
How Email Impersonation Actually Works

Email impersonation is cheap, easy, and almost impossible to stop without authentication.

Last updated: March 20, 2026

Here's something most business owners don't realize: sending an email "from" any address you want is trivially easy. SMTP, the protocol that moves email between servers, was standardized in 1982 (RFC 821) for a small, trusted network, and it has no built-in way to prove who sent a message.

I can send an email right now that appears to come from ceo@yourcompany.com. I don't need your password. I don't need access to your account. I just type the address in the "From" field.

This is email impersonation. Here's how it works and what you can actually do about it.

Method 1: Direct Spoofing (No Hacking Required)

The attacker connects directly to the recipient's mail server (the one in customer.com's MX record, which has to accept inbound mail for its own users) or to any relay that will forward for them, and submits an email with a forged "From" header. They can set any display name and sender address they want.

Example: I connect to the customer's mail server on port 25 (telnet or openssl s_client will do) and type the SMTP commands myself. The lone "." on its own line ends the message:

EHLO some-server.com
MAIL FROM:<attacker@some-server.com>
RCPT TO:<victim@customer.com>
DATA
From: "John Smith" <ceo@yourcompany.com>
To: victim@customer.com
Subject: Urgent Wire Transfer

Please wire $15,000 to the attached account immediately.
.
QUIT

Your customer receives an email that looks like it came from your CEO. The sender address shows ceo@yourcompany.com. Nothing in that session proved the claim: the envelope sender (MAIL FROM) was attacker@some-server.com, the From header was whatever I typed, and the recipient's mail client shows only the header.

This works because SMTP itself has no check: "Is this server actually authorized to send for yourcompany.com?" That check exists only as an add-on. It happens when yourcompany.com publishes SPF, DKIM, and DMARC records and the receiving server enforces them. In 2026 many domains still publish none of them, and receivers still accept mail for those domains from anyone.

Method 2: Lookalike Domains

Instead of faking your exact domain, attackers register a similar one.

Your domain: acmecorp.com

Attacker's domains:

  • acmecorp.net (different top-level domain)
  • acmec0rp.com (zero instead of 'o')
  • acme-corp.com (added hyphen)
  • acmecorp.net.support-desk.com (your name as a subdomain of a domain the attacker owns)

They email your customers and vendors from these domains. The emails look professional. The tone matches your company's voice (they've done research). The request seems legitimate.

Example: Attacker registers acmeco.com (acmecorp.com with the last two letters dropped). Sends emails to your vendors: "This is John from Acme Corp, please update our payment information." Two months of payments go to the attacker's account.
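The variants above can be generated mechanically, which is also how domain-monitoring services and mail filters catch them. The following is an added example, not code from the article: it builds the common lookalike forms of a protected domain (top-level domain swap, homoglyph, dropped or transposed letter, hyphen, truncation) and classifies an incoming sender domain against them. The protected domain is the article's acmecorp.com; every other domain name is a constructed sample.

```python
"""Added example: lookalike-domain generation and sender classification.
Protected domain is the article's acmecorp.com; other names are constructed."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
COMMON_TLDS = ("com", "net", "org", "co", "us", "info", "biz")


def split_domain(domain):
    """'mail.acmecorp.com' -> ('acmecorp', 'com'). Simplified registered domain
    (last two labels); production code should use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def lookalike_variants(domain):
    """The cheap variants an attacker registers. Each comment shows the acmecorp.com form."""
    label, tld = split_domain(domain)
    out = set()
    out.update(f"{label}.{t}" for t in COMMON_TLDS if t != tld)                    # acmecorp.net
    out.update(f"{label[:i]}{HOMOGLYPHS[c]}{label[i + 1:]}.{tld}"
               for i, c in enumerate(label) if c in HOMOGLYPHS)                     # acmec0rp.com
    out.update(f"{label[:i]}{label[i + 1:]}.{tld}" for i in range(len(label)))      # acmcorp.com
    out.update(f"{label[:i]}-{label[i:]}.{tld}" for i in range(1, len(label)))      # acme-corp.com
    out.update(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}"
               for i in range(len(label) - 1))                                      # amcecorp.com
    out.update(f"{label[:i]}.{tld}" for i in range(3, len(label)))                  # acmeco.com
    out.discard(f"{label}.{tld}")
    return out


def levenshtein(a, b):
    """Edit distance, for near-misses the generator does not enumerate (e.g. insertions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain, protected):
    """Return 'own-domain', 'known-variant', 'embedded-name', 'near-miss' or 'unrelated'."""
    sender = sender_domain.lower().rstrip(".")
    protected = protected.lower().rstrip(".")
    if sender == protected or sender.endswith("." + protected):
        return "own-domain"
    if sender in lookalike_variants(protected):
        return "known-variant"
    plabel, _ = split_domain(protected)
    slabel, _ = split_domain(sender)
    # Your name as a subdomain of someone else's domain, or glued to another word.
    if plabel in sender.split(".") or (plabel in slabel and slabel != plabel):
        return "embedded-name"                      # acmecorp.net.support-desk.com
    if levenshtein(slabel, plabel) <= 2:
        return "near-miss"                          # acmeccorp.com
    return "unrelated"


if __name__ == "__main__":
    for d in ["mail.acmecorp.com", "acmec0rp.com", "acmeco.com",
              "acmecorp.net.support-desk.com", "acmeccorp.com", "gmail.com"]:
        print(f"{d:35} {classify_sender_domain(d, 'acmecorp.com')}")
```

Anything other than "own-domain" or "unrelated" is worth a warning banner on inbound mail and a registration alert if it shows up in a new-domain feed; the "embedded-name" case is the one most lists of typos miss.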

Method 3: Display Name Spoofing

The attacker puts your employee's or company's name in the display name but uses a different address as the actual sender, usually an external one such as a free webmail account.

Example From header:

  • Display Name: "John Smith"
  • Actual From: john.smith@gmail.com
  • As it appears in the raw header: From: "John Smith" <john.smith@gmail.com>

Gmail and Outlook show "John Smith" prominently and the actual address in smaller text, on hover, or only after a tap. Mobile email apps often hide the address entirely.
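An added example (not the article's code) of the check a mail filter runs for this: parse the From header, compare the display name against a staff directory and the company's brand names, and flag it when the actual address is external. The directory, brand strings, internal domain and sample headers are all constructed for the example.

```python
"""Added example: flag display-name spoofing in a From header. The directory,
brand names and domains are constructed; a real filter uses the tenant's user list."""
import re
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acmecorp.com"}                 # constructed
EMPLOYEES = {"John Smith", "Mary Jones"}            # constructed staff directory
COMPANY_NAMES = {"Acme Corp", "AcmeCorp"}           # constructed brand strings


def name_tokens(text):
    """Lowercase ASCII word set, so 'Smith, John' and 'Jóhn Smith' both equal 'John Smith'."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return frozenset(re.findall(r"[a-z0-9]+", ascii_text.lower()))


EMPLOYEE_TOKENS = {name_tokens(n) for n in EMPLOYEES}
COMPANY_TOKENS = {name_tokens(n) for n in COMPANY_NAMES}


def check_from_header(from_header):
    """Return the parsed address, whether it is internal, and a list of impersonation findings."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []
    if domain in INTERNAL_DOMAINS:
        # Our own domain in the address: whether that is genuine is DMARC's job, not this check's.
        return {"address": address, "internal": True, "findings": findings}
    tokens = name_tokens(display)
    if any(emp <= tokens for emp in EMPLOYEE_TOKENS):
        findings.append("display name matches an employee but sender is external")
    if any(brand <= tokens for brand in COMPANY_TOKENS):
        findings.append("display name contains the company name but sender is external")
    # Display name that is itself an address, e.g. "ceo@acmecorp.com" <freemail@mail.example>
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != domain:
        findings.append("display name contains an address at a different domain")
    return {"address": address, "internal": False, "findings": findings}


if __name__ == "__main__":
    for header in ['"John Smith" <john.smith@gmail.com>',
                   '"Smith, John" <jsmith@yahoo.com>',
                   '"Acme Corp Accounts Payable" <ap.acme@outlook.com>',
                   '"ceo@acmecorp.com" <freemail123@mail.example>',
                   "Bob <bob@vendor.example>"]:
        print(header, "->", check_from_header(header)["findings"] or "clean")
```

The token-set comparison is deliberate: attackers reorder names, add titles, or swap in accented characters to slip past exact-match rules, and the directory match still has to hold.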

Method 4: Compromised Accounts

A phishing attack compromises one of your employees' email accounts. The attacker now sends from your legitimate domain through your own mail system, so SPF and DKIM pass and DMARC is satisfied. Every email is, technically, 100% authentic.

This is the most dangerous scenario because authentication mechanisms like SPF and DKIM cannot detect it: the attacker genuinely is sending from your infrastructure. If they also read the mailbox first, they can reply inside a real invoice thread, which is how the invoice interception scam below starts.

Why This Matters for Gulf Coast SMBs

Your industry is a target:

Construction companies wire large payments to vendors for equipment, materials, and subcontractors. Fake change-of-bank-account notices are common and costly.

Marine services and oilfield vendors process expensive invoices for fuel, charters, and repairs. Payment fraud is frequent.

Seafood processors communicate with distributors and buyers. Fake purchase orders redirect payments.

Restaurants and hospitality have thin margins and frequent vendor changes. Fake statements get paid to the wrong accounts.

What Can Go Wrong

The Vendor Payment Scam
Attacker spoofs your domain, or uses a lookalike of it, to email a customer: "We've changed banks. Please update our payment records." The customer updates the bank account and pays their next invoice to the attacker. You've now delivered product and haven't been paid, and the customer doesn't want to pay twice.

The Invoice Interception
Attacker compromises a vendor's email account, waits for an invoice to go out, modifies the bank details, and sends the altered invoice to you from the vendor's real mailbox. You pay the attacker's account. The vendor doesn't get paid and resends the invoice with the correct account. You realize you paid twice, or you don't realize until the vendor's collections department calls.

The Spear-Phishing Attack
Attacker researches your company for weeks (LinkedIn, your website, press releases) and knows your CFO's name, your biggest client's name, and your project timeline. Sends a targeted email from a lookalike domain asking for an urgent wire. Your CFO recognizes the details and sends the wire.

The HR Data Request
Attacker impersonates the IRS, a benefits administrator, or an attorney requesting W-2s or employee SSNs. Small businesses hand over this data routinely because the request seems legitimate. Those records sell for $5-$20 each on dark web marketplaces.

What It Costs

Prevention:

  • SPF/DKIM/DMARC setup: $0 (DNS records you publish; no license cost with Microsoft 365 or Google Workspace)
  • DMARC monitoring service: $0-$50/month
  • Employee training: $500-$2,000/year for phishing simulations
  • Email filtering with impersonation protection: $5-$15/user/month

If You're Hit:

  • Wire transfer losses: $10,000-$250,000 (usually unrecoverable)
  • Vendor relationship damage: Hard to quantify
  • Customer trust erosion: Hard to quantify
  • Regulatory notification costs (if employee/customer data exposed): $1,000-$50,000+
  • Legal fees: $5,000-$50,000

What Stops Each Method

Direct Spoofing: SPF + DKIM + DMARC
SPF says "only these servers can send for my domain," and DKIM signs outgoing mail with a key published in DNS. But SPF checks the envelope sender (MAIL FROM), which in the example above was attacker@some-server.com, so SPF on its own never looks at the forged From header. DMARC is what ties them together: it requires SPF or DKIM to pass for a domain that aligns with the header From, and p=reject tells receivers to refuse anything that does neither. This stops most direct spoofing of your exact domain.
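An added example, not the article's code, that runs the spoofed session from Method 1 through the SPF and DMARC logic just described. All DNS records, IP addresses and DKIM results are constructed stand-ins (no network lookups), and the toy SPF evaluator handles only ip4 and all mechanisms. It shows the point that matters: SPF passes for the attacker's own domain, and only DMARC alignment rejects the forged From.

```python
"""Added example: how DMARC judges the spoofed SMTP session from Method 1.
DNS records, IPs and DKIM results are constructed stand-ins, not real lookups."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed: the article's session, split into envelope sender and message.
SPOOF_MAIL_FROM = "attacker@some-server.com"
SPOOF_MESSAGE = """\
From: "John Smith" <ceo@yourcompany.com>
To: victim@customer.com
Subject: Urgent Wire Transfer

Please wire $15,000 to the attached account immediately.
"""

# Constructed stand-ins for the DNS TXT records a receiver would query.
SPF_RECORDS = {
    "some-server.com": "v=spf1 ip4:203.0.113.0/24 -all",   # attacker's own, perfectly valid SPF
    "yourcompany.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
DMARC_RECORDS = {
    "yourcompany.com": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@yourcompany.com",
}


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def org_domain(domain):
    # Simplified organizational domain (last two labels); real code uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def parse_tags(record):
    # "v=DMARC1; p=reject; aspf=r" -> {"v": "DMARC1", "p": "reject", "aspf": "r"}
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}


def spf_check(mail_from, client_ip):
    """Minimal SPF: ip4 CIDR mechanisms and a terminal -all/~all. Returns (result, domain)."""
    domain = domain_of(mail_from)
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none", domain
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass", domain
        if mech in ("-all", "~all"):
            return "fail", domain
    return "neutral", domain


def aligned(auth_domain, from_domain, mode):
    # Strict ("s"): exact match. Relaxed ("r"): same organizational domain.
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(mail_from, raw_message, client_ip, dkim_domain=None, dkim_result="none"):
    """Apply the header-From domain's DMARC policy. The DKIM verdict is passed in
    (verifying a signature needs the key); the alignment logic is the point here."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    policy = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if not from_domain or policy is None:
        return {"from_domain": from_domain, "dmarc": "none", "action": "deliver"}
    tags = parse_tags(policy)
    spf_result, spf_domain = spf_check(mail_from, client_ip)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain.lower(), from_domain, tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    action = "deliver" if passed else {"reject": "reject", "quarantine": "quarantine"}.get(
        tags.get("p", "none"), "deliver")
    return {"from_domain": from_domain, "spf": spf_result, "spf_domain": spf_domain,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail", "action": action}


if __name__ == "__main__":
    # The article's spoof, sent from the attacker's own SPF-listed server: SPF passes, DMARC rejects.
    print(dmarc_disposition(SPOOF_MAIL_FROM, SPOOF_MESSAGE, "203.0.113.5"))
    # Same headers from the company's listed server: aligned, delivered.
    print(dmarc_disposition("ceo@yourcompany.com", SPOOF_MESSAGE, "198.51.100.10"))
```

The third case in the test, a vendor platform whose envelope domain is its own but which DKIM-signs with d=yourcompany.com, is the normal way third-party senders are made to pass DMARC, and it is why step 2 of the rollout below is about finding those senders before you move to p=reject.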

Lookalike Domains: Domain Monitoring + Email Filtering + User Training
No technical control fully stops lookalike domains. You can't control what others register, and DMARC on your own domain says nothing about a domain the attacker owns and has set up SPF and DKIM for correctly. What helps: defensively registering the obvious variants, domain monitoring services that alert you when someone registers something similar, mail filtering that warns on newly registered or near-match sender domains, and training employees to verify requests through a separate channel, which catches the rest.

Display Name Spoofing: Email Filtering + User Training Modern email filtering in Microsoft 365 and Google Workspace can flag mismatches between display name and actual sender. User training helps employees recognize this.

Compromised Accounts: MFA + Anomaly Detection
MFA stops most credential-based account takeovers, though phishing kits that proxy the real login page can steal the session after a push or one-time code; phishing-resistant methods (FIDO2 security keys, passkeys) close that gap. If an account is compromised anyway, anomaly detection flags unusual activity: sign-ins from a new location or device, new inbox rules that forward or hide mail, and bulk downloads.

Minimum Viable Implementation

  1. Set up SPF, DKIM, and DMARC. Microsoft 365 and Google Workspace supply the SPF include and can DKIM-sign your mail, but DKIM signing for your own domain has to be turned on and its DNS records published, and DMARC is never automatic: you publish the _dmarc TXT record yourself. Check that all three are actually in DNS.

  2. Publish DMARC with p=none for about 4 weeks and collect aggregate reports (the rua address). Learn what's sending "from" your domain: your mail platform, but also the CRM, invoicing, and newsletter tools that send as you. Get their SPF or DKIM aligned, then move to p=quarantine and finally p=reject.

  3. Enable Microsoft 365 or Google Workspace impersonation protection. Both offer features that flag when external senders use your company or employees' names (impersonation protection in Microsoft Defender for Office 365 anti-phishing policies; Gmail's spoofing and authentication safety settings). Enable them.

  4. Train employees on verification procedures. Any request involving money, gift cards, sensitive data, or changed payment information must be verified through a separate channel (phone call to known number).

  5. Monitor for lookalike domains. Services like DomainTools, CrowdStrike, or your IT provider can alert you when domains similar to yours are registered.
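An added example (not the article's or any vendor's code) of reading the aggregate reports that step 2 produces. The XML is a constructed report in the standard rua layout, with three sending sources: the company's own mail server, a CRM vendor sending as the company without alignment, and the spoofing server from Method 1. The function summarizes each source, whether it aligned, and which domain it did authenticate as, which is what tells you whether a source is a vendor to onboard or someone spoofing you. The 98% threshold in next_policy is an assumption for this example, not a standard.

```python
"""Added example: summarize a DMARC aggregate (rua) report during the p=none phase.
The report XML is constructed; real reports arrive zipped, by email, from each receiver."""
import xml.etree.ElementTree as ET  # reports are attacker-influenced input: use defusedxml in production

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1710000000.1</report_id>
    <date_range><begin>1710000000</begin><end>1710086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>acmecorp.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acmecorp.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>acmecorp.com</domain><result>pass</result></dkim>
      <spf><domain>acmecorp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acmecorp.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acmecorp.com</header_from></identifiers>
    <auth_results>
      <spf><domain>some-server.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Per-source volume, DMARC alignment verdict, and which domains the source authenticated as."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        # Raw results: what the source proved about itself, aligned with our domain or not.
        authed = {f"{tag}:{r.findtext('domain')}" for tag in ("dkim", "spf")
                  for r in rec.findall(f"auth_results/{tag}") if r.findtext("result") == "pass"}
        rows.append({"source_ip": rec.findtext("row/source_ip"), "count": count,
                     "header_from": rec.findtext("identifiers/header_from"),
                     "verdict": "aligned" if aligned else "unaligned",
                     "authenticated_as": sorted(authed)})
    total = sum(r["count"] for r in rows)
    aligned_count = sum(r["count"] for r in rows if r["verdict"] == "aligned")
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "total": total,
            "aligned_pct": round(100 * aligned_count / total, 1) if total else 0.0,
            "sources": sorted(rows, key=lambda r: -r["count"])}


def next_policy(summary, min_aligned_pct=98.0):
    """Suggest the next rollout step. The threshold is an assumption, not a standard; what
    matters is that every unaligned source has been identified as a vendor or as abuse."""
    if summary["aligned_pct"] < min_aligned_pct:
        return "stay at p=none and fix the unaligned senders"
    return {"none": "p=quarantine", "quarantine": "p=reject"}.get(summary["policy"], "p=reject")


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(s["domain"], s["policy"], f"{s['aligned_pct']}% aligned of {s['total']}")
    for src in s["sources"]:
        print(f"  {src['source_ip']:15} {src['count']:5} {src['verdict']:10} {src['authenticated_as']}")
    print("next step:", next_policy(s))
```

In the sample, 192.0.2.25 authenticates as crm-vendor.example, so the fix is to have that vendor DKIM-sign with d=acmecorp.com or add its SPF include; 203.0.113.5 proves only that it is some-server.com, which nobody in the company recognizes, and that is the spoofing p=reject will stop.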

Vendor Questions (Copy/Paste)

  1. "Does your email filtering flag when the display name shows our company name but the actual sender is external?"

  2. "Can you detect and alert us when someone registers a domain similar to ours?"

  3. "What percentage of impersonation attempts get blocked vs. flagged for user review?"

  4. "Do you have any controls to warn users when an email comes from a newly registered domain?"

  5. "What's your false-positive rate for impersonation detection?"

When to Hire Help

DIY-friendly if:

  • Using Microsoft 365 or Google Workspace
  • Simple email setup (no complex routing)
  • Have someone who can verify SPF/DKIM/DMARC are configured

Get professional help if:

  • You've already been targeted by impersonation attempts
  • Complex email environment (multiple domains, third-party email senders)
  • No internal capacity to monitor DMARC reports
  • High-risk position (frequent wire transfers, valuable vendor relationships)

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.