Impersonation

ATTACK TYPES · 2 min read · Updated Mar 2026

What is Impersonation?

Impersonation is a social engineering tactic in which an attacker assumes the identity of a trusted individual - a colleague, executive, IT support representative, vendor, or authority figure - to manipulate a target into revealing sensitive information, granting access, or performing a harmful action.

How Impersonation Works

Attackers choose an identity that gives them authority or trust in the target's context. They may impersonate the target's manager via email, call the help desk pretending to be an employee who lost their credentials, or join a video call using deepfake technology to mimic an executive. The impersonation is supported by real information gathered during reconnaissance - the attacker knows names, titles, project details, and organizational structure, making the impersonation convincing.

Why Impersonation Matters

Impersonation is the mechanism behind most successful social engineering attacks. Scattered Spider breached MGM Resorts by impersonating an employee when calling the help desk. BEC attacks impersonate executives to authorize wire transfers. Deepfake vishing impersonates leadership to pressure employees into compliance. The common thread: when someone believes they're talking to a trusted person, they comply with requests they would otherwise question.

How to Protect Against Impersonation

  • Test employees with realistic impersonation scenarios across all channels
  • Implement callback verification for sensitive requests - always call back on a known number
  • Use multi-factor verification for high-stakes actions (wire transfers, access changes)
  • Reduce publicly available org chart data that helps attackers choose who to impersonate
  • Train employees that voice, email, and even video can be faked

Frequently Asked Questions

How do attackers choose who to impersonate?

Attackers use OSINT to identify high-trust targets like managers, executives, or IT staff. They research org structures on LinkedIn, company websites, and social media to find someone whose impersonation would be difficult to verify quickly.

What's the difference between impersonation and pretexting?

Impersonation is assuming a real person's identity. Pretexting is creating a fabricated role or scenario that doesn't necessarily correspond to a real person - like pretending to be 'the IT vendor' rather than 'John from IT.'

Can deepfakes really be used for impersonation attacks?

Yes. Deepfake video and audio can impersonate executives in video calls or voice messages. Deepfakes are still detectable, but the technology is improving rapidly. Organizations should treat all video and voice communications requesting sensitive actions with skepticism.

How should employees verify they're talking to someone real?

Use callback verification - end the call and independently call back on a number from your company directory or website, never a number the 'caller' provides. For sensitive requests, require approval through a separate channel (in person or via a different communication method).
