SecurityThreats and vulnerabilitiesIntermediate25 min read

What Is Impersonation? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Impersonation happens when someone fakes their identity to trick a system or a person. This can be done by using a stolen password, spoofing an email address, or pretending to be a trusted employee. The goal is to bypass security controls and gain access to sensitive information. It is a common tactic in phishing, social engineering, and network attacks.

Commonly Confused With

ImpersonationvsMan-in-the-Middle (MITM)

Impersonation is the goal, while MITM is a method. An MITM attacker places themselves between two parties and may also impersonate both sides, but the key difference is that impersonation can occur without intercepting traffic, such as via phone or email. MITM always involves intercepting and potentially modifying communications.

An impersonator calls you pretending to be your boss. This is impersonation but not MITM. An attacker who intercepts your Wi-Fi and modifies the banking website you visit is performing MITM, and they are also impersonating the bank.

ImpersonationvsPhishing

Phishing is a subset of social engineering that uses deceptive messages (usually email) to trick victims into revealing information or clicking links. Impersonation is often a part of phishing, but not all phishing involves impersonation. For example, a phishing email that says 'Your account has been compromised' does not necessarily pretend to be a specific person.

An email from 'security@yourbank.com' asking for your password is phishing. An email that appears to come from your actual boss, with her real name and signature, and asks for a favor, is both phishing and impersonation.

ImpersonationvsSpoofing

Spoofing is the technical act of forging data, such as an IP address, email header, or MAC address. Impersonation is the broader concept of masquerading as someone else. Spoofing is a technique used to achieve impersonation. All spoofing leads to impersonation, but impersonation can also happen without technical spoofing (e.g., using a fake name on the phone).

Faking your caller ID to show 'IRS' is spoofing (technical). Picking up the phone and saying 'Hello, I'm Agent Smith from the IRS' without altering caller ID is still impersonation, but not spoofing.

Must Know for Exams

Impersonation is a recurring topic across many IT certification exams, including CompTIA Security+, CompTIA CySA+, CISSP, CEH, and Microsoft Security certifications. It appears in objectives related to social engineering, authentication attacks, network attacks, and identity management. Exam candidates should be prepared to answer questions about how impersonation works, how to detect it, and how to prevent it.

In CompTIA Security+ (SY0-701), impersonation falls under threats and vulnerabilities, specifically social engineering and network attacks. Questions might present a scenario where an attacker calls the help desk pretending to be a manager. The correct answer often involves verifying identity through a callback or a pre-known code. Another question might show a log where an email from the CEO's address asks for a wire transfer, and the candidate must identify the attack as business email compromise (BEC) or impersonation.

For CEH (Certified Ethical Hacker), impersonation is covered in the reconnaissance and social engineering phases. Candidates must know how tools like SET (Social Engineering Toolkit) are used to craft impersonation attacks. Exam questions might ask about the most effective defense against chairman fraud (a type of impersonation), which is voice verification or dual approval.

In CISSP, impersonation is addressed in domain 2 (Asset Security) and domain 3 (Security Architecture and Engineering). The concept ties to authentication and identity management. Questions may focus on the difference between identification, authentication, and authorization, and how impersonation exploits gaps in these processes. For example, a question might describe a pass-the-ticket attack and ask which control would prevent it, with the answer being Kerberos policies that enforce ticket lifetime and prevent delegation.

Microsoft Security exams (like SC-900 or MS-500) include impersonation in the context of Azure AD identity protection and Microsoft Defender. Candidates should understand how conditional access policies, risk-based sign-ins, and privileged identity management help detect and block impersonation attempts.

In all exams, the pattern is consistent: the test wants you to identify the attack, choose the best defense, and sometimes order the steps of an attack. Multiple-choice questions often include distractor options like brute force or man-in-the-middle, so you must discern which specific attack involves an attacker assuming an identity. The best preparation is to study real-world impersonation examples and practice applying the relevant controls.

Memorizing acronyms like SPF, DKIM, DMARC, and knowing they combat email impersonation is a common exam topic. Similarly, understanding that MFA defeats password-based impersonation is a classic correct answer. Exam questions rarely ask for deep configuration details but frequently test conceptual understanding of why and how impersonation works.

