Today’s most successful attackers aren’t brute-forcing passwords or writing malware. They’re impersonating someone your employees trust.
Rachel Tobac, CEO of SocialProof Security, is one of the world’s most well-known ethical hackers. Fortune 500 companies hire her to break into their systems exactly the way real criminals would—just without the criminal record. And in a recent hacking demo with Trustmi, Tobac let us in on a secret. Nearly every test she runs, she starts the same way: impersonation.
“Attackers in the wild choose specific people to impersonate, focusing on those with existing trusted relationships,” Tobac explains.
Why? Because impersonation works—and because companies that focus only on phishing filters or security awareness training are missing the real battleground: human relationships.

Why Impersonation Attacks Work So Well
1. Cheap and Easy to Launch
Impersonation attacks cost mere pennies on the dollar to execute.
“When you’re doing a phone call-based attack, and changing the caller ID, these spoofing tools are available on the App Store. . . and it costs less than $1 per call,” Tobac says.
With open-source tools, an attacker can falsify caller ID, mimic internal extensions, or even clone voices—without malware or system access. This low barrier to entry makes impersonation fast, frequent, and scalable.
2. Built on Human Trust—Not Tech
Attackers aren’t breaking into systems; they’re posing as people who already have access.
These attacks all hinge on exploiting human emotion and trust. The attackers will identify interpersonal relationships between individuals within the target organization, and then slip in, posing as a trusted party to lower the victim’s guard or create urgency.
They might pretend to be a vendor requesting a payment update, a CFO asking for a wire transfer, or IT “helping” reset a password. It all sounds routine—until it’s not.
In one real case, fraudsters joined a live video call posing as a CFO and finance staff, then instructed a payment to a “verified” account they controlled. The finance team wired $25 million—because they thought they were following orders from the real CFO. “It looked like the CFO, it sounded like the CFO—but it wasn’t,” Tobac says.
3. Bypasses Email Filters and Employee Training
Most companies have invested in phishing training and email security tools. That’s good, but attackers have moved on.
“Bad actors are very much trained on email-based attacks,” Tobac says. “Their email filters catch many attacks. They are aware of text message-based attacks, but when it comes to phone calls, social media, or DMs—those are a lot softer targets.”
A well-crafted voice note, or an urgent AI-written Slack or Teams message, especially one that appears to come from a superior, can sail through without triggering any alarms or skepticism.
4. Supercharged by AI
With the help of generative AI, social engineering has gone from a manually executed and drawn-out attack to an autonomous industry.
“AI has automated that process from A to Z, so now I can do all of that in a tenth of the time . . . I can programmatically have an AI agent.”
Voice cloning, data mining, identity spoofing: AI now does all of it at scale, in a fraction of the time it used to take. The result is that organizations are bombarded with far more attacks, which makes them harder to defend against.
Common Impersonation Attack Misconceptions
“Our email security will catch it.”
Only if your attacker is stuck in 2015.
“Attackers are getting bored of email,” Tobac says. “They’re thinking: how can I get in the middle of a trusted interaction and trick people?”
“We trained our employees.”
Training can’t override urgency and trust.
“If you get a phone call from someone you know, it sounds like them, and they say it’s an emergency—why would you not act?” Tobac notes. “Unless you have a protocol to verify, you’ll probably just do your job.”
Why This Requires a New Kind of Defense
If attackers can bypass email filters, training, and even deepfake detection, what’s left?
Rachel says the key is spotting when something that looks normal . . . isn’t.
“We need to understand: what are the right behaviors? Are people doing them in the right order? Are we verifying our identity before we send the wire transfer?”
That’s where behavioral AI comes in. Unlike phishing filters or training programs, it detects anomalies in real time—before the money moves.
Tobac has seen it stop attacks mid-hack:
“It’s scary as a hacker. . . I just hacked this bank account—I was about to steal everything. And then it’s gone. Because of anomalous behavior detection.”
See Impersonation Attacks in Real Time
If you want to see how impersonation attacks play out live, watch the full webinar with Rachel Tobac — including a live voice clone and deepfake demo.
Then, book a short demo to explore behavioral AI built to detect impersonation before the money moves. Because trust is easy to exploit—and much harder to verify.
