Tactic or Technique: Impersonation: VIP

VIP impersonation is a tactic where attackers pretend to be an executive or senior leader at your company to pressure you into acting quickly. These messages are designed to feel urgent and important, often asking for wire transfers, sensitive documents, or immediate help without following the usual process.
To pull this off, attackers use display name spoofing, fake domains that look nearly identical to your company’s, or freemail accounts that match the executive’s name. The message might look like it’s from your CEO or CFO and may reference real company details to make it feel more authentic.
These attacks work by taking advantage of authority and urgency. You’re more likely to act fast when you think a leader is asking.Responding can lead to real damage, including financial loss, data leaks, and reputation damage.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Unmasking BEC attacks using Natural Language Understanding + MQL · Blog · Sublime Security
Unmasking BEC attacks using Natural Language Understanding + MQL · Blog · Sublime Security
Attack Types (3):
BEC/Fraud
Credential Phishing
Callback Phishing
Detection Methods (8):
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
HTML analysis
File analysis
URL analysis
Whois
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
VIP impersonation with charitable donation fraud
3h ago
Nov 12th, 2025
Sublime Security
BEC/Fraud
Impersonation: Employee
Impersonation: VIP
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-charitable-donation-fraud-35a56b8e
Suspicious request for financial information
1mo ago
Oct 6th, 2025
Sublime Security
BEC/Fraud
Free email provider
Impersonation: Employee
Impersonation: VIP
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/suspicious-request-for-financial-information-4ebdaa4d
VIP / Executive impersonation (strict match, untrusted)
1mo ago
Sep 29th, 2025
Sublime Security
BEC/Fraud
Impersonation: VIP
Header analysis
Sender analysis
/feeds/core/detection-rules/vip-executive-impersonation-strict-match-untrusted-e42c84b7
Service abuse: Trello board invitation with VIP impersonation
1mo ago
Sep 17th, 2025
Sublime Security
Credential Phishing
Impersonation: VIP
Social engineering
Content analysis
Header analysis
HTML analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b
Service Abuse: Box file sharing with credential phishing intent
2mo ago
Sep 4th, 2025
Sublime Security
Credential Phishing
BEC/Fraud
Callback Phishing
Evasion
Social engineering
Impersonation: Employee
Impersonation: VIP
Content analysis
Natural Language Understanding
Sender analysis
Header analysis
/feeds/core/detection-rules/service-abuse-box-file-sharing-with-credential-phishing-intent-5bd0cb25
VIP / Executive impersonation in subject (untrusted)
2mo ago
Aug 14th, 2025
Sublime Security
BEC/Fraud
Impersonation: VIP
Header analysis
Sender analysis
/feeds/core/detection-rules/vip-executive-impersonation-in-subject-untrusted-0a641fe5
VIP local_part impersonation from unsolicited sender
3mo ago
Aug 12th, 2025
Sublime Security
Impersonation: VIP
Spoofing
Header analysis
Sender analysis
/feeds/core/detection-rules/vip-localpart-impersonation-from-unsolicited-sender-74035fdc
Google share notification with suspicious comments
3mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
Impersonation: VIP
Free file host
HTML analysis
Header analysis
Sender analysis
Content analysis
/feeds/core/detection-rules/google-share-notification-with-suspicious-comments-c69c9924
VIP impersonation with BEC language (near match, untrusted sender)
3mo ago
Jul 16th, 2025
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-bec-language-near-match-untrusted-sender-303081da
VIP impersonation with urgent request (strict match, untrusted sender)
3mo ago
Jul 16th, 2025
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-urgent-request-strict-match-untrusted-sender-0dd1fa60
Suspicious attachment with unscannable Cloudflare link
3mo ago
Jul 16th, 2025
Sublime Security
Credential Phishing
Evasion
PDF
Social engineering
Impersonation: Employee
Impersonation: VIP
File analysis
URL analysis
Sender analysis
Content analysis
Header analysis
Natural Language Understanding
/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
VIP impersonation: Fake thread with display name match, email mismatch
1y ago
Jul 29th, 2024
Sublime Security
BEC/Fraud
Evasion
Impersonation: VIP
Social engineering
Spoofing
Content analysis
Header analysis
Sender analysis
Whois
/feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28
VIP impersonation with invoicing request
1y ago
Apr 23rd, 2024
Sublime Security
BEC/Fraud
Impersonation: VIP
Content analysis
Header analysis
Natural Language Understanding
/feeds/core/detection-rules/vip-impersonation-with-invoicing-request-a60f89a0