Simple Meaning

Impersonation is like someone wearing a fake uniform to get into a restricted building. Imagine you work at a company and a person shows up in a delivery driver outfit. They knock on the back door claiming to have a package for the CEO. The receptionist lets them in because they look official. Once inside, they walk around freely, maybe even into the server room, and steal confidential files or plant a listening device. In the digital world, impersonation works the same way but with logins, emails, and network traffic. An attacker might send you an email that looks exactly like it came from your boss, asking you to urgently wire money to a vendor. Because the email looks real, you follow the instructions, and the money ends up in the attacker's account. Another example is someone calling your IT help desk, pretending to be a remote employee who forgot their password. They provide enough fake details to convince the technician to reset the password, giving them full access to that employee's account. Impersonation is dangerous because it exploits trust and human error. It bypasses even the strongest technical defenses if a person is fooled. That is why security training often focuses on verifying identity through multiple methods, like calling back a known number or using two-factor authentication. In IT, impersonation is not just about people; it can also be about devices or software pretending to be something they are not. For example, a fake Wi-Fi hotspot might mimic a coffee shop's network, capturing all the data you send while you think you are connected safely.

In simple terms, impersonation is the art of trickery in the digital world. It relies on the fact that systems and people generally trust inputs that match expected patterns. Once that trust is broken, the attacker can move around with the privileges of the person or device they are pretending to be. The key takeaway is that impersonation attacks are successful because the target does not verify identity thoroughly enough. The solution is always to authenticate: make sure the person, email, or device is who they claim to be before granting access or taking action.

Full Technical Definition

Impersonation in IT security refers to the act of assuming the identity of another user, system, or service to bypass authentication mechanisms and gain unauthorized privileges or access. It is a core tactic in many cyber attacks, including phishing, man-in-the-middle (MITM) attacks, session hijacking, and privilege escalation. From a technical perspective, impersonation exploits weaknesses in authentication protocols, trust relationships, and identity verification processes.

One of the most common technical forms of impersonation is email spoofing. This involves forging the 'From' address in an email to make it appear as though it originated from a trusted source. Protocols like SMTP (Simple Mail Transfer Protocol) do not inherently verify sender identities, making spoofing trivially easy without additional protections like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). SPF checks that the sending server's IP is authorized by the domain, DKIM adds a digital signature to the email headers, and DMARC tells the receiving server what to do if SPF or DKIM checks fail. Without these, any attacker can send an email that appears to be from CEO@company.com.

Another technical vector is password-based impersonation. If an attacker obtains a user's password through phishing, keylogging, or a data breach, they can log in as that user. This is why multi-factor authentication (MFA) is critical; even with the password, the attacker cannot complete the second factor like a one-time code from an authenticator app. However, there are also attack variants like MFA fatigue, where the attacker repeatedly sends push notifications until the user accidentally approves.

On the network level, impersonation appears in ARP spoofing and DNS spoofing. In ARP spoofing, the attacker sends forged Address Resolution Protocol messages to associate their MAC address with the IP address of a legitimate device, such as a default gateway. All traffic intended for that gateway is then routed through the attacker's machine, allowing them to intercept, modify, or block data. DNS spoofing (or cache poisoning) involves corrupting a DNS resolver's cache so that a domain name resolves to an attacker-controlled IP address, redirecting users to fake websites where credentials can be harvested.

In more advanced scenarios, impersonation occurs at the application layer through token theft or session hijacking. If an attacker can steal a user's session cookie (for example, via cross-site scripting or a man-in-the-browser attack), they can present that cookie to a web application and the server will treat them as the authenticated user. Similarly, in Kerberos authentication, an attacker can attempt a pass-the-ticket attack by stealing a Kerberos ticket-granting ticket (TGT) and using it to request service tickets for any resource the user has access to.

In directory services like Microsoft Active Directory, impersonation is often associated with administrative privilege escalation. Techniques like Pass-the-Hash allow an attacker to use a hashed password instead of the plaintext password to authenticate to other systems. If an attacker gains access to a domain controller, they can impersonate any user, including domain administrators, by extracting password hashes from the NTDS.dit database.

To defend against impersonation, IT professionals implement strong authentication mechanisms, regular patching, network segmentation, and rigorous identity verification processes. Controls include mutual authentication (where both parties verify each other), digital certificates, time-based one-time passwords (TOTP), and conditional access policies that evaluate device health and location before granting access. Understanding impersonation is fundamental for any IT certification candidate because it underpins many real-world threat scenarios and security controls.

