Threat Intel

How impersonation and brand-spoofing attacks work

A breakdown of the most common impersonation tactics — and what individuals and small businesses can do to spot and resist them.

Impersonation attacks succeed because they exploit trust. The attacker pretends to be someone the victim knows or a brand the victim trusts. Understanding the mechanics makes them easier to spot.

The four common shapes

1. Executive impersonation (BEC)

A fake email from a CEO, owner, or CFO asks finance to wire money or change payment details. The tone is urgent and the request is unusual. These attacks often rely on lookalike domains and little or no malware, so they slip past tools that only look for malicious attachments.

2. Vendor impersonation

An attacker compromises or mimics a supplier’s email account and sends updated invoice details. Because the relationship already exists, the change is less likely to be questioned.

3. Customer-support scams

A fake support agent contacts a user, claiming account problems, suspicious activity, or a refund. The goal is to capture credentials, install remote-access software, or steal payment information.

4. Brand spoofing

Attackers create fake websites, social profiles, or ads that closely copy a real brand. They intercept customers searching for support or promotions.

Why these attacks work

  • Urgency reduces careful review.
  • Authority makes victims reluctant to push back.
  • Context from stolen email threads makes requests feel legitimate.
  • Lookalike domains pass a quick glance.

Example of a lookalike domain:

Legitimate:  theemporiumagency.com
Lookalike:   theemporiumagencys.com
            the-emporiumagency.com
            theemporiumagencey.com

Defensive habits

For organizations:

  • Require out-of-band verification for payment changes.
  • Flag external emails with banners or subject-line tags.
  • Train staff to verify unusual requests, especially urgent ones.
  • Monitor for newly registered domains similar to your brand.
  • Use SPF, DKIM, and DMARC for email authentication.
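As an added example, not part of the original article, here is a small Python check of the kind a "monitor for similar domains" habit needs: it scores candidate domains against the brand domain from the lookalike example above, flagging hyphen and digit-for-letter variants, small edit distances, and names that embed the brand. The candidate list, swap table and edit-distance threshold are assumptions for the demo.

```python
from typing import Optional

# BRAND is the article's example; CANDIDATES is a constructed list mixing the
# article's lookalikes, two extra constructed variants and two benign names.
BRAND = "theemporiumagency.com"
CANDIDATES = [
    "theemporiumagency.com",        # the real domain
    "theemporiumagencys.com",       # trailing letter added
    "the-emporiumagency.com",       # hyphen inserted
    "theemporiumagencey.com",       # extra letter near the end
    "theemp0riumagency.com",        # zero for the letter o (constructed)
    "login-theemporiumagency.com",  # brand name embedded (constructed)
    "emporium-hardware.net",        # unrelated, shares one word
    "example.org",                  # unrelated
]
# Assumed swap table: characters an eye skims past when reading a domain.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})
MAX_EDITS = 2  # assumed threshold; tune for the length of the brand label

def label(domain: str) -> str:
    """Second-level label of a domain (not public-suffix aware)."""
    return domain.lower().strip(".").split(".")[-2]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, brand: str = BRAND) -> Optional[str]:
    """Return why a domain looks like the brand, or None if it does not."""
    if candidate.lower() == brand.lower():
        return None
    target, seen = label(brand), label(candidate).translate(SWAPS)
    if seen == target:
        return "hyphen or character-substitution variant of the brand"
    dist = levenshtein(seen, target)
    if dist <= MAX_EDITS:
        return f"edit distance {dist} from the brand label"
    if target in seen:
        return "embeds the brand name"
    return None

def flag_lookalikes(candidates, brand: str = BRAND) -> dict:
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in candidates if (r := classify(d, brand))}
```

Feed it a daily list of newly registered domains (from a registrar feed or certificate-transparency logs) and review whatever comes back flagged; the reason string tells you which trick the name is using.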

For individuals:

  • Do not trust caller ID or email display names.
  • Navigate to support sites manually instead of clicking links.
  • Verify payment and account changes through a known channel.
  • Slow down when an interaction feels rushed or threatening.

What to do if you are targeted

If your brand is spoofed:

  1. Collect evidence: screenshots, URLs, timestamps.
  2. Report the lookalike domain to the registrar and hosting provider.
  3. File reports with the impersonated platform (social, ad network, etc.).
  4. Notify customers through your official channels.
  5. Consider working with a takedown service if the volume is high.

Key takeaway: Impersonation attacks target process and trust more than technology. The strongest defenses are verification procedures and a culture where it is safe to question unusual requests.