Email impersonation is a type of cyberattack in which someone sends an email that appears to come from a trusted source, such as a colleague, boss, vendor, or company, in order to trick the recipient into taking an action: clicking a malicious link, downloading an attachment, or transferring money or sensitive data. The same scam is also very common as SMS text messages sent directly to your phone. The identity information needed to initiate the scam is very often taken from LinkedIn and other public social media. For example, you post news of your new job on LinkedIn, and scammers use that information to craft an impersonation email or text claiming to be from your new boss (whose details are also taken from LinkedIn). All of this can happen at lightning speed, often within 24 hours of your LinkedIn post.
There are two main forms of email impersonation:
- Display Name Spoofing: The attacker changes the sender's display name to look like someone the recipient knows, while the actual email address is fake.
  - Example: The email might show as "Jane Smith fakeemail@scammer.com," but the recipient sees "Jane Smith" and thinks it is their boss. Almost without fail, these impersonation emails come from @gmail.com or another generic email service, not from your new company's domain name. In most cases the attacker is trying to score a quick financial hit by conning you into purchasing e-gift cards and sending them the purchase codes so they can redeem them online before you catch on to the scam.
- Domain Spoofing: The attacker forges the email address itself to make it look like it is coming from a legitimate domain (e.g., boss@company.com), often by manipulating email headers or by using a lookalike domain (e.g., boss@cornpany.com instead of boss@company.com). This is more common when the attacker is attempting a bigger payday by requesting that bank transfers and payments be redirected.
These scams can be almost impossible to block completely, so your best defense is to be aware and always reach out directly to your hiring contact through the company's published phone number to confirm whether a request is legitimate. The attacker will try to use time to their advantage. S-L-O-W down and confirm before you take any action that will cost you money and embarrassment.
This tactic is commonly used in:
- Phishing
- Business Email Compromise (BEC)
- CEO fraud
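The two forms described above can be checked mechanically on an incoming From: header. The following is an added example, not code from the original article; the trusted domain, the known-contact list and the confusable-character table are constructed assumptions for the demonstration.

```python
# Added example: classify a From: header as display-name spoofing,
# lookalike-domain spoofing, a trusted sender, or unknown.
from email.utils import parseaddr

# Constructed sample data (assumed): the company's real domain and one
# known colleague, keyed by lower-cased display name.
TRUSTED_DOMAIN = "company.com"
KNOWN_CONTACTS = {"jane smith": "jane.smith@company.com"}

# Character sequences that look alike in many fonts; used to fold a
# lookalike domain such as "cornpany.com" back onto "company.com".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'cornpany.com' -> 'company.com'."""
    d = domain.lower()
    for seq, rep in CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d


def classify_from_header(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain', 'display-name-spoof' or 'unknown'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == TRUSTED_DOMAIN:
        return "ok"
    # Domain differs from the trusted one but folds onto it: a lookalike.
    if normalize(domain) == TRUSTED_DOMAIN:
        return "lookalike-domain"
    # Display name of a known contact, but the address lives elsewhere
    # (typically a generic webmail domain).
    if name.strip().lower() in KNOWN_CONTACTS:
        return "display-name-spoof"
    return "unknown"
```

A real mail filter would load the contact list from the directory and the domain from policy; the logic of the two checks stays the same.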