Real-Life Example

Think about a high-security office building where employees use keycards to enter. Now imagine a person named Alex, who is not an employee, wants to get inside. Alex finds a used employee badge on the street that belongs to someone named Sarah. Sarah has long brown hair and a friendly smile, and the badge photo matches Alex's general appearance. Alex walks up to the front door and swipes the badge. The electronic lock reads the badge as valid and opens the door. A security guard glances at Alex's face, sees it loosely matches the photo, and waves them through. That is impersonation in the physical world. Alex is masquerading as Sarah and gaining access to areas where an unauthorized person should not be allowed.

Now map that to the digital world. The badge is like a username and password combination. The electronic lock is the authentication system, such as a login page on a corporate VPN. The security guard is like a secondary check, maybe a simple IP whitelist or a basic firewall rule that does not scrutinize deeply. When Alex swipes the badge, the system sees the legitimate credentials and grants access. The guard might represent a weak security culture where no one challenges an unfamiliar face. In IT, the attacker might use a stolen password to log into a company's email system. The system validates the password and grants access without verifying anything else about the user's current location or device.

In this analogy, the building also has secure rooms like the server room or CEO's office, which require a second keycard scan or a code. Even though Alex got through the front door, they would not be able to access those high-value areas without additional authentication. That is similar to multi-factor authentication in IT. Even if an attacker has the password (the first keycard), they cannot proceed without the second factor (the PIN or biometric). The security measure that stops Alex from accessing the server room is exactly what makes MFA so effective: it prevents impersonation from granting full access. The building might also have cameras that record everyone who enters, which is like audit logs that can trace a compromised account's actions. If Alex's impersonation goes further, those logs become critical for forensic analysis.

This example shows that impersonation exploits the gap between a presented credential and the actual person. The fix is to close that gap with additional verification steps, both technologically and through human vigilance.

Why This Term Matters

Impersonation matters in IT because it is often the first step in a chain of destructive events. A successful impersonation can lead to data breaches, financial loss, legal liability, and permanent damage to an organization's reputation. For IT professionals, understanding impersonation is not just about theory; it directly affects the design and operation of secure systems.

In practice, impersonation attacks are very common. According to industry reports, business email compromise (BEC) attacks, which heavily rely on impersonation, caused billions of dollars in losses annually. IT support desks are frequently targeted. An attacker calls the help desk, impersonates a senior executive, and requests an emergency password reset. If the technician does not follow proper verification procedures, the attacker immediately gains elevated access. This incident shows that technical defenses alone are not enough; people and processes must be hardened too.

For network administrators, impersonation threats like ARP spoofing and DNS spoofing require constant vigilance. They must configure switches with port security and dynamic ARP inspection, and deploy DNSSEC to protect DNS integrity. Without these measures, a single compromised device on the internal network can allow an attacker to impersonate any other device, sniff traffic, and pivot deeper into the infrastructure.

compliance frameworks like PCI DSS, HIPAA, and GDPR explicitly require strong identity verification to prevent impersonation. Failing to prevent impersonation can result in regulatory fines, mandatory breach notifications, and loss of customer trust. IT professionals must be able to implement and audit controls like MFA, certificate-based authentication, and session management to meet these requirements.

In essence, impersonation matters because it is the enabler for almost every other attack. If an attacker cannot impersonate someone with privileges, many attack paths are blocked. Therefore, securing against impersonation should be a top priority in any organization's security strategy. For certification candidates, it is a core topic that ties together authentication, authorization, network security, and human factors.

How It Appears in Exam Questions

In IT certification exams, impersonation appears in several distinct question formats. The most common is the scenario-based question. For example: 'A user receives an email that appears to come from the company's CFO, requesting an urgent wire transfer to a new vendor. The email domain looks correct, but the language is slightly off. What type of attack is this?' The correct answer is impersonation (or business email compromise). The distractor options might include phishing, vishing, or whaling, but the key detail is that the attacker is pretending to be a specific person rather than using a generic lure.

Another frequent format is the defense selection question. Example: 'An organization wants to prevent attackers from impersonating employees via email. Which set of technologies should they implement?' Candidates must choose SPF, DKIM, and DMARC. A variation might ask about preventing caller ID spoofing on phone calls, where the answer would be STIR/SHAKEN (for telecom exams).

Configuration-based questions also appear. For instance: 'You are reviewing Exchange Online settings. Which DNS record must be created to help prevent email impersonation?' The answer is an SPF record (TXT record with ip4: authorized server IP). Or: 'You notice unusual ARP traffic. Which switch feature can prevent ARP spoofing?' The answer is Dynamic ARP Inspection (DAI).

