domains or display name spoofing.
Visual inspection
Careful examination of sender addresses and domain names can reveal impersonation attempts. Users who check the actual email address rather than just the display name detect spoofing. Hovering over links to preview URLs before clicking exposes fake domains.
However, relying on user vigilance has limitations. Many users don't inspect addresses carefully, especially on mobile devices where full addresses are truncated. Sophisticated lookalike domains can fool even careful inspection.
Out-of-band verification
Calling back using known numbers rather than numbers provided in messages exposes impersonation. When an email from an apparent colleague requests unusual action, calling their known number verifies legitimacy. This breaks the attacker's control of communication.
Organizations implementing mandatory verification policies for unusual requests reduce impersonation success regardless of technical sophistication.
Inconsistencies in communication
Deviations in language, tone, or formatting may reveal fraudulent communications. Impersonation emails often contain subtle errors—unusual phrasings from supposed colleagues, formatting inconsistencies with legitimate corporate emails, or uncharacteristic urgency from normally methodical executives.
Requests trigger suspicion
Requests for sensitive information or unusual payment methods should trigger suspicion. Legitimate executives don't request wire transfers via email without following established procedures. Real IT support doesn't request passwords. Banks don't ask for account verification through unsolicited messages.
Strong security cultures
Organizations with strong security cultures that verify unusual requests reduce impersonation success rates. When employees feel empowered to question apparent executive requests, verify through alternative channels, and escalate concerns, impersonation faces multiple hurdles.
How can organizations defend against impersonation?
Email authentication protocols
Implementing SPF (Sender Policy Framework) specifies which servers can send email for organizational domains. SPF records published in DNS prevent unauthorized mail servers from sending messages claiming to be from the organization.
DKIM (DomainKeys Identified Mail) adds cryptographic signatures that verify message integrity and sender authenticity. DKIM signing proves messages haven't been altered in transit and originated from authorized servers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM, telling receiving servers how to handle authentication failures. DMARC policies set to "reject" prevent delivery of messages failing authentication. DMARC reporting provides visibility into spoofing attempts, allowing organizations to monitor impersonation targeting their brand.
Brand Indicators for Message Identification (BIMI) allows brands to display logos next to authenticated emails in recipients' inboxes. BIMI works with DMARC to guarantee only authenticated emails show brand logos, providing additional verification for recipients.
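The limitations section and the defence section above both turn on how SPF and DMARC are configured, not merely whether records exist. The following is an added example, not code from the original article: it parses published SPF and DMARC TXT records and reports the weak settings described on this page (a soft-fail or permissive "all" mechanism, a monitor-only or quarantine DMARC policy, a partial pct, missing reporting addresses, and more than the ten DNS lookups RFC 7208 allows). The records are constructed strings, not live DNS answers; the weak pair sits beside the corrected pair.

```python
"""Assess SPF and DMARC TXT records for weak settings.
Added example, not code from the original article. The records below are
constructed strings for a hypothetical example.com, not live DNS answers."""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def parse_dmarc_tags(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return a list of findings; an empty list means the record enforces a hard fail."""
    findings = []
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["no SPF record: any server may claim to send for this domain"]
    lookups = 0
    all_qualifier = None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        if mechanism == "all":
            all_qualifier = qualifier
        elif mechanism in SPF_LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender, which defeats SPF")
    elif all_qualifier in "~?":
        findings.append(f"'{all_qualifier}all' is not a hard fail; spoofed mail is accepted and only marked")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means p=reject with reporting enabled."""
    findings = []
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers apply no policy and send no reports"]
    tags = parse_dmarc_tags(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append("p= tag missing or invalid; the record is not enforceable")
    sub_policy = tags.get("sp", policy).lower()      # subdomains inherit p when sp is absent
    if sub_policy != policy and sub_policy != "reject":
        findings.append(f"sp={sub_policy} leaves subdomains weaker than the organisational domain")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is spoofing the domain")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


# Constructed records: the weak configuration and its corrected form
WEAK_RECORDS = ("v=spf1 include:_spf.example.com ~all",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG_RECORDS = ("v=spf1 include:_spf.example.com -all",
                  "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    print("weak:  ", assess_domain(*WEAK_RECORDS))
    print("strong:", assess_domain(*STRONG_RECORDS))
```

To run this against a real domain, fetch the records with `dig +short txt example.com` and `dig +short txt _dmarc.example.com` and pass the strings in. Note that a clean result here still only covers exact-domain spoofing; lookalike domains and display-name spoofing need the separate checks the page describes.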
Multi-layered defense strategy
Organizations should enable messaging authentication, behavioral detection, administrative controls, and user education simultaneously. No single control provides complete protection; layered defenses create multiple barriers attackers must overcome.
Configure impersonation protection policies in Microsoft Defender and similar platforms, including display name policies, domain impersonation checks, and user impersonation rules. These tools flag emails with suspicious characteristics for additional scrutiny.
Enforce multi-factor authentication for accessing accounts, software, and other sensitive systems. MFA prevents compromised credentials from enabling full account access, limiting impersonation attack impact.
Implement conditional access and zero-trust security models requiring continuous verification rather than perimeter-based trust. Monitor for suspicious login attempts and account access patterns indicating compromised credentials.
User awareness and verification
Training users to identify impersonation red flags is essential. Warning signs include:
- Urgency language pressuring immediate action
- Unusual requests from familiar contacts
- Requests for sensitive information outside normal procedures
- Generic greetings despite supposed personal relationships
- Requests for payment via unusual methods
Users should always call the alleged sender to verify they sent the email, using independently verified contact information rather than numbers or links in the message. Use organization-provided directories to verify contact information before responding.
Train users to inspect sender email addresses carefully, checking for domain spoofing attempts, and verify unusual requests through alternative communication channels.
Incident response
When suspected impersonation is reported, organizations should act quickly. Immediate investigation determines if credentials were compromised, whether financial transactions occurred, and what information was shared.
If credentials were compromised, force immediate password resets and enable MFA. Monitor affected accounts for suspicious activity. For financial fraud, contact banks immediately and file reports with the FTC and FBI Internet Crime Complaint Center (IC3).
Document all impersonation incidents to identify patterns, understand attacker techniques, and improve defenses based on actual attacks targeting the organization.
FAQs
What is the difference between impersonation and phishing?
Phishing is the broader category of fraudulent communications designed to steal information. Impersonation is a specific technique within phishing that relies on pretending to be someone else or another entity. All impersonation attacks are phishing, but not all phishing involves impersonation—some phishing uses malicious links or attachments without identity deception.
The distinction matters for defensive strategy. Technical email filtering may catch malicious attachments but miss convincing impersonation using clean emails. User training must address both technical indicators (malicious links) and social indicators (impersonation red flags).
Why has impersonation become the top reported scam type in 2025?
Impersonation has surged due to AI-powered tools that make creating convincing fake websites, emails, and deepfakes easier and more scalable. Additionally, AI-generated phishing emails have a 60% higher click rate than traditional ones (University of Oxford, 2024), making them more effective. The 148% rise in reported impersonation scams reflects both increased attacker sophistication and heightened awareness among victims reporting attacks.
Market forces drive attacker investment. High success rates and financial returns incentivize continued impersonation focus. As defenses against other attack types improve, attackers shift resources to impersonation where human vulnerabilities remain exploitable.
How much financial damage has impersonation caused in recent years?
Impersonation scams caused $445 million in losses among older adults alone who lost more than $100,000 per person in 2024 (FTC, 2025)—an eight-fold increase from $55 million in 2020. The broader impact across all age groups and sectors is significantly higher, with global fraud losses exceeding $12.5 billion in 2024.
These figures represent only reported losses. Many victims don't report attacks due to embarrassment or lack of awareness about reporting channels. Actual financial impact likely substantially exceeds documented figures.
What is the most impersonated brand?
Adobe is the most impersonated brand in phishing emails, followed by DHL as the most impersonated mail carrier (Egress, 2024-2025). These popular brands are frequently used because they have widespread brand recognition and victims are more likely to trust communications appearing to come from them.
Brand selection reflects attacker strategy. Widely used brands like Adobe have large potential victim pools. Delivery services like DHL create plausible scenarios for unexpected communications and urgent time pressures ("package delivery attempt failed").
Can DMARC and email authentication prevent all impersonation attacks?
While DMARC, SPF, and DKIM significantly reduce the success of domain spoofing attacks when properly configured, they cannot prevent all impersonation attacks. Attackers can still use legitimate domains created for the purpose of impersonation, register similar-looking domains bypassing exact domain matching, or impersonate entities through phone calls, text messages, social media, or voice communications.
A multi-layered approach combining technical controls (email authentication), user awareness, and verification procedures is necessary. Technology handles technical impersonation vectors. Human awareness addresses social impersonation vectors. Verification procedures provide fallback protection when other controls fail.