Impersonation Attack Taxonomy
Every impersonation attack fakes identity at a specific layer. Understanding the layer determines which defense applies.
| Attack Type | Layer | What's Faked | Defense |
|---|---|---|---|
| Display Name Spoofing | Email (Application) | Sender name visible in inbox | User training to verify full From: address; email client config to show full addresses |
| Cousin Domain | DNS / Email | Domain name (visually similar) | Register common variants; DMARC on real domain; user training |
| Exact Domain Spoofing | Email (Application) | Legitimate domain, unauthorized server | DMARC policy=reject with SPF + DKIM |
| ARP Spoofing | Data Link (Layer 2) | MACβIP mapping on local LAN | Dynamic ARP Inspection (DAI) on managed switches |
| IP Spoofing | Network (Layer 3) | Source IP address in packets | BCP38 ingress filtering at network edge |
| DNS Spoofing | Application (DNS) | DNS responses (IP for domain) | DNSSEC for cryptographic DNS record integrity |
| Caller ID Spoofing | Voice / PSTN | Phone number displayed to recipient | STIR/SHAKEN; callback verification policy |
| Deepfake (Audio/Video) | Physical / Human | Voice and/or face of a real person | Out-of-band verification; codewords; dual-channel authorization |
| Badge Cloning | Physical | RFID credential from proximity card | Encrypted challenge-response cards (MIFARE DESFire, SEOS); RFID-shielded holders |
The Attack Chain: BEC Wire Transfer
How Yusuf's $340K pharma case unfolded β a complete Business Email Compromise kill chain.
1
Reconnaissance
Attacker researches target via LinkedIn, company website, press releases, and earnings calls. Identifies CFO name, AP staff names, active vendor relationships, and the procurement process workflow. Identifies employee email formats and internal naming conventions.
Attacker researches target via LinkedIn, company website, press releases, and earnings calls. Identifies CFO name, AP staff names, active vendor relationships, and the procurement process workflow. Identifies employee email formats and internal naming conventions.
β
2
Domain Registration (Cousin Domains)
Attacker registers pharma-corp-billing.com, pharma-corp-ap.com, and IDN homograph variants. Configures mail server on cousin domain. Creates convincing email address: sarah.chen@pharma-corp-billing.com. Sets display name to "Sarah Chen - CFO Office."
Attacker registers pharma-corp-billing.com, pharma-corp-ap.com, and IDN homograph variants. Configures mail server on cousin domain. Creates convincing email address: sarah.chen@pharma-corp-billing.com. Sets display name to "Sarah Chen - CFO Office."
β
3
Credential Stuffing for Initial Access
Attacker tests millions of username/password pairs from breach databases against the company's Okta portal. Finds that Marcus (vendor liaison) reused a password from a prior breach. Automated tool flags successful credential match.
Attacker tests millions of username/password pairs from breach databases against the company's Okta portal. Finds that Marcus (vendor liaison) reused a password from a prior breach. Automated tool flags successful credential match.
β
4
SIM Swap to Bypass SMS MFA
Attacker calls Marcus's mobile carrier, impersonates Marcus using researched personal details (name, address, last 4 SSN digits from breach data). Convinces carrier representative to port Marcus's number to attacker's SIM. Attacker now receives Marcus's MFA codes.
Attacker calls Marcus's mobile carrier, impersonates Marcus using researched personal details (name, address, last 4 SSN digits from breach data). Convinces carrier representative to port Marcus's number to attacker's SIM. Attacker now receives Marcus's MFA codes.
β
5
Account Access and Internal Reconnaissance
Attacker logs in as Marcus using the captured credentials + SMS MFA code now delivered to their SIM. Reads 3 weeks of internal emails, maps AP workflows, learns procurement context, identifies the $340K equipment discussion. Understands who has authority and what communication style looks legitimate.
Attacker logs in as Marcus using the captured credentials + SMS MFA code now delivered to their SIM. Reads 3 weeks of internal emails, maps AP workflows, learns procurement context, identifies the $340K equipment discussion. Understands who has authority and what communication style looks legitimate.
