Impersonation

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

Example Scenarios:

• A subject uses a Flipper Zero device to clone the 125kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
• A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
• The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
• A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.

The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.

Common methods include:

• Using AI-generated (GAN-based) profile photos that cannot be reverse-image searched.
• Employing real-time deepfake tools during video interviews to alter facial appearance or impersonate another individual.
• Substituting a more technically skilled individual to complete a remote hiring assessment or interview under a fabricated identity.
• Presenting credentials or documentation (e.g., CVs, diplomas, certifications) created using forgery tools or generative AI.

This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.

Example Scenarios:

• A subject uses a synthetic LinkedIn profile with AI-generated imagery and falsified work history to apply for a remote DevOps role. During the live video interview, they use a deepfake overlay to match their fabricated profile photo.
• A technically skilled individual conducts a coding interview using a deepfake of another person, allowing a less qualified "puppet" to be hired under false credentials. The qualified subject later assists or directs actions remotely.
• A malicious actor obtains employment under an assumed identity to infiltrate a target organization on behalf of a third party, using synthetic documents and deepfake liveness checks to pass onboarding.

The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.

Impersonation in this context can be achieved through:

• Lookalike email addresses (e.g., spoofed domains or typo squatting).
• Cloned display names in collaboration tools.
• Shared calendar invites or chats initiated under false authority.
• Use of compromised or unused accounts from real employees, contractors, or vendors.

The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.

Example Scenarios:

• A subject registers a secondary internal email alias (john.smyth@corp-secure.com) closely resembling a senior executive and uses it to request financial data from junior employees.
• A subject joins a sensitive Slack channel using a display name that mimics another department member and quietly monitors ongoing discussions related to mergers and acquisitions activity.
• A compromised service account is used by an insider to initiate SharePoint document shares with external parties, appearing as a legitimate internal action.
• The subject impersonates an IT support contact via Teams or email to socially engineer MFA tokens or password resets.

The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.

Common methods include:

• Wearing uniforms or branded clothing associated with the target organization or a trusted third party.
• Mimicking attire patterns of specific departments (e.g., IT, facilities, catering).
• Carrying props such as tools, ID lanyards, or delivery equipment to reinforce the impersonated role.

Example Scenarios:

• A subject dresses in a facilities maintenance uniform to gain access to server rooms under the pretense of conducting HVAC repairs, with no scheduled work order.
• An insider recruits an accomplice who dresses as a delivery driver to stage equipment drops and tailgate into a secure loading dock.
• During an internal staff shift, the subject wears a borrowed lanyard and IT polo shirt to move through restricted floors without being challenged.
• A former contractor retains high-visibility branded clothing and uses it months later to re-enter a secure building undetected.

The subject deliberately impersonates a member of the organization—typically a colleague, manager, or IT representative—or otherwise misrepresents themselves in order to manipulate service desk staff into resetting a password, unlocking an account, or granting access to a system. These requests are framed to appear legitimate and urgent, often exploiting common support workflows or pressure tactics (e.g., deadline stress, executive impersonation).

This behavior is especially dangerous because it abuses internal trust pathways and bypasses traditional authentication, detection, or technical controls. It can occur via phone, email, chat, or in-person interaction and is frequently used in preparation for unauthorized data access, surveillance, or exfiltration.