What is brand impersonation?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email from PayPal about a suspicious login. The logo looks right, the colors match, even the sender name says "PayPal Security". But it's not actually PayPal. That's brand impersonation, when attackers fake a trusted company's visual identity to trick you into acting.
They copy everything that makes a brand recognizable: logos, color schemes, layouts, tone of voice, even the phrasing in support emails. The goal is to bypass your mental spam filter by looking exactly like something you'd expect to receive. Brand impersonation emails usually ask you to click a link (leading to a fake login page), download an attachment (malware), or reply with sensitive information.
The attack works because most people skim emails quickly. If the visual cues match what you'd expect from your bank, your health insurance, or your company's IT department, you're less likely to pause and check the actual sender address.
Common targets for impersonation: financial services (banks, PayPal, Stripe), shipping companies (FedEx, UPS, DHL), tech companies (Microsoft, Google, Apple), government agencies (IRS, USPS), and internal company brands (your own IT or HR department). Attackers pick brands with large user bases so the odds of hitting someone who actually uses that service are higher.
Brand impersonation overlaps with spear phishing when attackers research specific targets and craft personalized fake emails from brands those targets trust. A generic fake PayPal email sent to millions is brand impersonation. A fake DocuSign request sent specifically to your CFO pretending to be from your law firm is spear phishing with brand impersonation layered in.
How to defend against it as a sender (protecting YOUR brand from being impersonated): DMARC is the main defense. It tells mailboxes what to do with emails claiming to be from your domain that fail authentication checks. Set your DMARC policy to "quarantine" or "reject" and attackers can't successfully spoof your exact domain. BIMI (Brand Indicators for Message Identification) takes it further by displaying your verified logo next to emails that pass DMARC, making real emails easier to recognize and fakes easier to spot.
As a recipient, the tell is always in the sender address. Hover over the sender name before you click anything. "security@paypa1.com" (with a number 1 instead of the letter L) or "paypal-security@notifications-service.com" are not PayPal. Legitimate companies don't send urgent security alerts from random subdomains or lookalike domains.
So if your brand gets impersonated often, you're not alone. It means attackers think your customers are worth targeting. Start with a strict DMARC policy, monitor your DMARC reports to see who's trying to spoof you, and consider BIMI if you want your logo to show up as a visual trust signal. Worth checking your current DMARC setup with our free DMARC parser, or just ask us if you're not sure where to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.