Impersonation Attacks: Real Examples and How to Detect Them

A single deepfake video call cost one company $25 million. Here’s how to spot impersonation attacks before you’re next.

• Impersonation attacks exploit trust by posing as executives, vendors, or brands to trick victims into transferring money or sharing credentials.
• Email impersonation (BEC) causes the largest losses, but attackers also use typosquatting domains and deepfakes.
• Proactive detection beats reactive defense: monitor for typosquatting domains and brand impersonation.
• Layer technical controls (DMARC, MFA) with dark web monitoring to catch impersonation infrastructure early.

Business email compromise cost organizations $2.77 billion in 2024 according to the FBI’s Internet Crime Complaint Center. That figure represents just the reported losses. The actual number is likely much higher.

What makes impersonation attacks so effective? Attackers don’t hack systems. They hack trust. When an email appears to come from your CEO or a message looks like it’s from Microsoft, people respond without thinking twice.

This guide breaks down how impersonation attacks work with real examples. You’ll learn how to detect impersonation infrastructure early.

What Are Impersonation Attacks?

Most phishing emails are easy to spot. Bad grammar, suspicious links, requests from unknown senders. But impersonation attacks are different.

Impersonation attacks are social engineering schemes where attackers pose as someone you trust. They pretend to be executives or vendors to trick you into transferring money or sharing credentials. Unlike generic phishing, these attacks work because they exploit relationships you already have.

Authority and urgency do the heavy lifting. When an email appears to come from your CEO asking for an immediate wire transfer, questioning it feels uncomfortable. When a login page looks exactly like Microsoft 365, entering your password feels routine.

The IBM Cost of a Data Breach Report 2025 found that 16% of breaches now involve AI-assisted attacks, with 35% of those using deepfake technology for impersonation. Attackers aren’t just sending emails anymore. They’re making phone calls with cloned voices and video calls with synthetic faces.

Knowing what you’re up against helps you recognize the attack.

What Are the Most Common Types of Impersonation Attacks?

Impersonation attacks fall into four main categories, each targeting different trust relationships and using different techniques.

Email Impersonation and Business Email Compromise

Business email compromise (BEC) remains the most financially damaging form of impersonation. Attackers pose as executives or vendors to trick employees into transferring funds or sharing sensitive data.

Executive impersonation targets finance departments. Attackers send emails that appear to come from the CEO or CFO, requesting urgent wire transfers for confidential deals or time-sensitive payments. They often strike when executives are traveling or unavailable to verify requests.

Vendor impersonation exploits existing business relationships. Attackers compromise a vendor’s email account or create lookalike domains, then send invoices with updated payment details pointing to attacker-controlled accounts.

Colleague impersonation works at smaller scale but with high success rates. Attackers pose as coworkers requesting gift cards or payroll changes.

The FBI reports that BEC attacks have generated over $55 billion in losses over the past decade. These aren’t spray-and-pray phishing campaigns. They’re targeted operations where attackers research their victims and know exactly what to say.

Brand Impersonation

Attackers don’t just impersonate people. They impersonate entire organizations.

Brand impersonation is when attackers create fake websites or social media accounts that look like a trusted brand, exploiting the brand’s reputation to trick people into sharing credentials or sending money. It casts a wider net than executive impersonation: instead of targeting a handful of employees, attackers mimic a trusted brand to harvest credentials from its customers.

Fake login pages replicate the appearance of Microsoft 365 and banking portals. Victims who enter credentials hand them directly to attackers.

Typosquatting domains use slight misspellings or character substitutions to create convincing URLs. Examples include:

  • microsfot.com instead of microsoft.com
  • arnazon.com instead of amazon.com
  • paypa1.com instead of paypal.com

Social media impersonation creates fake customer support accounts. When users complain publicly about a service, fake support accounts reach out offering help, then direct victims to phishing sites or request account credentials.

Check Point’s research found that Microsoft is the most impersonated brand, appearing in 61% of brand phishing attempts. Apple, Google, and Meta round out the top targets.

Domain Impersonation

Domain impersonation is the infrastructure behind most impersonation attacks. Attackers register domains that look legitimate enough to fool both automated systems and human reviewers.

Lookalike domains use similar names with different TLDs (company.co instead of company.com) or add plausible prefixes and suffixes (company-support.com, login-company.com).

Cousin domains exploit variations of legitimate domain names. If your company owns company.com, attackers might register company-inc.com or companygroup.com.

Homoglyph attacks use characters from different alphabets that look identical to Latin letters. The Cyrillic “а” looks exactly like the Latin “a” but registers as a different character. A domain using Cyrillic characters can appear identical to a legitimate domain while pointing to attacker infrastructure.

These domains enable convincing phishing attacks because victims see familiar-looking sender addresses and URLs.

Voice and Video Impersonation

AI has transformed voice and video impersonation from movie plots into real attack vectors.

Vishing attacks use phone calls where attackers impersonate IT support or executives. Traditional vishing relied on acting skills. Now attackers can clone voices from just a few minutes of audio samples.

Deepfake impersonation creates synthetic video of real people. Attackers have used this technology to impersonate executives in video calls, convincing employees to authorize large transfers.

As these tools become more accessible and the results more convincing, deepfake impersonation will only increase.

What Real-World Impersonation Attacks Have Cost Companies Millions?

Abstract warnings about impersonation risks don’t capture the reality of these attacks. These examples show the actual financial damage.

Ubiquiti Networks: $46.7 Million

In 2015, networking equipment maker Ubiquiti Networks lost $46.7 million to a BEC attack. Attackers impersonated company executives and an outside attorney, convincing finance employees to make wire transfers to overseas accounts.

The attackers used executive impersonation combined with fake legal documentation. They created a sense of urgency around a confidential acquisition that required immediate fund transfers. Ubiquiti recovered approximately $15 million through legal action, but the remaining losses stood.

Toyota Boshoku: $37 Million

In 2019, attackers targeted Toyota Boshoku, a Toyota subsidiary that manufactures auto parts. Using BEC techniques, they convinced a finance executive to change bank account information for a wire transfer.

The attackers had researched Toyota’s supply chain and business relationships. They impersonated a legitimate business partner and knew enough about ongoing transactions to make their request seem routine. The company transferred $37 million before discovering the fraud.

Facebook and Google: $121 Million

Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas orchestrated one of the largest BEC schemes ever prosecuted. He impersonated Quanta Computer, a legitimate hardware vendor that both Facebook and Google used.

Rimasauskas registered a company in Latvia with the same name as the Taiwanese manufacturer. He then sent fake invoices to Facebook and Google for goods and services that Quanta had actually provided. Both companies paid the invoices to his accounts. Facebook lost $99 million and Google lost $23 million before the attack was discovered.

Arup: $25 Million

In early 2024, British engineering firm Arup lost $25 million after attackers used deepfake technology to impersonate the company’s CFO on a video call with an employee in their Hong Kong office.

The finance employee received what appeared to be a video conference request from the CFO and other colleagues. He joined the call, saw faces and heard voices that matched people he recognized, and followed their instructions to make 15 transfers totaling $25 million. Every other participant on the call was a deepfake. The attackers had used publicly available video and audio of the executives to create convincing synthetic versions.

Target Corporation: 40+ Million Cards Exposed

The 2013 Target breach started with impersonation. Attackers sent phishing emails to Fazio Mechanical Services, an HVAC vendor that did work for Target stores. The emails impersonated a legitimate business contact.

When Fazio employees clicked malicious links and entered credentials, attackers gained access to Fazio’s systems. From there, they moved laterally into Target’s network using the vendor’s legitimate access credentials. The resulting breach exposed payment card data for over 40 million customers.

This example shows how impersonation attacks don’t just cause direct financial loss. They enable deeper network compromises that affect millions of people.

How Do Attackers Set Up Impersonation Infrastructure?

Knowing how attackers set things up helps you detect them sooner.

Phishing Kit Acquisition

The dark web provides turnkey solutions for impersonation attacks. Phishing kits include:

  • Pre-built templates that replicate login pages for major services
  • Backend code that captures and logs stolen credentials
  • Proxy capabilities that relay authentication in real time, capturing MFA tokens
  • Instructions for deployment and operation

These kits sell for anywhere from $50 to several thousand dollars depending on sophistication. Some operate on subscription models, providing regular updates as target companies change their login pages.

Domain Registration Patterns

Before launching attacks, threat actors register the infrastructure they’ll need. This includes:

  • Lookalike domains for email sending
  • Domains to host fake login pages
  • Domains for command-and-control communication

Attackers often register multiple domain variations at once. Registration details are hidden by default, which makes attribution difficult. Some use hosting providers that intentionally resist takedown requests.

There’s a gap between when attackers register domains and when they use them. That’s your window to act.

Credential Harvesting From Breaches

Many impersonation attacks exploit credentials stolen in previous breaches. Attackers use this information to:

  • Access victim email accounts directly, sending impersonation emails from real addresses
  • Research targets by reading their communications
  • Understand business relationships and payment patterns
  • Build believable stories based on actual ongoing transactions

Credential monitoring detects when your organization’s credentials appear in breach data, enabling password resets before attackers can exploit them.

Social Engineering Research

Targeted impersonation requires research. Attackers gather information from:

  • LinkedIn profiles showing organizational structure and job titles
  • Press releases announcing deals and partnerships
  • Social media posts revealing travel schedules
  • Court filings and regulatory documents with financial details

This reconnaissance phase can take weeks for high-value targets. The research helps them know exactly what to say and when to say it.

How Do You Detect Impersonation Attacks Early?

The best defense catches impersonation infrastructure during the preparation phase, before attacks reach employees or customers.

Domain Monitoring for Typosquatting

Automated domain monitoring tracks new registrations that resemble your brand. This includes:

  • Exact match variations with different TLDs
  • Common typos and keyboard adjacency errors
  • Homoglyph attacks using similar-looking characters
  • Prefix and suffix variations

When a suspicious domain appears, security teams can investigate and request takedowns before phishing campaigns launch.
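The lookalike categories described above (TLD swaps, typos, homoglyphs such as Cyrillic “а” or “rn” for “m”, and prefix/suffix variants) can be triaged automatically against a new-registration feed. The following is an added example, not code from the article or any monitoring product; the brand label “company”, the feed entries and the confusables table are constructed, and feed entries are assumed to be in Unicode form (punycode already decoded).

```python
"""Lookalike-domain triage for a brand you defend, over a feed of newly
registered domains. Added example with a constructed feed, not product code."""
import unicodedata

# Constructed subset of visually confusable characters mapped back to Latin
# (a production check would load the full Unicode UTS #39 confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
               "1": "l", "0": "o"}
MULTI_CHAR = {"rn": "m", "vv": "w"}  # letter pairs that read as one letter


def skeleton(label: str) -> str:
    """Reduce a label to the Latin string it visually resembles."""
    s = unicodedata.normalize("NFKC", label).lower()
    for pair, single in MULTI_CHAR.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def osa_distance(a: str, b: str) -> int:
    """Edit distance where an adjacent swap (microsfot) also costs one edit."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, row[j - 1] + 1,
                       rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            row.append(cost)
        rows.append(row)
    return rows[-1][-1]


def classify(domain: str, protected: str, protected_tld: str = "com"):
    """Return why `domain` resembles the protected brand label, or None.
    Feed entries are assumed to be in Unicode form (punycode already decoded)."""
    parts = domain.lower().rstrip(".").split(".")
    tld = parts[-1]
    label = parts[-2] if len(parts) > 1 else parts[0]
    if label == protected:            # exact label: our own domain or a TLD swap
        return None if tld == protected_tld else "tld-variation"
    sk = skeleton(label)
    if sk == protected:               # identical once confusables collapse
        return "homoglyph"
    if osa_distance(sk, protected) == 1:
        return "typo"
    if protected in sk:               # company-support, login-company, ...
        return "affix"
    return None


def scan_feed(feed, protected: str, protected_tld: str = "com") -> dict:
    """Map each suspicious feed entry to its category for analyst review."""
    return {d: c for d in feed if (c := classify(d, protected, protected_tld))}


# Constructed sample of one day's new-registration feed for the brand "company".
NEW_REGISTRATIONS = ["company.com", "compnay.com", "company.co", "c\u043empany.com",
                     "login-company.com", "companygroup.com", "cornpany.com",
                     "example.org"]
```

Running `scan_feed(NEW_REGISTRATIONS, "company")` flags six of the eight entries; the two legitimate ones (the brand’s own domain and an unrelated domain) are left alone.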

Brand Monitoring Across Channels

Brand monitoring extends beyond domains to catch impersonation on:

  • Social media platforms where fake support accounts operate
  • App stores where malicious apps use your branding
  • Dark web forums where your data or access credentials may be sold

Catching brand abuse early lets you respond before the damage spreads.

Credential Monitoring for Early Warning

Stolen credentials enable the most convincing impersonation attacks. When attackers have actual access to executive email accounts, they send authentic messages from real addresses. Dark web monitoring identifies:

  • Stolen credentials that could enable account-based impersonation
  • Compromised employee devices leaking credentials through infostealer malware
  • Mentions of your organization on criminal forums

Detecting leaked credentials early enables password resets before attackers can exploit them for impersonation.

Email Authentication Implementation

While email authentication doesn’t stop all impersonation, it eliminates direct spoofing and provides visibility into abuse attempts. Three protocols work together to make this happen:

SPF (Sender Policy Framework) specifies which servers can send email for your domain.

DKIM (DomainKeys Identified Mail) adds cryptographic signatures that verify message integrity.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers how to handle authentication failures and provides reporting on attempted abuse.

Properly configured DMARC with a reject policy prevents attackers from forging your exact domain. It also generates reports showing when someone attempts to spoof your addresses.
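A defender can check their own zone for the weak settings this section warns about (a permissive SPF qualifier, DMARC at p=none, a partial pct, no reporting address). The example below is added here and is not the article’s code; the two zones are constructed for a placeholder domain company.com, showing the weak configuration beside the enforcing one.

```python
"""Audit a domain's SPF and DMARC TXT records for enforcement strength.
Added example over constructed records; nothing is fetched from DNS."""

# Constructed records: the same domain before and after tightening policy.
# Receivers look up SPF at the domain itself and DMARC at _dmarc.<domain>.
WEAK_ZONE = {
    "company.com": ["v=spf1 include:_spf.mailer.example ?all"],
    "_dmarc.company.com": ["v=DMARC1; p=none; pct=50"],
}
HARDENED_ZONE = {
    "company.com": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.company.com": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc-reports@company.com"
    ],
}

def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_zone(zone: dict, domain: str) -> list:
    """Return the list of weaknesses found; an empty list means enforcing."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing: any host may claim to send as the domain")
    elif len(spf) > 1:
        findings.append("SPF duplicated: receivers treat this as a permanent error")
    else:
        final = spf[0].split()[-1].lower()   # last mechanism decides the default
        if final in ("all", "+all", "?all"):
            findings.append(f"SPF ends in '{final}': every sender is accepted")
        elif final == "~all":
            findings.append("SPF softfail only: DMARC must carry the enforcement")
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC missing: exact-domain spoofing is neither blocked nor reported")
        return findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are monitored, not blocked")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC sp=none: subdomains stay spoofable")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applied to a sample only")
    if "rua" not in tags:
        findings.append("DMARC rua missing: spoofing attempts will not be reported")
    return findings
```

Note that even the hardened zone only protects the exact domain; a lookalike such as company-corp.com passes SPF and DMARC for its own name, which is why domain monitoring is needed alongside authentication.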

How Do You Prevent Impersonation Attacks?

Detection catches attacks before they launch. Prevention stops the ones that slip through.

Security Awareness Training

Employees are the last line of defense when impersonation emails reach inboxes. Effective training covers:

  • Recognition of urgent or unusual requests, especially involving money or credentials
  • Verification procedures for financial requests and sensitive information
  • Reporting mechanisms for suspicious communications
  • Real examples of impersonation attacks and their consequences

Training works best when it’s ongoing rather than annual. Regular simulated phishing exercises maintain awareness and identify employees who need additional support.

Email Authentication Protocols

Implementing DMARC at enforcement level (quarantine or reject) prevents direct spoofing of your domain. This doesn’t stop all impersonation but eliminates one attack vector.

Work with email security vendors to ensure authentication is properly configured for all sending sources, including marketing platforms and CRM systems that send email on your behalf.

Multi-Factor Authentication

MFA prevents attackers from accessing accounts even when they’ve stolen credentials. This limits the damage from successful credential harvesting and reduces opportunities for authenticated impersonation.

Phishing-resistant MFA using hardware security keys provides the strongest protection. Attackers can’t capture or replay hardware-based authentication.

Verification Procedures for Financial Requests

Establish and enforce procedures for verifying unusual requests:

  • Callback verification using known phone numbers, not numbers from the request
  • Dual authorization for large transfers
  • Mandatory waiting periods for urgent payment requests
  • Out-of-band confirmation for changes to payment details

This friction breaks the urgency attackers rely on and gives your team time to verify before acting.

Domain Protection Strategies

Proactively register domain variations to prevent attackers from obtaining them:

  • Common misspellings of your primary domain
  • Your domain with different TLDs
  • Obvious variations like yourcompany-support.com

While you can’t register every possible variation, covering the most likely candidates reduces the attack surface.

Conclusion

Impersonation attacks succeed by exploiting trust. Attackers pose as executives and trusted brands because people respond to familiar names and authority figures. Technical controls alone can’t solve a human problem.

The most effective defense combines multiple layers. Email authentication blocks direct spoofing. Training helps employees recognize suspicious requests. Verification procedures catch impersonation attempts. But the real advantage comes from early detection.

When you monitor for typosquatting domains and compromised credentials, you find impersonation infrastructure before attacks launch. Instead of responding to incidents, you’re preventing them.

Start by understanding your current exposure. A dark web scan shows which of your credentials are already exposed. From there, reset exposed passwords and set up monitoring to catch impersonation attempts early.

Impersonation Attack FAQ

Impersonation attacks are social engineering schemes where attackers pose as trusted individuals or brands to trick their victims. Unlike technical exploits that target software vulnerabilities, impersonation attacks target human psychology. They exploit the trust people place in familiar names and authority figures. Domain monitoring detects when attackers register lookalike domains to launch these attacks.

A finance employee receives an email that appears to come from the CEO requesting an urgent wire transfer. The email uses the CEO’s name and a lookalike domain (ceo@company-corp.com instead of ceo@company.com). The employee follows instructions and transfers $500,000 to an attacker-controlled account. This is executive impersonation, the most costly form of business email compromise.

Domain spoofing and typosquatting are the most common tactics. Attackers register domains that look nearly identical to legitimate ones. They might use paypa1.com (with a numeral 1) instead of paypal.com, or company-support.com instead of company.com. These lookalike domains host fake login pages and send convincing phishing emails. Domain monitoring detects these registrations early.

Financial loss hits first. Single BEC attacks have cost companies tens of millions. But money isn’t the only damage. Attackers who gain account access steal data. Your reputation takes a hit when customers learn they were phished through fake versions of your brand. And if that breach exposes protected information, you’re looking at regulatory penalties as well.

Prevention requires multiple layers. Technical controls include email authentication (DMARC, DKIM, SPF) and MFA on all accounts. Training helps employees recognize suspicious requests. But the most effective approach is proactive detection. Brand monitoring spots fake social media accounts and websites. Domain monitoring catches typosquatting before phishing campaigns launch. Credential monitoring finds stolen passwords that enable account-based impersonation.

Spoofing forges email headers so messages look like they came from a real address. Your email client shows the legitimate sender, but it’s faked. Impersonation is broader. Attackers register lookalike domains and use similar display names. They don’t need to forge anything because the lookalike domain is real. Email authentication stops spoofing, but it can’t block impersonation from legitimately registered domains.
