Email Impersonation vs. Email Spoofing vs. Account Takeover

Sometimes, terminology can lead to confusion in the tech industry. Take email impersonation, email spoofing, and account takeover—what are they, and is there any difference between them? With email-borne cyberattacks soaring to record levels, education on techniques and tactics and knowledge of preventing attacks is essential.

TitanHQ works to stop all types of email-borne cyber-attacks. This article will explain the operations and dynamics of these three types of threats and how to prevent cyber-attacks from damaging your organization.

What Do Email Impersonation, Email Spoofing, and Account Takeover Have in Common?

Before embarking on "what is…" it is helpful to understand what these three attack types have in common. Email impersonation, spoofing, and account takeover are all used to carry out successful phishing attacks. The phishing exercises are usually part of broader attacks, such as Business Email Compromise or ransomware infection; cyber-attacks are often multi-stage and complex, so all three of these tactics could feasibly be part of the same attack chain. It is important to recognize that all involve some form of deception at some point in the attack chain; typically, this is where a human being interacts with email.

Now that we've established the commonalities between email impersonation, email spoofing, and account takeover, what exactly is each technique about?

What is Email Impersonation?

Impersonating another person has a long history within the context of scams and fraud. The infamous scammer Frank Abernale was renowned for impersonating PanAm pilots. However, in the digital age, impersonation is performed using the most personal of technologies: email. Email impersonation is where a fraudster tricks the recipient into thinking an email they've received is from a trusted brand or individual, such as a C-level executive. 

Imagine a trusted CEO named Jen Smart. If the real email address is jen.smart@acme.com, the impersonated email will be a variant of this, for example, jen.smart@akme.com. The attacker will have registered the root domain www.akme.com to allow the creation of legitimate-looking email addresses. 

Attackers use similar tricks to change an email address subtly. For example, imagine the company in this example, Acme, had not purchased the domain Acme.io. The attacker could register the domain www.acme.io and use this domain to generate the email address jen.smart@acme.io. The result is the same: a legitimate-looking email to trick the recipient.

Email impersonation often involves reconnaissance and intelligence gathering to establish the modus operandi of the impersonated and the target. This exercise requires social engineering tactics to develop this know-how. This level of espionage is created to create a highly believable phishing email that looks like it is from someone trusted.

What is Email Spoofing?

Email spoofing has a similar goal as email impersonation: to trick the recipient into thinking this is a legitimate email from a trusted source. However, in the case of email spoofing, the technique is to change the email header's display name so it shows a trusted person's name. Take Jen Smart, for example. The email may have been sent by "Hacker Joe" via hacker@fraudster.com, but the email header will be changed to show it is from "Jen Smart" and jen.smart@acme.com. 

Changing the email header is straightforward, but each email client has different methods. For example, following these instructions can change the M365 Outlook email name. For example, M365 Outlook email name can be changed by following these instructions (taken from Microsoft 365 Learn) :

1. In the admin center, go to the Users > Active users page.
2. Select the user's name, and then on the Account tab select Manage contact information.
3. Update the user's name and contact information.
4. Select Save Changes.

Note that only a global administrator can perform the above action. However, hackers make themselves the admin.

Unlike email impersonation, the email spoofing attack is not reliant on the hacker registering a domain, making it simpler. However, the fraudster does require some basic technical ability to manipulate the email header. The fraudster will also often have carried out some reconnaissance to understand who to target and how to manipulate that target.

Around 29% of US citizens have been victims of account takeover.

Digital information world

What is Account Takeover?

According to research, around 29% of US citizens have been victims of account takeover (ATO). An ATO attack may target an email, social media, or online account. Once access is gained, the attacker has complete control of that account. Hackers use several methods to gain access to an account; some of the most common include the following:

Credential Stuffing: Bots are used alongside stolen and weak credentials to attempt logins across multiple accounts.

Adversary-in-the-Middle (AitM): Attackers intercept credentials as they are passed over insecure channels, such as unsecured WiFi.

Phishing: Spear phishing and other forms of targeted phishing emails are used to steal credentials to an account.

Malware Infection: Specialized malware, like a keylogger, can be used to steal login credentials to an account.

Account takeover requires technical ability. However, hacking-as-a-service kits make it much easier to compromise accounts.

In the UK, Action Fraud, recently warned of ATO attacks, after receiving a record 18,011 reports of social media and email hacking.

Action Fraud

The Damage Caused by Email Impersonation, Email Spoofing, and Account Takeover.

Any email-borne threat is dangerous as it can be used to manipulate employees. All three of these email-based threats can be used to perform damaging cyber-attacks. The following are typical examples of attacks in the real world when emails are spoofed, taken over, or impersonated.

Spoof Email Attack

A UK scam saw students receive spoof emails that contained malicious links. The spoof emails had a display name that looked like a legitimate, trusted source. The malicious link took students to a spoof website that attempted to steal personal data. 

Email Impersonation

Recent research highlights how flaws in email systems can lead to easier domain impersonation. The researcher found evidence to show that major brands such as Mastercard and US government departments had been victims of domain spoofing. The technique is called forwarding-based spoofing and exploits flaws in email forwarding. The hackers were able to bypass in-built security in email providers, such as Gmail and Outlook, to send emails that impersonated trusted brands.

Account Takeover (ATO)

In the UK, Action Fraud, recently warned of ATO attacks, after receiving a record 18,011 reports of social media and email hacking. Victims had money stolen and their compromised accounts used to commit further fraud. In a business context, ATO scams result in Business Email Compromise, which results in stolen company funds.

How to Prevent Email-Borne Cyber-Attacks

Security awareness training gives employees the know-how to detect spoof emails or email impersonation attempts. Security awareness training packages, like SafeTitan, also provide simulated phishing. SafeTitan provides templates for creating emails that mimic the same techniques hackers use to spoof or impersonate. These fake emails are then sent to employees to teach them how to identify an email-borne attack.

All three attack types, email impersonation, email spoofing, and account takeover, will typically use phishing at some point. Security awareness training and simulated phishing campaigns are one layer of prevention. However, an essential layer of protection should be advanced anti-phishing prevention. Integrated Cloud Email Security (ICES) works alongside the native security in M365. An advanced ICES solution, like PhishTitan, uses advanced technologies such as AI to stop a malicious email from ending in an employee’s inbox.

Preventing email impersonation, email spoofing, and account takeover requires a comprehensive, layered approach.

Talk to a TitanHQ expert who can show you how to prevent even the most complex, multi-stage, email-borne attack.