Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Email impersonation scams: What are the types and how to protect your business against them?

Email impersonation
Email impersonation is the common reason why organisations suffer a data breach. Here are the types and ways you can protect your business against them.

Email impersonation scams: What are the types and how to protect your business against them?

For the longest time, employees have been the constant target of bad actors simply because they have the level of access that could penetrate the organisation’s cybersecurity. This could be in the form of hacking for passwords, phishing, and, the most common, email impersonation scams.

Email impersonation, defined.

Email impersonation is a type of phishing in which a fake email address that looks like a real one is used. Attackers use slightly different email addresses and sender names to make users think the message is real. They may pretend to be the target company’s employees, vendors, or business partners to get the user to give them sensitive information like intellectual property or payroll data, transfer money, or enter their login information into a fake website to steal it (credential harvesting).

Haunting consequences 

When there is a breach of personal data due to a successful email impersonation scheme, consequences include:

  • A hefty financial penalty from the PDPC, which could range up to S$1,000,000. 
  • Besmirched reputation
  • Loss of client’s trust from customers, both current and potential ones.

This is why it is of a great deal that organisations must not be negligent in setting up security arrangements and cybersecurity policies, as a successful breach could mean a great deal to them. As to extent, a data breach could end an organisation. 

Types of email impersonation

1. Root Domain-Based Impersonation

Most businesses have a unique root domain that shows up on all of their emails. Some examples are [email protected] or [email protected]. Microsoft and Capital One are the root domains in these examples. In the case of root domain-based impersonation, cybercriminals use replacement characters to make root domains that look like these real ones. A reader can see a small change if they look closely, like a letter that has been changed to a number.

2. Top-Level Domain-Based Impersonation

The top-level domain is the part of a website or email address that tells you where it’s from or what kind of business it is. Here are a few common top-level domains:

  • .au: Australian company
  • .com: Business
  • .de: German company
  • .edu: Educational institution
  • .gov: U.S. government agency
  • .org: Nonprofit organization
  • .uk: UK-based company

Some fake email addresses look like real ones, but the top-level domains are not the same. For example, the email address could end with the domain of a different country or type of institution. Many people won’t notice that the address is wrong because it looks close.

3. Subdomain-Based Impersonation

Most email addresses don’t have a subdomain, so this kind of impersonation happens less often. A cybercriminal can use the subdomain in two main ways to make a fake email address. One way is to change both the domain and subdomain.

For example, instead of writing [email protected], a cybercriminal might make an address like [email protected], which may look real but isn’t the real company email or subdomain. “microsoft” is the subdomain in this case, and “mailerinfo” is the domain. The company name can also be split between a subdomain and a domain, as in [email protected].

4. Display name impersonation

The display name is how an email client shows the name of the sender. When a person sets up an email account, they can choose how they want their display name to look. The name on the account may not always match the username. For example, the username might be [email protected], but the display name might be “Microsoft Customer Services,” if that’s what the cybercriminal chose when they set up their account. 

Some popular email platforms only show the display name to the person who receives the email. If the person who gets the email doesn’t look for it, they won’t see the real email address. This makes it easy for the recipient to know who is contacting them, but it also makes it easy for attackers to use a display name as their own.

5. Username impersonation

Username impersonation is one of the least complicated ways to pretend to be someone else, but it can still fool people who don’t know what’s going on. In this case, the cybercriminal makes an email account that looks like it belongs to someone else. They might make these addresses on Yahoo or another free email service. For example, if an executive at a company has an email address like [email protected], a bad actor could make one like [email protected].

Employees have been the constant target of bad actors simply because they have the level of access that could penetrate the organisation’s cybersecurity.

Due to the pandemic, businesses have been forced to go digital. Their employees were forced to work from home and finish their deliverables online. While reports had been made regarding the level of comfort that employees experienced, it’s been a nightmare for business owners as email impersonation scams arose, taking advantage of this setup. 

Rising cases of business email impersonation scams as scammers take advantage of more working from home

Singapore – Scammers have been pretending to be business partners or supervisors in order to get employees to reply to emails that look like they are from work so they can steal their money. 

Most of the time, these email addresses are simple misspellings of real business email addresses, like leaving out a letter or replacing numbers with letters that look similar. 

Police said that more than $9.2 million was lost in these kinds of scams in the first three months of this year. This is a 30% rise in the number of reported cases but a 28% drop in the amount of money stolen over the same time period in 2019.

During this time, the scams are pertinent because many companies have employees who work from home and may need them to process payments remotely. The police said that scammers probably take advantage of this situation to try to trick more people since the way people work can make it harder to keep an eye on them. 

Police said that people who fell for scams lost a total of $41.3 million in the first quarter of 2020. E-commerce and loan scams were among the most common types of scams. In other cases, the scammers pretended to be the victims’ bosses and asked them to buy iTunes or Google Play cards and send them the redemption codes after paying for the cards. 

Email impersonation is a type of phishing in which a fake email address that looks like a real one is used.

Protection against email impersonation attacks

Since email is still the main way businesses communicate with each other, it is important to protect against impersonation attacks and reduce the security risks of email. Organizations that want to make sure they have full protection should focus on training their employees to be aware and on machine-intelligent security solutions that stop impersonation emails from getting to employees’ inboxes.

Training for employee awareness

Email attacks can only be stopped if employees know about them. These are getting harder to spot because they are getting more complicated. This problem can be fixed by teaching people about security. 

This training should be thorough and made to fit the needs of each organisation. It can help employees spot the obvious signs of email impersonation: 

  • Using a subdomain to look like a company’s main domain 
  • Using a fake display name 
  • Using a fake username 
  • Changing characters in the root domain 

Employees should also learn to look for signs of social engineering in addition to these signs of email impersonation. One common sign is an “urgent” email asking for action right away. 

Employing machine-intelligent email security solutions

Using email security solutions with machine intelligence should be a part of any complete security plan. Employees can only be aware of so much. Traditional secure email gateways are a good start, but they are not enough to protect businesses from targeted and sophisticated attacks. Organizations have the best chance of finding and stopping email impersonation attacks when they use machine-intelligent email security tools. These solutions can tell when someone is impersonating you in an email because they understand the local context, communication relationships, and behavior in an organisation. 

A DPO can help 

An outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

DPOs complement the efforts of Organizations in making sure that the organisation’s email environment is safe from any threat actor who wanted to infiltrate its servers and system in general. It also ensures that policies are set in place, and employees are well aware of the danger that email impersonation brings. 

How Privacy Ninja can help

Email spoofing activities could be a potential threat to the growth of your business. While it is true that there are good cyber hygiene practices that you should always follow to prevent bad actors from having access to your system, there is a way for you to identify if your organization’s email domain could be vulnerable to any phishing attack. This can be done through an email spoofing vulnerability test.

Privacy Ninja offers a free non-obligatory email spoofing vulnerability test that you can request anytime. All you have to do is email us at ([email protected]) and determine if your email can be prone to phishing attacks. 

What are you waiting for? Contact Privacy Ninja now!

Also Read: Choosing a penetration testing vendor: Your complete checklist in Singapore



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us