Email Security

What Is Domain Impersonation, How Does It Work, And How Can You Protect Your Organization?

An in depth look into domain impersonation and how it targets companies using social engineering tactics, resulting in major data breaches and financial losses each year.

Article thumbnail image

Domain impersonation is a common phishing technique which involves attackers creating “legitimate” looking email domains in order to impersonate specific companies, organizations, or individuals. This is done with the intention of tricking users into giving away personal or sensitive information, data, or money by posing as a trusted figure.

Attackers’ time and money goes into acquiring these domains. Domains are purchased and registered, with the attacker setting up an email account to target companies with phishing emails. Hard work pays off; 71% of email attacks consist of at least some form of domain impersonation, making it vital for companies to stay ahead of the game.

How Does Domain Impersonation Work?

Domain impersonation entails attackers impersonating a business or specific figure by creating domain names that are ever so slightly altered to escape most people’s notice. This can be done by replacing letters in a legitimate email domain (for example, becoming or adding a letter that would be difficult to spot at first glance (think instead of 

Email domains are composed of multiple subparts, including a username, a root domain, a top-level domain, and, occasionally, a subdomain. Together it would look like this: [email protected] ([email protected]), or, if using a subdomain: [email protected] ([email protected]). Attackers can capitalize on these potential avenues for impersonation by mixing it up and getting their impersonated domains very close to the real thing. Full stops in the wrong places are common ([email protected] instead of [email protected]), as are slight variations of root and top-level domains.

Impersonation doesn’t just pertain to email communications either. Typo-squatting occurs when attackers register website domains with commonly misspelled versions of popular names, which users can find themselves drawn to from either misspelling a domain name or clicking a link as part of a wider phishing scam. 

These impersonated domains then trick users into either clicking on a link taking them to a malicious website, or into sending information or money. Common examples would be an attacker posing as a trusted person within the targeted user’s company, requesting sensitive information or as someone from an external company requesting payment for a bogus invoice. Company or client data is often requested, as are log-in details. 

Requests for this kind of information will usually be presented with urgency to get the recipient to complete the action without paying too much notice or causing enough stress and panic that they bypass regular protocols. It’s common for these emails to contain requests that seem uncharacteristic of the sender, such as a senior executive asking for personal details of the user, or a client requesting payment for an invoice saying that it does not need to be verified or go through the usual approval channels.

What is The Difference Between Domain Impersonation And Domain Spoofing?

Domain impersonation refers to the act of attackers attempting to impersonate the domain of a business. Impersonation relies on social engineering focus, using hard to spot changes to a domain so as to trick users into making an error. It essentially relies on users either not checking or briefly glancing at domains before acting.

Domain spoofing refers to the sender attempting to make it appear as though mail is being sent from the target domain. Synonymous with forging, domain spoofing goes to great lengths on a technological level to make an email appear legitimate. 

For example, an attacker could modify an email’s header, so for the receiver it will appear as genuine in their inbox. For instance, the attacker’s email address could be [email protected], but spoofing would cause employees to see it as their CEO’s email address or another trusted figure within (or from outside) the company.

Domain Impersonation And Its Impact

It can be devastating for companies if employees fall victim to these attacks. Fake invoices can result in the loss of a few hundred or thousands of dollars, but, beyond direct financial loss, requests for sensitive and private information can have a much larger impact. The costs of data breaches can run into millions, with IBM reporting an average loss of an eye watering $3.86 million per breach.

Common forms of domain impersonation phishing usually consist of either one of these three, though there are others:

  • Attackers impersonating a company executive to target an employee of the organization. 
  • Whaling;  a more sophisticated attack that targets senior executives. 
  • Business Email Compromise (BEC), in which attackers impersonate a business to target employees, customers or partners.

BEC is more frequent, with the potential to be more successful and therefore more harmful to businesses. In their annual cybercrime report, the FBI announced last year that BEC cost businesses $1.8 billion worth of losses in 2021. While domain impersonation may not be as sophisticated as other phishing attacks, its impact is widespread and damaging, so safeguarding your company against these attacks is crucial. 

How To Prevent Domain Impersonation Phishing Attacks

These attacks’ success relies heavily on human error – i.e., someone clicking on or sharing something they shouldn’t. The IBM Cyber Security Intelligence Index Report details that 95% of security breaches are mostly caused by human error. Deloitte also reports that a staggering 91% of all cyber-attacks begin with a phishing email. It’s clear that this is an area that needs securing, but how do you prevent human error?

Security Awareness Training

While it might be impossible to eradicate every possibility of human error, safeguarding against these mistakes as best as possible is still important. That leaves the question, how do you safeguard against genuine mistakes? The answer is security awareness training. Employing specialized training for your staff is a great way to educate employees on several cybersecurity risks, including how to identify and deal with potential phishing scams.

Security awareness training programs are often virtual, presenting employees with scenario-based videos and quizzes that help them learn to spot suspicious emails. Comprehensive, effective training topics should include: social engineering, phishing, and insider threats (amongst others). The aim is to get employees to think critically about emails they receive. In addition to spotting suspicious email domains, they also learn to question the contents of an email. Would a senior executive really be interested in their personal and financial information? And why would a client suddenly want an invoice paid quietly and immediately when they didn’t before?

There are plenty of awareness training programs available, giving you greater freedom in making the right decision for your business. Check out our guide below to help you make a decision that works best for everyone.

Read now: Top 10 Security Awareness Training Solutions

Phishing simulations

Of course, while it’s good to have the knowledge in place, having practice runs can’t hurt. Phishing simulations help employees learn to detect and report phishing scams, protecting your organization from threats. Many (but not all) security awareness training packages come with phishing simulations, which are deployed after the training is complete. 

These simulations allow admins to send simulated phishing scams to employees so they can learn to spot and respond to potential threats. Phishing simulations contain hundreds of email templates with the option for these emails to contain requests for sensitive information, links, and attachments.

These phishing simulations can run for any length of time, helping employees stay up to date and on alert for any potential threats. If an employee continues to fail to detect these scams, a supervisor can see that this issue has been flagged and help the employee with further training.

Read now: Top 10 Phishing Simulation Solutions

Install And Integrate Specialized Email Security Software

It can be difficult for software to detect impersonated domains as they don’t use any form of malware or malicious URLs. It is, essentially, just another email address. In addition to human intelligence, implementing technical protection such as secure email gateway providers strengthen protection. Email communications should be included in any data protection strategy, with what kinds of data are being shared internally and externally should be analyzed and appropriate controls put in place where necessary. 

There are several email security software solutions that can detect and flag the use of impersonation domains, adding protection against phishing attacks. Companies such as IRONSCALES, Barracuda, and Tessian offer advanced email security software that can notify users and admins when something isn’t right. These usually combine machine learning and human behavior that learn in real time. This software will analyze the entire content of an email – including sender details, time stamps, and more. From there, it can detect and flag any suspicious activity in real-time with advisory banners, giving guidance to users on reporting the email:

Taking advantage of emerging APIs by integrating any email security systems in place with other security tools will also help give admins a broader, more comprehensive look into their email security, allowing for them to track security events with greater ease.

Read NowTop 11 Email Security Solutions


A comprehensive approach that combines technology and human intelligence is the best way to safeguard against spear phishing attacks. Check out our blogs on security awareness training and phishing simulations before looking at our buyer’s guides for each, helping you make the right choice for your business.