Impersonation attack

How it works

The attacker borrows an identity the target already trusts and uses it to request money, credentials, or access. The disguise can be a lookalike domain, a cloned login page, a fake social profile, a spoofed email, or a deepfaked voice. The trust does the work; the technical trick just delivers it.

Impersonation attacks often chain several of these together, such as a fake profile that leads to a spoofed email that links to a phishing page.

How it relates to brand impersonation

This is brand impersonation described from the attacker side. Every entry in this glossary is a flavour of impersonation attack, which is why the defence has to span domains, social, email, and search at once.

How nebty helps

nebty watches the channels impersonation attacks use, including domains, social media, ads, and search, and removes confirmed fakes on demand.

How the pieces chain together

A real impersonation attack is usually a sequence, not a single trick. A typical chain starts with reconnaissance on public sources, moves to a lookalike domain registered to host a fake page or send spoofed mail, adds a cloned site or a fake profile to carry the disguise, and ends with the payload: a stolen credential, an authorized payment, or an installed file. Each link is weak on its own and easy to dismiss, which is why defenders who look at one channel miss the campaign. The useful response targets the shared infrastructure rather than the individual messages: take down the lookalike domain and the fake profile, and the later links lose the trust they depend on. Monitoring across channels is what reveals the chain while it is still being assembled.