Business impersonation: How to spot and avoid impersonation fraud
Picture this: Your team has decided to purchase new software. You settle on a vendor, sign a contract, and make the first quarterly payment — but the software never comes, and every email you send to your contact at the company goes unanswered. In frustration, you reach out to customer service to learn that they have no record of your business or the payment you just made.
You’ve just fallen victim to business impersonation, a nefarious type of fraud that resulted in more than $1 billion of losses in 2023, according to the FTC.
Below, we take a closer look at what business impersonation is and the different tactics fraudsters might use in their impersonation attempts. We also offer a number of safeguards you can implement to better protect your business against this potentially costly threat.
What is business impersonation?
Business impersonation is a type of fraud where a bad actor impersonates a legitimate business to engage in some type of fraudulent activity. It’s also sometimes called brand impersonation or, fittingly, business identity theft.
Fraudsters engage in business impersonation for various reasons. Sometimes, they impersonate a legitimate business to trick an individual or business into purchasing a product or service that will never come. Or, if the product or service does come, it may not be to the standard that was expected. Sometimes, they impersonate a legitimate business — like a bank, social media company, or software vendor — to engage in phishing attacks with a goal of stealing sensitive financial information or login credentials that can be used for account takeover (ATO) attacks. They could even impersonate your own business to engage in phishing attempts against your employees.
Whatever the case, business impersonation can have significant negative impacts on your business, both in the form of financial losses as well as lost productivity. If the attack results in customer information becoming compromised, it can even open you up to legal and regulatory action.
It’s also important to note that impersonation fraud can damage the reputation of the brand being impersonated, as it may receive negative reviews and media attention.
Business impersonation vs. fraudulent misrepresentation
Fraudulent misrepresentation occurs when a business makes a false statement to trick a second party into making a purchase or entering a contract. With this in mind, business impersonation can fall under the umbrella of fraudulent misrepresentation, but not all misrepresentation will rise to the level of impersonation.
Government impersonation
Government impersonation is similar to business impersonation, except instead of impersonating a business, the fraudster impersonates a government body. This can include the Internal Revenue Service (IRS), Federal Trade Commission (FTC), or other federal agencies and regulators — as well as state and local offices. As with business impersonation, the goal behind government impersonation is often to steal payments, financial information, or login credentials to sensitive accounts.
Business impersonation tactics
Fraudsters looking to engage in business impersonation can leverage a number of different tactics — often in coordination — depending on their specific goals, including:
Cloned websites
If a fraudster is impersonating a legitimate business, they may attempt to clone that business’s website to trick current or prospective customers — often leveraging GenAI tools to streamline the process.
Fraudsters also often leverage URL hijacking, also called typosquatting, to engage in these attacks. URL hijacking is a strategy where a fraudster registers a URL that is very close to a legitimate brand’s web address in the hopes that a customer won’t notice the discrepancy. This can include URLs that:
Misspell a legitimate brand’s URL; e.g., Faceboook.com instead of Facebook.com
Pluralize a legitimate brand’s URL; e.g., Facebooks.com
Leverage a different top-level domain; e.g., Facebook.org
Add a legitimate-sounding word to the URL; e.g., Facebookapp.com
Often, the goal is to get an existing customer to try logging in to their account on the cloned website, allowing the fraudster to steal those login credentials and take over the customer’s actual account. Alternatively, the goal may be for the customer to engage in a transaction on the cloned site, allowing the fraudster to steal either the funds used in the purchase or the customer’s financial information.
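A defensive check that classifies a domain, URL, or sender address against the four lookalike patterns above. This is an added example, not code from the article or from Persona; the allowlist of legitimate domains is a constructed assumption that your organization would maintain itself.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the legitimate domains your staff interact with.
LEGIT_DOMAINS = {"facebook.com", "okta.com", "persona.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(value: str) -> Tuple[str, str]:
    """Reduce a URL, email address, or bare host to (label, tld), e.g. ('faceboook', 'com')."""
    host = value
    if "://" in value:
        host = urlsplit(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def classify_lookalike(value: str) -> Optional[str]:
    """Return the lookalike category, or None for an exact match or an unrelated domain."""
    label, tld = registrable(value)
    if f"{label}.{tld}" in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        brand, brand_tld = legit.split(".", 1)
        if label == brand and tld != brand_tld:
            return "tld-swap"            # facebook.org
        if label == brand + "s":
            return "pluralization"       # facebooks.com
        if label != brand and brand in label:
            return "appended-word"       # facebookapp.com
        if levenshtein(label, brand) <= 2:
            return "misspelling"         # faceboook.com
    return None
```

Running the check on the From: domain of inbound mail, or on link targets before a user follows them, turns the manual "look for typos" advice into an automated flag.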
Email phishing attacks
Likewise, a fraudster may impersonate a legitimate business to send phishing or spear-phishing emails. As with cloned websites, these emails often duplicate a legitimate business’s branding, voice, and design to trick the recipient into trusting it.
These phishing emails may install malware on the recipient’s device if the recipient clicks a malicious link within the email. Alternatively, the link may bring the recipient to a cloned website where they are encouraged to enter their credentials — again, facilitating an account takeover. They can also be used to extort funds directly from the recipient.
While business impersonation emails can take many forms, the FTC notes that some of the most common include:
Fake account security alerts; e.g., stating that your account has been compromised and directing you to a link to reset your password
Phony giveaways or discounts; e.g., stating that you qualify for a discount if you fill out a form
Fraudulent subscription renewals; e.g., stating that your account is past due and you must renew your subscription or lose access
Social media impersonation
A fraudster impersonating a brand may also open fake social media accounts under the brand’s name — cloning their legitimate accounts in much the same way as they’d clone a website — to direct customers to a fake website or engage in phishing attempts or other forms of fraud.
Some fraudsters may even go a step further, creating fake social media profiles for key figures within the company they are impersonating, such as the CEO or other executives. This extra step gives the fake brand an air of legitimacy, making it more difficult to tell the difference between the impersonator and the business they are impersonating.
How to protect your business
However damaging it might be to fall victim to business impersonation, the good news is that there are steps you can take to protect your business. Some protective measures include:
Implementing a comprehensive KYB process for all new business partners
Know Your Business (KYB) is the process of verifying the legitimacy of any business your company is considering engaging with. The goal of KYB is typically to a) determine whether a company actually exists, and b) evaluate the risks posed by the company and its owners.
KYB helps protect against impersonation fraud by establishing an additional layer of security and scrutiny for fraudsters to get through. By requiring any business your company might potentially engage with — including suppliers, vendors, distributors, etc. — to go through KYB, you decrease the odds that a fraudster impersonating a legitimate business will slip through the cracks.
While your KYB process should be tailored to your company’s specific needs, some potential checks to help you weed out business impersonation include:
Business online credibility analysis
TIN validation
Business registration number validation
VAT validation (for EU businesses)
While you can (and should) check individual aspects of a business — its website, documents, business identification number, etc. — to deter fraud, a more effective strategy is cross-checking these signals. For instance, you’ll want to make sure that the official address listed on the business documents actually appears on its website or that the stated business purpose also matches the content of the website.
Link analysis to surface suspicious connections
When fraudsters successfully carry out fraud attacks, they often reuse the assets to carry out additional attacks — things like email addresses, phone numbers, physical addresses, AI-generated selfies, and more. Alternatively, they may share or swap those assets with other fraudsters, especially if they are part of a large-scale fraud ring.
Link analysis helps catch these instances by surfacing suspicious links so you can investigate them further and determine whether the shared assets are a coincidence or a sign of the same actor behind multiple identities.
Say, for example, your business recently onboarded an independent contractor. A month later, another contractor tries to engage with you. Via link analysis, you discover that both contractors share a suspicious number of links with each other — including IP address, device fingerprint, and browser fingerprint — which leads you to believe that they may be the same person. Link analysis empowers you to ask questions of both individuals or else simply stop engaging with them out of an abundance of caution.
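The contractor scenario above, as an added example of the link analysis itself (this is not Persona's Graph product or code from the article). The onboarding records are constructed sample data, and the evidence weights are an assumption: a shared device fingerprint is stronger evidence than a shared IP address.

```python
from collections import defaultdict
from itertools import combinations

# Constructed onboarding records (not real applicants).
RECORDS = [
    {"id": "contractor-A", "email": "a@mail.test", "phone": "+15550001", "ip": "203.0.113.7",
     "device_fp": "dev-1a2b", "browser_fp": "ua-77", "address": "1 Main St"},
    {"id": "contractor-B", "email": "b@mail.test", "phone": "+15550002", "ip": "203.0.113.7",
     "device_fp": "dev-1a2b", "browser_fp": "ua-77", "address": "9 Oak Ave"},
    {"id": "vendor-C", "email": "c@mail.test", "phone": "+15550003", "ip": "198.51.100.3",
     "device_fp": "dev-9z9z", "browser_fp": "ua-12", "address": "1 Main St"},
]
LINK_FIELDS = ("email", "phone", "ip", "device_fp", "browser_fp", "address")
# Assumed evidence weights: a shared IP or address alone is weak; a shared device is strong.
WEIGHTS = {"email": 3, "phone": 3, "device_fp": 3, "browser_fp": 2, "ip": 1, "address": 1}

def build_index(records):
    """Invert the records: (field, value) -> set of record ids sharing that asset."""
    idx = defaultdict(set)
    for r in records:
        for f in LINK_FIELDS:
            idx[(f, r[f])].add(r["id"])
    return idx

def shared_links(records):
    """Return {(id1, id2): [fields shared]} for every pair that shares at least one asset."""
    links = defaultdict(list)
    for (field, _value), ids in build_index(records).items():
        for pair in combinations(sorted(ids), 2):
            links[pair].append(field)
    return dict(links)

def flag_pairs(records, threshold=4):
    """Pairs whose weighted link score reaches the threshold, strongest first."""
    flagged = []
    for pair, fields in shared_links(records).items():
        score = sum(WEIGHTS[f] for f in fields)
        if score >= threshold:
            flagged.append((pair, score, sorted(fields)))
    return sorted(flagged, key=lambda t: -t[1])
```

Contractors A and B share an IP, device fingerprint, and browser fingerprint and are flagged for review; vendor C shares only a street address with A, which on its own stays below the threshold.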
Educating employees about phishing threats
If you are concerned about business impersonation scams being used to phish sensitive information from your employees, it’s important to educate your team about these threats. This might include training sessions designed to illustrate the common tactics that phishing emails often take to con their recipients.
Some best practices you might instruct your employees to follow to avoid phishing scams include:
Never clicking on a link or downloading a file attached to an email or social media message from an unknown sender
Never sharing sensitive information (such as login credentials, banking details, etc.) over email or social media, even if you believe the recipient to be legitimate
Double-checking the domain in the sender’s email address to ensure it matches the legitimate company’s domain, paying special attention to typos or misspellings
When in doubt, navigating directly to the company’s website (ignoring any links in the email) to take further actions, such as resetting a password or renewing a subscription
Staying up to date with software updates across all devices, including smartphones and computers, to quickly resolve known security issues
Taking steps to avoid account takeover
Of course, educating your employees only goes so far — and with the proliferation of AI-enabled phishing scams, it’s becoming more and more difficult for even experts to identify phishing attempts 100% of the time.
So how can you protect yourself against employee slip-ups? Enforcing two-factor or multi-factor authentication (MFA) can be a big help, especially against bot-powered attacks.
For accounts that you directly control — such as proprietary workforce accounts or identity management services (like Okta) that employees must sign into to access work files or sensitive data — it can be a good idea to periodically reverify the identity of your employees to avoid account takeover attempts. For example, you can trigger reverification if an employee tries to access their work account from an unrecognized device, unfamiliar IP address, or location far from where you know they’re based (such as another state or country).
Avoid business impersonation with Persona KYB
Persona’s flexible suite of identity tools can be used to implement many of the protections discussed above so your organization doesn’t inadvertently engage with a fraudster impersonating a legitimate business.
Design a KYB process that makes sense for your unique needs — including anything from business document verification to UBO verification, Secretary of State screenings, VAT validation, address lookups, and more. Use Persona’s link analysis tool, Graph, to identify suspicious links between your business partners and known or suspected fraudsters. Verify and reverify your employees’ identities to shield yourself against damaging account takeover attacks.
Ready to see how Persona can help protect your business against business impersonation? Request a custom demo today or get in touch with any questions.