β
6
Display Name Spoof Email to AP
Sends wire transfer request from sarah.chen@pharma-corp-billing.com with display name "Sarah Chen - CFO Office." Email references the real equipment procurement discussion (from Marcus's inbox). Requests $340K to a "new vendor" bank account. Professionally formatted, contextually accurate.
Sends wire transfer request from sarah.chen@pharma-corp-billing.com with display name "Sarah Chen - CFO Office." Email references the real equipment procurement discussion (from Marcus's inbox). Requests $340K to a "new vendor" bank account. Professionally formatted, contextually accurate.
β
7
Caller ID Spoof Follow-Up Call
AP clerk is nervous about the amount and calls to verify. Attacker is ready β uses VoIP caller ID spoofing to display the CFO's real internal extension (4-2287). Answers as "CFO's assistant," verbally confirms the wire, provides additional vendor details. Clerk's verification attempt is defeated.
AP clerk is nervous about the amount and calls to verify. Attacker is ready β uses VoIP caller ID spoofing to display the CFO's real internal extension (4-2287). Answers as "CFO's assistant," verbally confirms the wire, provides additional vendor details. Clerk's verification attempt is defeated.
β
8
Wire Transfer Executed β $340,000 Gone
AP clerk processes the wire. Funds transferred to attacker-controlled account. Fraud detected 4 days later by the bank's transaction monitoring team. $180K clawback possible through rapid action; $160K irrecoverable after onward transfer through multiple accounts.
AP clerk processes the wire. Funds transferred to attacker-controlled account. Fraud detected 4 days later by the bank's transaction monitoring team. $180K clawback possible through rapid action; $160K irrecoverable after onward transfer through multiple accounts.
STIR/SHAKEN Attestation Levels
A β Full Attestation
The originating carrier has verified that the calling party is a customer of the carrier AND that the customer is authorized to use the specific calling number being displayed. Highest level of confidence. The carrier can definitively say: this call is from our customer, and that customer owns or is permitted to use this phone number. Still does not guarantee the subscriber isn't an attacker β it only verifies subscriber authorization of the number.
B β Partial Attestation
The originating carrier has verified that the call came from a known customer, but cannot verify that the customer is authorized to use the specific calling number displayed. The carrier knows where the call originated (their customer) but cannot confirm the displayed number belongs to that customer. Common for scenarios where a business customer presents caller ID numbers from a pool or a number the carrier can't independently verify.
C β Gateway Attestation
The originating carrier can only attest that the call entered the carrier's network at a specific interconnect gateway. No verification of the caller's identity or their authorization to use the displayed number. The lowest level of attestation β essentially "this call came in here, we have no idea who sent it or whether the number is legitimate." Calls from overseas SIP providers and unregistered trunks often receive C attestation or no attestation at all.
STIR/SHAKEN is an improvement but not a complete solution. Calls originating overseas, through unregistered SIP trunks, or from carriers that have not fully deployed STIR/SHAKEN can still carry spoofed caller ID. Even A-level attestation means only that the carrier verified the subscriber's authorization β not that the subscriber isn't an attacker. Defense policy cannot rely on caller ID as proof of identity regardless of attestation level.
Credential Attack Comparison
| Technique | Speed | Target Pattern | Lockout Risk | What to Monitor |
|---|---|---|---|---|
| Credential Stuffing | Fast (fully automated) | Many users Γ known specific passwords (breach pairs) | High per account (many attempts per account if using known password lists) | Repeated failed logins with known-breached passwords; logins from IP reputation bad addresses; login volume spikes |
| Password Spraying | Slow (one password at a time, deliberately paced) | Many users Γ very few common passwords (often 1β2) | Low (stays under per-account lockout threshold) | Distributed low-frequency login failures across many different accounts simultaneously; common password attempts across wide user base |
| Brute Force | Varies (fast for short/simple passwords) | One user Γ many passwords (exhaustive) | Very high (many attempts against one account) | Many failed login attempts against a single account in a short time window; account lockout events |
| SIM Swap + MFA Bypass | Varies (carrier call can take minutes to hours) | One targeted user, high-value account | N/A (legitimate credentials + legitimate MFA code) | Phone number port-out from carrier records; sudden SIM change; victim phone goes offline; unexpected MFA success from new device/location |