Check Point Email Security | Blog

How Impersonation Attacks Fool Users

Written by Jeremy Fuchs | October 14, 2021

October is National Cybersecurity Awareness Month. Each week has a theme. This week's theme? Fight the Phish. This blog shows a typical impersonation attack and how Avanan stops it.  

A common form of phishing is impersonation. There are three main types: user, domain, and brand. The attacker forges the sender address in the email's headers (most visibly the display name and address in the From header) so the message appears to come from the chosen target. That can mean impersonating the CEO or CFO, someone at an external company, or a widely trusted brand. Whatever form it takes, the goal is to convince the victim to hand over information or data that they would feel comfortable releasing to the person or brand being impersonated. Conventional thinking holds that attackers mostly impersonate C-level executives, and that does happen often: according to our findings, 29.4% of impersonation emails impersonate a C-suite executive. The novel finding is that attackers have switched up tactics.

According to our findings, 51.9% of all impersonation emails impersonated a non-executive in the organization. Non-executives are thus impersonated 77% more often than executives, according to Avanan research. There are a few reasons for this. One, security admins may be devoting extra attention to the C-suite, and attackers have adjusted. Two, non-executives still handle sensitive information and often have access to financial data, so there is no need to go all the way up the food chain.

Brands are commonly impersonated, and it is usually the most trusted and popular ones. Some of the most impersonated brands are what you would expect. According to Check Point, these are the most impersonated brands, with each brand's share of all brand phishing attempts globally:

  1. Microsoft (related to 45% of all brand phishing attempts globally)
  2. DHL (26%)
  3. Amazon (11%)
  4. Best Buy (4%)
  5. Google (3%)
  6. LinkedIn (3%)
  7. Dropbox (1%)
  8. Chase (1%)
  9. Apple (1%)
  10. PayPal (0.5%)

Of course, plenty of other popular brands are impersonated daily. One that we see often is DocuSign.

We've written in the past about how hackers can sign up for DocuSign accounts and send phishing directly through the service.

Another way hackers use DocuSign for phishing is by impersonating it. Here's what such an email looks like:

Notice at the bottom how it offers an alternate signing method: it asks you to enter your email password. No legitimate document-signing service needs the password to your mailbox, and that request is the tell.

A real DocuSign email also offers an alternate signing method, but it does not ask for your password. It asks for a security code that DocuSign generates:

A multi-tiered security solution like Avanan's matters here because no single signal is conclusive on its own. Avanan's AI determined this email was phishing based on the language used in the message combined with static layers such as low domain and sender reputation.
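As an added example (not Avanan's or Check Point's code), the following Python script ties together the two technical points above: it classifies the three impersonation types from a forged From header, and it combines that header check with a language check (the "enter your email password" request that marks the fake DocuSign mail) and a sender-reputation lookup into one verdict. The organization directory, the brand-to-domain map, the reputation table, the scoring weights and both sample messages are constructed for illustration and are assumptions, not data from the post.

```python
"""Added example: detect user, domain and brand impersonation from the From
header, then combine it with a language layer and a sender-reputation layer.
Everything below (directory, brand domains, reputation scores, weights and
sample messages) is constructed for illustration."""

import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of the organization being protected (assumption).
ORG_DOMAIN = "example.com"
EMPLOYEES = {"jane doe": "jane.doe@example.com",
             "sam patel": "sam.patel@example.com"}

# Brands whose names attackers borrow, mapped to domains the brand actually
# sends from (constructed and incomplete; a real list comes from the brand).
BRAND_DOMAINS = {"docusign": {"docusign.net", "docusign.com"},
                 "microsoft": {"microsoft.com"},
                 "dhl": {"dhl.com"}}

# Constructed reputation table standing in for a real reputation feed.
SENDER_REPUTATION = {"docusign.net": 0.95, "example.com": 0.99,
                     "docusign-secure.co": 0.05, "examp1e.com": 0.10}

# Language layer: a signing or notification email never asks for this.
CREDENTIAL_PHRASES = re.compile(
    r"(enter|confirm|verify).{0,30}(email|e-mail).{0,10}password", re.I)


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, trusted):
    """True when domain is a near miss of a trusted domain (examp1e.com), not an exact match."""
    return any(domain != t and
               difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85
               for t in trusted)


def classify_impersonation(from_header):
    """Return 'user', 'domain', 'brand' or None for a From header value."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    dom = sender_domain(addr)
    # User impersonation: a known employee's display name on another address.
    if name in EMPLOYEES and addr != EMPLOYEES[name]:
        return "user"
    # Domain impersonation: a lookalike of the organization's own domain.
    if dom != ORG_DOMAIN and lookalike(dom, {ORG_DOMAIN}):
        return "domain"
    # Brand impersonation: brand name in the display name, but a sending
    # domain the brand does not use.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and dom not in domains:
            return "brand"
    return None


def score_message(raw):
    """Combine the header, language and reputation layers into one verdict."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    body = msg.get_payload()
    dom = sender_domain(parseaddr(from_header)[1].lower())
    score, reasons = 0, []
    kind = classify_impersonation(from_header)
    if kind:
        score += 40
        reasons.append(f"{kind} impersonation")
    if CREDENTIAL_PHRASES.search(body):
        score += 40
        reasons.append("asks for email password")
    rep = SENDER_REPUTATION.get(dom, 0.5)  # unknown senders are neutral
    if rep < 0.3:
        score += 20
        reasons.append(f"low sender reputation ({rep})")
    return {"score": score, "phishing": score >= 60, "reasons": reasons}


# Constructed sample messages modelled on the fake and real DocuSign mails.
PHISH = """From: DocuSign <noreply@docusign-secure.co>
Subject: Document ready for signature

Please review and sign. Alternate signing method: enter your email password
to open the document.
"""

LEGIT = """From: DocuSign <dse@docusign.net>
Subject: Document ready for signature

Please review and sign. Alternate signing method: use the security code
we generated: 1234-5678.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The three header checks run in order of confidence: an employee's name on a foreign address is the strongest signal, a lookalike of the organization's own domain comes next, and a brand name on a non-brand domain last. The weights are arbitrary; the point is that the fake DocuSign mail trips all three layers while the legitimate one trips none, which is why a verdict built from several independent signals is harder to evade than any one of them.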