top of page

How to Spot Email Impersonation

What is email impersonation?

Email impersonation is a phishing tactic, commonly used to impersonate a trusted individual. Impersonation doesn’t always require “spoofing” (sending from a forged email address). With simple impersonation attempts, hackers can create an email account using the display name of an Executive or trusted advisor in your organization. This is also a sly way for hackers to avoid getting caught in an anti-spoofing filter.

An impersonation email may appear to be from “John Smith”, but if you look closer at the email address, you may find a generic domain name (ex., or even a completely unrelated email address (ex.

In some instances, we have witnessed hackers using email impersonation with the goal of obtaining your cell phone number so they can continue their efforts in what’s known as “smishing” or SMS phishing. Smishing is when a hacker impersonates a trusted source to obtain sensitive information via text message. The hacker’s motive here is to conduct their attack outside of a secured environment such as email. Click here to learn more about smishing.

Shouldn't our email security catch these attacks?

Impersonation filters are much more complex in nature than anti-spoofing filters. There are more variables you must consider.

There are 5 unique identifiers that are indicators of impersonation. An example of an identifier would be email that includes the word “payment” or “bill”.

When configuring impersonation protection, you must decide how many of these identifiers an email has to hit before it is filtered. If you require all 5 identifiers to be hit, nearly all impersonation attempts will get through to your inbox. If you require just one hit, you will end up with an excess of false positives and fail to receive legitimate email. The right balance in configuration will vary based on the needs of an organization or industry.

Even when appropriately configured, impersonation protection is not perfect and may let through an occasional imposter.

What additional measures can be taken?

runbiz™ now offers a feature that will flag any email that originates from outside of your organization. In many cases, these are legitimate emails, but if your boss or co-worker’s email is flagged, you will know that this is an impersonation attempt. Contact us to discuss which measures are most appropriate for your organization.

What should I do when I receive an impersonation email?

Simply delete the email. This does not mean that your co-worker or organization has been compromised. The hacker has simply used public information to try to trick you. If you notice impersonation emails getting through on a regular basis, inform your oversight. If necessary, they can then request that the impersonation filters be adjusted.

bottom of page