Impersonation is fooling the enterprise

Campaign Snapshot - March 15, 2024


Overview

Email-based name impersonation attacks are an evolving form of Business Email Compromise (BEC) that deceives the recipient into believing the email came from a trusted source. At Cloudflare, we detect and retract email-based name impersonation attacks every day from customer inboxes. While the vast majority of these are basic scams, such as asking for an employee to buy gift cards; more sophisticated attacks utilize new ways to leverage social engineering and OSINT to craft increasingly compelling phishing emails.

You have likely seen phishing emails such as the one below. In this instance, someone is pretending to be an employee and requesting their banking information for their payroll deposits be changed.

Image source: Cloudflare Email Security

This and similar attacks utilize basic information about their targeted users; their name and job titles, harvested from LinkedIn or other social media platforms. These are generally sent en masse to many different organizations and users at once - a “wide net” approach.

A more complex form of name impersonation attack is known as a VIP/Vendor Impersonation Combo. In this example, the attacker has registered a fake domain impersonating a legitimate vendor. The attacker has also created an email address impersonating a VIP at the targeted organization. The attacker creates a fake email thread from the supposed vendor requesting payment of an invoice.

Image source: Cloudflare Email Security

These can be particularly dangerous as the fabricated thread gives authority to the request. Generally speaking, these attacks are more targeted than the mass-mailed direct deposit attacks. The attackers tend to spend more time researching the target’s environment. In the event of a compromised account, threat actors can read the target’s latest emails and are better equipped to legitimize their requests. Let’s look at an even more complicated example of name impersonation that uses such tactics.


Image source:
Cloudflare Email Security

In this example, we have a threat actor impersonating an employee using a domain nearly identical to the legitimate domain. Additionally, they have hijacked the existing email thread between the companies by compromising the sender email account.

This is an extremely dangerous and targeted form of name impersonation - “vendor compromise”. Attacks of this nature play on all of the above tactics, including VIP impersonation, vendor impersonation, and capitalizes on information collected from a compromised vendor account. In this case, there was a high monetary risk for customers. Thankfully, Cloudflare alerts clients who are then able to take action before harm is done.

As Name Impersonation attacks evolve, it is very important to recognize the risks these attacks present to your organization. After all, email remains the number one vector for business compromises.

Cloudflare Email Security’s advanced machine learning and Artificial Intelligence technology uncovers new tactics used by malicious actors to bypass legacy solutions in real time. See more recent trends and recommendations for preventing successful phishing attacks in the 2023 Phishing Threats Report. To see Cloudflare Email Security in action, get a free phishing risk assessment.


About Cloudforce One

Cloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that detect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political gain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with publishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions. We identify and defend against attacks with unique insight that no one else has.

The foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which encompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the Internet, giving us unparalleled visibility into global events – including the most interesting attacks on the Internet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the point of launch, and turn intelligence into tactical success.

Subscribe to Cloudforce One

Related Resources

Unraveling SloppyLemming’s Operations Across South Asia
Unraveling SloppyLemming’s Operations Across South Asia

Threat brief

Disrupting FlyingYeti's campaign targeting Ukraine
Disrupting FlyingYeti's campaign targeting Ukraine

Threat brief

Freight fraud surge: global supply chain compromises
Freight fraud surge: global supply chain compromises

Campaign snapshot