Impersonation is the act of pretending to be someone you are not. Many of the most effective social engineering attacks, especially phishing, usually include impersonation as a component. In that sense, impersonation is an element of an attack, rather than an attack itself.

Impersonation often relies on situations where a target cannot sufficiently establish the attacker's identity. A common example of impersonation is when an attacker pretends to be a help desk worker and calls an employee, asking them for their password so that they can reset an accounts database. If the target isn't familiar with the help desk employees or the phone number that they use, then they might not be suspicious of the request.

Impersonation can also be more effective in face-to-face interactions. Most people want to avoid appearing rude or dismissive when they're talking with another human being directly. So, they may be less likely to question the impostor than if they had been contacted through email or on the phone. Of course, face-to-face impersonation will only work if the target doesn't know what the impersonated individual looks like, or doesn't know them well enough to be suspicious of their appearance.