Some exams include troubleshooting questions: 'A company implements MFA, but users still report receiving fake calls from IT asking for their credentials. What is the most likely issue?' The answer is that the training did not cover social engineering, and the technical control (MFA) does not protect against an attacker tricking users over the phone.

In more advanced exams like CISSP, a question might describe a Kerberos environment with a compromised TGT and ask which attack is being performed. The answer is pass-the-ticket, which is a form of impersonation. Another CISSP question: 'What is the primary threat that Kerberos policies protecting ticket lifetimes mitigate?' The answer is impersonation through ticket replay.

Finally, practical exam labs (like in CEH or CompTIA Pentest+) may ask you to simulate an impersonation attack using SET. The question might be: 'Which payload in SET allows you to create a cloned website to capture credentials?' The answer is the credential harvester. Being familiar with these tools and scenarios will help you answer correctly.

Practise Impersonation Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior IT administrator at a mid-sized company. One morning, you get a phone call. The person on the line says, 'Hi, this is David Chen from the finance department. I'm on a business trip and I'm locked out of my email. I need you to reset my password right now because I have to send a critical payment to a vendor before noon.' The caller sounds professional and knows David's full name and department. You feel pressured because the request seems urgent and legitimate.

Now, think about what you do. If you reset the password without verifying the caller's identity, you have just handed over control of David's email to an impersonator. The attacker can now read all of David's emails, send messages as him, and potentially initiate fraudulent wire transfers. This is a classic impersonation attack targeting the IT help desk.

A safe response would be: 'Thank you for reaching out, David. For security purposes, I need to verify your identity first. Could you please provide your employee ID? Also, I will call you back on the phone number we have on file in the HR system.' The attacker likely does not know David's employee ID and cannot answer a callback to David's official work number. By following a verification procedure, you stop the impersonation cold.

This example underscores why help desk impersonation is a top attack vector. Organizations should implement strict identity verification protocols, such as requiring a one-time passcode sent to a registered mobile device, or using a pre-arranged verbal passphrase. It also shows that urgency and authority are emotional triggers that attackers exploit. The scenario is exam-relevant because certifications like Security+ often present similar situations and ask for the best course of action. The correct answer is almost always to verify identity through secondary channels before making any changes.

In a broader context, this scenario mirrors larger impersonation attacks like the 2016 incident where an attacker impersonated a CEO and tricked an employee into transferring over $60 million. That real-world case demonstrates that the same simple attack can have catastrophic consequences if defenses are weak.

Common Mistakes

Confusing impersonation with brute force attacks.

Brute force involves repeatedly trying many passwords until one works, but it does not involve pretending to be a specific user's identity or authority.

Think of impersonation as identity deception. Brute force is a guessing technique, while impersonation is about assuming a false identity to manipulate trust.

Believing that email spoofing is stopped by passwords.

Passwords protect the email account itself, but spoofing fakes the 'From' address in the email headers, which does not require accessing any account.

Use SPF, DKIM, and DMARC records to authenticate email senders. Passwords alone cannot prevent spoofing.

Thinking that MFA makes all impersonation impossible.

MFA prevents password-based impersonation, but it does not stop social engineering attacks where an attacker tricks the user into approving a fake MFA prompt or reveals their credentials.

Combine MFA with user awareness training and policies like 'never approve an MFA prompt you did not initiate.'

Assuming that an internal IP address guarantees a trusted source.

Internal IPs can be spoofed if the network allows IP spoofing. Also, a compromised internal device can initiate impersonation attacks like ARP spoofing.

Implement network-level protections like dynamic ARP inspection, DHCP snooping, and IP source guard to prevent spoofing.

Overlooking the risk of impersonation via phone calls (vishing).

Many IT professionals focus solely on electronic impersonation and forget that attackers can call and use social engineering to gain access.

Enforce verification procedures for all phone-based requests, such as callbacks to known numbers or identity confirmation using a shared secret.

Exam Trap — Don't Get Fooled

{"trap":"A question states: 'An attacker intercepts an unencrypted login session and uses the captured credentials to access a system. This attack is an example of impersonation.' The candidate might think this is correct because captured credentials can be reused."

