When Familiar Faces Become Cyber Threats
Recently, we worked with a small business that experienced an email impersonation attack. It didn’t start with malware alerts or a suspicious-looking email, because nothing malicious had technically happened yet.
It started with an invoice. One we have seen play out more than once recently with small businesses. In this case, the email came from a known vendor, a company the business had worked with for years. The tone was normal, and the timing made sense. The attachment looked exactly like what it claimed to be, an invoice that needed review.
No urgency. No broken grammar. No obvious red flags.
Someone clicked, and within minutes, that single click was used to turn something ordinary into something much bigger. The attacker gained access to the employee’s email account and immediately used it to send the same message to more than 30 trusted contacts. Clients, partners, and vendors who recognized the sender’s name and had no reason to question it.
We were alerted quickly and stepped in to contain the activity, limiting how far it could spread. Access was shut down, the account was secured, and the spread was stopped before it could go further. But by the time everything was under control, the reality was clear. The damage was no longer limited to a single inbox.
Trust did not just open the door; it multiplied the impact.
This Is What Modern Cyberattacks Actually Look Like. For a long time, businesses were taught to look for obvious warning signs: strange sender addresses, poor spelling, generic greetings, messages that felt off the moment you opened them. Those attacks still exist, but they are no longer the ones causing the most damage.
What we are seeing now, especially with small businesses, are attacks built around familiarity, not mistakes. Instead of trying to trick someone with something that looks suspicious, attackers are inserting themselves into normal business workflows. Invoices, file reviews, payment questions, vendor communications…things employees handle every day without thinking twice.
In many cases, the attacker does not even need to create a fake message from scratch. They gain access to a real email account and simply reuse what already works. Same language, formatting, and timing. From the employee’s perspective, nothing feels wrong because nothing looks wrong. That is what makes these attacks so effective.
Check out this infographic to visually see how a socially engineered cyberattack unfolds→
Let’s take a close look at three cyberthreats that exploit trust and are affecting small businesses.
Common Impersonation Attacks Targeting Small Businesses
Email Impersonation
Email impersonation attacks occur when an attacker poses as a person or organization the business already trusts. That may be a vendor, a customer, a partner, or even someone internal.
These messages are designed to blend into normal business communication. Invoices, shared documents, payment questions, or routine follow-ups are common entry points. The goal is not to raise suspicion, but to prompt a normal response.
In some cases, the sender’s email account has been compromised. In others, the attacker closely mimics a real address and writing style. Either way, familiarity lowers hesitation and increases the chance of engagement.
When an attacker gains access to a legitimate email account, the risk extends well beyond that one inbox.
With access, a cybercriminal can:
-
Read existing conversations to understand relationships, timing, and tone
-
Send messages from a trusted address to clients, vendors, or internal staff
-
Distribute malicious attachments or links that appear legitimate
-
Request payments, documents, or credentials under the guise of routine business
-
Use the account to move laterally, targeting additional contacts without raising suspicion
Because the activity comes from a real account, it often blends into normal email traffic. The attacker’s advantage is not stealth, but credibility.
The longer an account remains compromised, the more trust can be leveraged and the harder it becomes to contain the downstream impact.
Voice Impersonation and Vishing
Voice-based impersonation, often referred to as vishing, uses phone calls instead of email to exploit trust.
Attackers pose as vendors, IT support, financial contacts, or leadership and rely on urgency and authority to drive quick action. These calls often reference real projects, known names, or recent activity to sound legitimate.
Because the interaction is live, there is less time to pause or verify. When the voice sounds right and the request feels routine, trust can override caution.
Information gathered during a vishing call is rarely the end goal. Attackers use it to add context and credibility to whatever comes next. Names, processes, current projects, or confirmation of how things are normally handled can all be leveraged to make future emails or calls sound informed and routine. When follow-up communication references real details, it feels legitimate, which lowers hesitation and increases the chance of action. In many cases, the phone call is simply a way to prepare a more convincing impersonation across email or other channels.
Deepfakes and AI-Driven Impersonation
Deepfakes and AI-generated impersonation represent the next evolution of trust-based attacks. Using artificial intelligence, attackers can generate realistic voices, emails, and messages that closely match how a real person communicates. These techniques are often used to impersonate executives or key decision-makers, but they can also be applied to vendors, partners, or internal staff.
Rather than introducing something obviously suspicious, AI-driven impersonation is used to reinforce existing requests and conversations. Messages sound informed, consistent, and believable because they are modeled on real communication patterns. As these tools become more accessible, impersonation no longer requires direct access to a person or their account, only enough data to convincingly replicate them.
How Businesses Can Reduce the Risk of Trust-Based Attacks
Trust-based attacks cannot be eliminated entirely, but their impact can be significantly reduced. Layered security helps limit how far an incident can spread by monitoring for abnormal behavior, protecting email and endpoints, and securing access to critical systems. Strong identity and authentication controls reduce the likelihood that impersonation, whether through email, phone calls, or AI-driven techniques, leads to unauthorized access. Monitoring for exposed credentials and compromised information outside the network provides early warning before those details are misused. Combined with practical security awareness training and continuous monitoring by experienced security teams, these measures work together to identify issues quickly and contain them before trust is leveraged across an entire organization.
Trust will always be part of how small businesses operate, and it should not disappear. The goal is not to remove trust from everyday work, but to protect it. As impersonation attacks continue to evolve, businesses that combine awareness, layered security, and experienced support are better positioned to respond quickly and limit impact when something goes wrong. With the right approach, trust does not have to be a vulnerability. It can remain a strength, even in a changing threat landscape.
