Security magazine sits down with Amber Johanson, Mimecast SVP of Global Sales Engineering, to discuss brand impersonation attacks.


Security: What is your background?

Johanson: I joined Mimecast in 2021 as the senior vice president for the global sales engineering organization. Prior to joining Mimecast, I spent time at Symantec, Veritas, Zerto and Forcepoint. I have extensive experience in supporting go-to-market strategies and driving systems engineering, sales, and services for technology companies. 

I am a proud U.S. Navy veteran, and in one of my previous roles, I started an employee resource group to help mentor and guide veteran employees. I’m passionate about helping veterans succeed, and I firmly believe our sector provides a great home for veterans to use the valuable skills they acquire while in service. 


Security: Can you talk about the increase in brand impersonation attacks?

Johanson: Brand impersonation attacks are a real and imminent threat across the cybersecurity landscape. Mimecast’s 2022 State of Email Security Report found that 90% of organizations experienced an impersonation attack over the previous 12 months. This sharp uptick largely stems from societal shifts to hybrid workplace structures at the onset of COVID-19.

According to the Mimecast 2021 State of Brand Protection Report, companies on the BrandZ Top 100 Most Valuable Global Brands 2020 list experienced a 381% rise in brand impersonation attacks over May and June of 2020 compared to before the pandemic. New domains suspected of brand impersonation also rose by 366%.

There are two primary types of impersonation attacks. The first is internal attacks, where threat actors disguise themselves as part of the organization’s IT team to trick remote employees into clicking a malicious link under the guise of technical support. In these cases, hackers are heavily leveraging third parties, MSPs, and logical outsourcing to replicate a trusted source.

The second type of impersonation attacks target an organization’s external supply chain, customers, and partners. Oftentimes hackers will reference real-world events during these attempts to make end-users drop their suspicion of disbelief and assume it is an authentic message. This is why there was such an uptick in attacks at the onset of the pandemic — everyone was seeking real-time updates, and threat actors used it to their advantage. 

Security: Why are threat actors pivoting to this tactic?

Johanson: The hybrid culture has evolved the way employees interact with one another, moving traditional in-person communications regarding sensitive and confidential information to email and collaboration channels like Slack and Microsoft Teams. Now, all those interactions have transformed into high-value unstructured data assets that can be stolen and leveraged for monetary gain, digital extortion, and state-sponsored intelligence. This evolution of business communications has expanded the attack surface exponentially. 

Opportunistic threat actors have done their homework, capitalizing on additional vulnerabilities enabled by cloud-based hybrid employees who are experiencing “change fatigue” from following different sets of rules and guidelines, depending on the environment they are working in. Those employees are more susceptible to falling victim to an impersonation attack. 


Security: Why and how should organizations protect themselves and their users from brand impersonation attacks?

Johanson: There’s no silver bullet to eradicating impersonation attacks, but there are proactive steps organizations can take to strengthen their security posture against them. As risks and complexities increase, companies need to remain secure and resilient. It starts with being able to understand and articulate risk. After all, it takes just one successful impersonation attack to cause irreparable damage to a brand, whether from an operational, financial, or reputational perspective.

Once you understand that reality, you can determine your risk level relative to hybrid workplace vulnerabilities, data storage, web real estate, the attack surface, and threat actor TTPs.

Organizations should implement a security framework that protects their most vulnerable attack vector: the intersection of business communications, people, and data. This approach is the most effective way to navigate the modern threat landscape.

Does your company leverage the right advanced email and collaboration security products, AI and machine learning tools, and API integrations that simplify the complexities of tool sprawl and actively safeguard data? From a people perspective, is there a strong commitment to cybersecurity at the executive level? Do employees fully understand the severity of the situation and the harm an impersonation attack could cause their company? Are they engaged in cybersecurity best practices and continuous user awareness training?

These are the questions that need to be addressed in order to foster collective buy-in around the concept that cybersecurity is a team sport — we’re all in this together.


 In addition, it’s critical to implement Domain-based Message Authentication Reporting and Conformance (DMARC) for all email services. DMARC is an email authentication, policy, and reporting protocol that layers on two protocols already widely used by organizations: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). If a particular email fails both protocols, DMARC helps receiving mail servers determine whether to accept, block, or quarantine the message. By leveraging DMARC, organizations can set policies that help prevent spoofed emails from reaching employees, customers, and supply chain partners. 

Security: What are some tips for organizations to retain brand trust during an attack? 

Johanson: Maintaining trust is critical to a brand’s sustained success and growth trajectory. While it can take years to build strong levels of trust among your customer base, that connection can be destroyed in a matter of seconds by a single spoofed email. Mimecast’s 2021 State of Brand Protection Report found that most consumers (61%) would lose trust in their favorite brand if their money was stolen after disclosing personal information to a spoofed version of its website. And with consumer brand loyalty more volatile than ever amid economic inflation and supply chain disruptions, organizations need to be doing everything in their power to prevent impersonation attacks.


 However, in reality, the current volume of impersonation attempts won’t slow down anytime soon — so organizations must have a proactive response plan in place that establishes transparency with their customers before, during, and after an attack. Being open and honest about the root cause of the threat, as well as what measures are being implemented to alleviate the issue and prevent it from happening again, is a good place to start.