Email impersonation scams explained

How attackers fake your domain and how to stop it.
Published: December 18, 2025

Email impersonation scams are one of the fastest growing threats businesses face today. They are cheap to run, easy to scale, and often succeed without attackers ever touching your systems.

All they do is pretend to be you.

This article explains what email impersonation attacks really are, how they work, why they are so effective, and what actually prevents them. No scare tactics. No sales pitch. Just the mechanics and the reality.

What email impersonation actually means

An email impersonation scam happens when someone sends emails that appear to come from your domain or your brand without having access to your email account.

The sender address is forged. To the recipient, everything looks familiar. Same domain, same name, often even the same tone or signature.

This is not generic phishing. This is domain level abuse.

Common examples

  • Fake invoices sent to customers

  • Payment change requests sent to finance teams

  • Password reset emails sent to employees

  • CEO fraud and executive impersonation

In many cases, these emails never pass through your infrastructure at all.

Why these attacks keep working

Email was never designed with authentication built in. By default, anyone can send an email claiming to be from almost any domain.

Modern protections exist, but most domains do not use them correctly.

Less than ten percent of domains worldwide enforce DMARC properly. That leaves the majority of companies exposed without realizing it.

Attackers rely on three things

  • Trust in known domains

  • Lack of visible warning signs

  • Misconfigured or missing email authentication

If your domain allows unauthenticated emails to be delivered, someone will eventually abuse it.

The main types of impersonation attacks

  • Direct domain spoofing: Emails are sent using your exact domain in the From address.

  • Display name impersonation: The domain differs, but the sender name matches a trusted person or brand.

  • Lookalike domains: Domains are registered that closely resemble yours, often differing by a single character.

  • Third party sender abuse: Legitimate tools send email on your behalf without proper authorization or alignment.

Only direct domain spoofing can be reliably stopped at the protocol level. That is also where most financial damage occurs. 

What email impersonation costs businesses in practice

Email impersonation is not just a security issue. It affects revenue, trust, and daily operations.

  1. Financial loss: Business email compromise causes billions in losses every year. Individual incidents often exceed six figures.

  2. Brand damage: Customers associate fake emails with your brand. Trust drops quickly and recovers slowly.

  3. Operational drag: Teams stop trusting email. Processes slow down. Every request needs extra verification.

  4. Deliverability issues: Once your domain is abused, mailbox providers become more suspicious of all your email, including legitimate messages.

If email matters to your business, impersonation is a real operational risk. 

How to know if your domain is exposed

Most companies assume they are protected. Many are not.

Your domain is likely vulnerable if:

  • You have no DMARC record

  • Your DMARC policy is set to none

  • You do not know which tools send email for your domain

  • You have never reviewed DMARC reports

  • Your SPF record has grown unchecked over time

None of this is visible from your inbox. That is why the problem often goes unnoticed. 

How email authentication actually stops impersonation

Three protocols matter.

SPF: Defines which servers are allowed to send email for your domain.

DKIM: Cryptographically signs messages so that any alteration in transit is detected.

DMARC: Connects the SPF and DKIM results to the visible From domain and tells receiving servers what to do when checks fail.

DMARC is the enforcement layer. Without it, SPF and DKIM alone do not stop impersonation. When DMARC is enforced, mailbox providers can block fake emails before they ever reach a human. This is not theoretical. It is how large brands shut down spoofing at scale.
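The verdict logic described above, as an added example that is not part of the article: a receiver takes the SPF and DKIM results, checks whether the authenticated identifier aligns with the From domain, and only then applies the published p= policy. The organizational-domain helper is a simplification (real receivers use the Public Suffix List), and the two messages at the end are constructed.

```python
# Added example, not from the article: how a receiver combines SPF and DKIM
# results with identifier alignment to reach a DMARC verdict for one message.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption: no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

@dataclass
class AuthResult:
    from_domain: str   # domain in the From header, which is what the recipient sees
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF evaluated
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned
    dkim_pass: bool

def dmarc_verdict(msg: AuthResult, record: str) -> tuple:
    """Return (result, disposition). DMARC passes when SPF or DKIM passes AND
    that identifier aligns with the From domain; otherwise the record's p=
    policy is applied, which is why p=none blocks nothing."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

# Constructed spoof: SPF passes, but only for the attacker's own envelope domain.
SPOOF = AuthResult("example.com", "attacker.example.net", True, "", False)
LEGIT = AuthResult("example.com", "bounce.example.com", True, "example.com", True)
```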

Why most DMARC setups fail

DMARC looks simple and behaves strictly.

Typical failure points are:

  • Missing legitimate senders

  • Broken alignment between SPF, DKIM, and the From domain

  • SPF records exceeding DNS lookup limits

  • Inconsistent DKIM usage across tools

  • No visibility into real world traffic

  • Fear of breaking email, leading to permanent monitoring mode

As a result, many companies stop halfway. Attackers do not.
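The record-level signs of exposure from the checklist above (no DMARC record, p=none, an SPF record that has grown past its lookup limit) and the failure points just listed, as an added example that is not part of the article: an offline linter over DMARC and SPF record strings you have already fetched from DNS. It does not resolve include: targets, so the lookup count is a lower bound; the ten-lookup limit is from RFC 7208.

```python
# Added example, not from the article: an offline linter for the exposure
# signals the article lists, run over DMARC and SPF record strings.
import re
from typing import List, Optional

MAX_SPF_LOOKUPS = 10   # RFC 7208 limit; exceeding it yields permerror, not pass

def dmarc_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dict."""
    parts = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}

def count_spf_lookups(spf: str) -> int:
    """Count the top-level mechanisms that cost a DNS lookup (includes are not followed)."""
    n = 0
    for term in spf.split()[1:]:               # skip the v=spf1 version tag
        t = term.lstrip("+-~?")                # strip the qualifier
        if t.startswith(("include:", "exists:", "redirect=")):
            n += 1
        elif re.fullmatch(r"(a|mx|ptr)(:[^/]+)?(/\d+)?", t):
            n += 1
    return n

def lint_domain(dmarc: Optional[str], spf: Optional[str]) -> List[str]:
    """Return human readable findings; an empty list means no record-level gaps."""
    findings = []
    if not dmarc:
        findings.append("no DMARC record: receivers have no policy to apply")
    else:
        tags = dmarc_tags(dmarc)
        policy = tags.get("p", "none")
        if policy == "none":
            findings.append("p=none: spoofed mail is reported but still delivered")
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports are not collected")
        if policy != "none" and tags.get("pct", "100") != "100":
            findings.append(f"pct={tags['pct']}: policy applies only to a sample")
    if not spf:
        findings.append("no SPF record: any server may claim your envelope domain")
    else:
        lookups = count_spf_lookups(spf)
        if lookups > MAX_SPF_LOOKUPS:
            findings.append(f"SPF needs {lookups}+ lookups (limit {MAX_SPF_LOOKUPS}): permerror")
        if spf.split()[-1] in ("+all", "?all", "all"):
            findings.append("SPF ends in +all/?all: every sender passes")
    return findings
```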

A realistic way to reduce risk without breaking email

The right approach is gradual and based on real data.

Start with visibility. Move to enforcement once you understand your traffic.

In practice, that means:

  • Deploying DMARC in monitoring mode

  • Discovering all sending domains and tools

  • Auditing SPF and DKIM for every sender

  • Analyzing reports and fixing misalignments

  • Only then, enforcing a strict policy

This is not guesswork. It is configuration guided by evidence. 
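The report analysis step of the procedure above, as an added example that is not part of the article: summarising a DMARC aggregate (rua) report per sending source so you can see which sources fail alignment before moving to enforcement. The XML is a constructed, trimmed report in the RFC 7489 shape, and the 98 percent pass-rate threshold is an assumed readiness rule, not one the article states.

```python
# Added example, not from the article: per-source summary of a DMARC
# aggregate report. The report below is constructed for illustration.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>newsletter-tool.example.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def summarise(report_xml: str) -> dict:
    """Per source IP: message count, how many passed DMARC (policy_evaluated
    holds the aligned results) and the domain raw SPF passed for. A raw SPF
    pass next to an aligned fail is the signature of an unaligned third-party tool."""
    root = ET.fromstring(report_xml)
    summary = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary.setdefault(ip, {"messages": 0, "dmarc_pass": 0,
                                        "raw_spf_domain": rec.findtext("auth_results/spf/domain")})
        entry["messages"] += count
        entry["dmarc_pass"] += count if passed else 0
    return summary

def ready_to_enforce(summary: dict, min_pass_rate: float = 0.98) -> bool:
    """Assumed rule: leave p=none only once nearly all observed mail aligns."""
    total = sum(e["messages"] for e in summary.values())
    passed = sum(e["dmarc_pass"] for e in summary.values())
    return total > 0 and passed / total >= min_pass_rate
```

In the constructed report the second source is a newsletter tool whose SPF passes for its own domain but not for example.com, which is exactly the misalignment to fix before enforcing.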

Where prevention quietly fits in

The fastest way to understand your exposure is to see how your domain looks from the outside. A simple domain check can show:

  • Whether your domain can be spoofed

  • Which authentication records are missing or broken

  • Whether attackers could impersonate you today

From there, closing the gaps is mostly configuration and monitoring, not heavy engineering.

If you are responsible for a domain that sends business critical email, the real question is not whether impersonation is possible. It is whether you can see it and stop it.

Check your domain here: https://dmarcdkim.com/dmarc-check 

Final takeaway

Email impersonation works because it exploits defaults and blind spots, not because attackers are especially clever.

The tools to prevent it already exist. Most companies just have not enabled them properly.

If email matters to your business, visibility and enforcement are no longer optional. Seeing where you stand is the first step. The rest follows.
