Impersonation and Spoof Protection
Email impersonation attacks account for 1.2% of all email traffic daily, with the US being the most targeted country. Over half of cybersecurity experts have encountered a brand impersonation attack. Is your organization protected?
What is Email Impersonation?
Email impersonation, or email spoofing, occurs when attackers forge a malicious email to appear from a reputable sender. Bad actors can manipulate email headers, exploit SMTP weaknesses, create look-alike domains, and more in order to fool unsuspecting recipients.
Have you ever received an email from yourself that you never sent? What about one from another employee that they never sent? How about one from a vendor asking for an invoice to be paid?
These situations aren’t simply Mandela Effects; they are called email impersonation, or “spoofing.”
These attacks range in sophistication, but the common ones are:
The simple use of an employee’s Display Name on an email sent from some other email address and domain.
Using a similar email address on a different domain, which is extremely common with compromised personal accounts.
Spearphish-grade attacks using a “lookalike” domain name, like Micr0soft.com instead of Microsoft.com.
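The three patterns above are detectable from the From header alone, before any authentication result is known. The following is an added example (not DMARC Director’s code, and not from the original page) that classifies a From header against a constructed staff directory: it flags a real employee’s display name on an outside mailbox, an employee’s address reused on another domain, and a lookalike domain built from confusable characters (the `Micr0soft.com` trick) or a single-character edit. The organisation domain, the directory and the sample headers are all constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data: a fictional organisation and its staff directory.
ORG_DOMAIN = "example.com"
EMPLOYEE_DIRECTORY = {  # display name -> the mailbox that employee really uses
    "Dana Reyes": "dana.reyes@example.com",
    "Sam Okafor": "sam.okafor@example.com",
}

# Digit-for-letter substitutions commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so that 'examp1e.com' and 'exarnple.com'
    both collapse to 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return a verdict for one RFC 5322 From header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    local_part, domain = addr.rsplit("@", 1)
    domain = domain.lower()

    if domain == ORG_DOMAIN:
        return "internal"

    # Lookalike domain: confusable characters folded away, or one edit from
    # the real domain. Checked first because it is the most targeted form.
    if (normalize_domain(domain) == normalize_domain(ORG_DOMAIN)
            or edit_distance(domain, ORG_DOMAIN) <= 1):
        return "lookalike-domain"

    # Display-name impersonation: a real employee's name on an outside mailbox.
    if name.strip() in EMPLOYEE_DIRECTORY:
        return "display-name-impersonation"

    # Similar address on another domain: an employee's local part reused elsewhere.
    known_local_parts = {mbox.split("@")[0] for mbox in EMPLOYEE_DIRECTORY.values()}
    if local_part.lower() in known_local_parts:
        return "similar-address"

    return "external"


if __name__ == "__main__":
    # Constructed From headers covering each case.
    samples = [
        "Dana Reyes <dana.reyes@example.com>",
        "Dana Reyes <dr.payroll@freemail.test>",
        "D. Reyes <dana.reyes@freemail.test>",
        "Sam Okafor <billing@examp1e.com>",
        "Accounts <invoices@exarnple.com>",
        "Vendor Billing <ap@vendor.test>",
    ]
    for header in samples:
        print(f"{classify_sender(header):28s} {header}")
```

A real deployment would feed the verdict into a banner (“this sender is outside your organization”) or a quarantine rule rather than printing it, and would widen the confusable table and the lookalike check to cover the organisation’s vendor domains as well as its own.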
While some low-grade attacks are easy to spot, busy people working through a long stack of emails often give the sender only the briefest glance and respond as usual. When a single reply or click can lead to a data breach, company-structure profiling or worse, stopping even these attacks is another component of a defense-in-depth strategy, and one that DMARC Director excels at.
You’ve undoubtedly seen something similar to this PayPal phishing email example.
Financial institutions get emails sent out spoofing their domain all the time since the ultimate end goal of the vast majority of bad actors out there is to get paid.
What you may not see as frequently is when these emails spoof your own domain, aimed both at your own employees and at your organization’s vendors and clients.
In these attacks your domain is used as a mask of legitimacy to fool those people into taking actions they would never perform for a ‘stranger.’
Why do attackers use spoofing attacks?
Malware Delivery: A spoofed email can contain malicious downloads or links, triggering viruses, ransomware or spyware that is downloaded to the recipient’s device.
Business Email Compromise (BEC): A spoofed email may convince trusted business partners or employees to transfer money or reveal sensitive information.
Phishing Attacks: A spoofed email appears to come from a social media network, financial institution or other well-known company. If not identified as fraudulent, recipients could reveal sensitive information and data, furthering the potential breach into even more critical systems and personnel.
The Costs of Email Impersonation
Email impersonation attacks can have significant, far-reaching effects on your organization.
Financial Loss
Spoofing leads to fraudulent transactions, unauthorized fund transfers and loss of customers.
Operational Disruption
An email attack halts daily operations as you take the time to conduct an investigation, set up new security processes and clean up damage.
Reputational Damage
42% of companies experience reputational damage from email attacks. It can take years to restore customer trust.
Lessons Learned: Real-World Impersonation Attacks
In 2015, Google and Facebook lost over $100 million due to a business email compromise (BEC) scheme. Despite the tech giants’ advanced security measures, attackers successfully impersonated trusted vendors and faked invoices, contracts and more. The organizations were falsely billed tens of millions of dollars over several years before the scheme was discovered.
In 2022, a San Francisco nonprofit became another target of a BEC threat. Attackers successfully spoofed the email account of the organization’s bookkeeper, sending messages requesting changes to wire payment instructions. The nonprofit lost over $650,000 before the error was discovered; unfortunately, none of the funds were recoverable.
If these companies had implemented DMARC before the attack, the spoofed emails would have been flagged as having failed authentication checks. The organizations could then have taken immediate action to quarantine or reject the fraudulent emails, preventing any financial loss.
How DMARC Director Protects Your Organization from Spoofing/Impersonation
Verifies Email Origin: DMARC Director uses SPF (Sender Policy Framework) to verify that the email is sent from an IP address authorized by the domain owner. If the sender’s IP is not listed in the SPF record, the email is flagged as suspicious.
Checks Email Integrity: DMARC Director checks whether the email carries a valid DKIM signature, ensuring that the email was signed by an authorized domain and was not altered in transit.
Conducts Alignment Checks: DMARC Director ensures that the “From” domain in the email header aligns with the domain authenticated by SPF and DKIM. This alignment is crucial for detecting spoofed emails.
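The three checks above combine into a single DMARC verdict: the message passes when at least one of SPF or DKIM both passed and is aligned with the From-header domain, and otherwise the domain owner’s published policy (none, quarantine or reject) decides its fate. The following is an added example of that evaluation logic, not DMARC Director’s code and not from the original page. It takes the authentication results a receiver has already computed (the SPF result for the MAIL FROM domain and the DKIM result for the signature’s `d=` domain) plus the published DMARC record. The `AuthResult` type, the `organizational_domain` shortcut (last two labels instead of a Public Suffix List lookup) and the sample records and results are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """One authentication outcome the receiver computed for the message (constructed type)."""
    mechanism: str  # "spf" or "dkim"
    result: str     # "pass", "fail", "none", ...
    domain: str     # SPF: the MAIL FROM domain checked; DKIM: the d= tag of the signature


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real DMARC
    # consults the Public Suffix List (so 'shop.example.co.uk' -> 'example.co.uk');
    # that lookup is left out to keep the example offline.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organizational domain, so a subdomain may sign or send for its parent."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain: str, results: list, record: str) -> tuple:
    """Return (dmarc_result, disposition) for the domain in the From header.

    DMARC passes when at least one mechanism both passed AND is aligned with the
    From domain; a passing-but-unaligned SPF or DKIM result counts for nothing.
    """
    policy = parse_dmarc_record(record)
    aspf = policy.get("aspf", "r")    # default alignment mode is relaxed
    adkim = policy.get("adkim", "r")

    spf_aligned_pass = any(
        r.mechanism == "spf" and r.result == "pass" and aligned(r.domain, from_domain, aspf)
        for r in results)
    dkim_aligned_pass = any(
        r.mechanism == "dkim" and r.result == "pass" and aligned(r.domain, from_domain, adkim)
        for r in results)

    if spf_aligned_pass or dkim_aligned_pass:
        return ("pass", "none")
    # Failed: apply the domain owner's requested policy (none / quarantine / reject).
    return ("fail", policy.get("p", "none"))


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed record for example.com

    # Legitimate message: SPF passes for a subdomain bounce address, DKIM signed by the org.
    legit = [AuthResult("spf", "pass", "bounce.example.com"),
             AuthResult("dkim", "pass", "example.com")]
    print(evaluate_dmarc("example.com", legit, RECORD))   # ('pass', 'none')

    # Spoof: the forger's own server passes SPF for its own domain, but nothing
    # aligns with the example.com From header, so the message is rejected.
    spoof = [AuthResult("spf", "pass", "bulk-sender.test"),
             AuthResult("dkim", "none", "")]
    print(evaluate_dmarc("example.com", spoof, RECORD))   # ('fail', 'reject')
```

Two points worth noticing in the logic. First, the spoof case fails even though SPF itself passed: SPF only vouched for the forger’s own MAIL FROM domain, and it is the alignment step that ties the result back to the From header the recipient actually sees. Second, the whole evaluation is keyed on the exact From-header domain, so a message from a separately registered lookalike domain with its own valid SPF and DKIM records passes its own DMARC; lookalike and display-name impersonation therefore need checks of their own on top of DMARC.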
Maintain credibility and trust within your emails to clients, vendors, and staff with DMARC Director.