,"why_learners_choose_it":"Learners confuse credential theft with impersonation. They think that using stolen credentials is a form of impersonation, which technically it is, but the trap is that the question describes a man-in-the-middle (MITM) attack or session hijacking, not impersonation as a distinct attack category.","how_to_avoid_it":"Exams often distinguish between the method (MITM, phishing, etc.

) and the objective (impersonation). If the attack involves stealing credentials in transit, the best answer is usually session hijacking or MITM, not impersonation. Impersonation is the act itself, while the question may ask for the technique.

Read carefully: 'What attack technique is being used?' vs. 'What is the attacker ultimately doing?'

Step-by-Step Breakdown

1

Step 1: Reconnaissance

The attacker gathers information about the target. This may include names of employees, organizational structure, job titles, email addresses, and even personal details from social media. The more real the details, the more convincing the impersonation. For example, the attacker learns that the CFO is on vacation and uses that knowledge to exploit the lack of direct oversight.

2

Step 2: Establish Contact

The attacker reaches out to the victim through a chosen channel, such as email, phone, or in-person. They assume the identity of a trusted individual, often a superior, a colleague, or a service provider. The contact is designed to create urgency or authority to reduce the victim's skepticism.

3

Step 3: Exploit Trust

The attacker uses the established identity to make a request. This could be asking for sensitive information (credentials, account numbers), requesting an action (wire transfer, password reset), or gaining physical access. The victim complies because they believe the request is legitimate and from a trusted source.

4

Step 4: Achieve Unauthorized Access

Using the information or access gained in step 3, the attacker enters a system or obtains data they should not have. For example, if they reset a password, they log in as that user. If they tricked someone into installing malware, they now have remote control.

5

Step 5: Escalate Privileges or Move Laterally

Once inside, the attacker uses the initial foothold to impersonate other accounts or systems to reach higher-value targets. For instance, from a standard user account, they might find password hashes or use token theft to impersonate an administrator. This step often involves techniques like pass-the-hash or token impersonation.

6

Step 6: Execute the Mission

The attacker carries out the final goal, which could be data exfiltration, financial theft, ransomware deployment, or espionage. The impersonation path allows them to remain undetected because their actions appear to come from a legitimate user.

7

Step 7: Cover Tracks

To avoid detection, the attacker may delete logs, use the impersonated user's credentials to disable auditing, or create backdoors. They maintain persistence so they can return under the same assumed identity if needed.

Practical Mini-Lesson

Impersonation is an attack that every IT professional must master because it cuts across all domains of security. In practice, defending against impersonation requires a multi-layered approach that combines technology, policy, and human training.

First, let's talk about technology. The most effective technical control against impersonation is strong authentication. This means moving beyond simple passwords and implementing multi-factor authentication (MFA) wherever possible. MFA ensures that even if an attacker obtains a password, they cannot complete the login without the second factor. However, MFA is not foolproof. Attackers have developed MFA bypass techniques such as MFA fatigue attacks, where they repeatedly send push notifications until the user approves. To mitigate this, organizations should implement number matching in push notifications, require location-based policies, or use hardware tokens. Another important technical control is email authentication. Configuring SPF, DKIM, and DMARC records prevents attackers from spoofing your organization's domain in emails. This is a must for any company that uses email for business communication.

On the network side, dynamic ARP inspection (DAI) and DHCP snooping should be enabled on switches to prevent ARP spoofing. For DNS security, implement DNSSEC to ensure that DNS responses are authentic and not tampered with. Network segmentation also limits the damage: if an attacker impersonates one user, they should not be able to access all systems. Using VLANs, firewalls, and least privilege principles restricts lateral movement.

From a policy perspective, organizations need clear identity verification protocols. For example, the IT help desk should never reset a password without verifying the caller's identity through a secondary channel. Procedures should include callbacks to a known number, asking a challenge question from HR records, or using a mobile app approval system. Similarly, any financial transaction requests via email should require voice confirmation with the requester using a known phone number. These policies are often covered in GDPR and SOX compliance requirements.

Human training is equally critical. Employees at all levels should be trained to recognize impersonation attempts. They should know that urgency is a red flag, that authority can be faked, and that they have the right to verify identity before acting. Simulated phishing exercises can help reinforce these lessons. IT professionals themselves must stay updated on new impersonation techniques, such as deepfake audio used to impersonate executives on the phone.

What can go wrong? If any layer of defense fails, impersonation can succeed. For instance, if email authentication is not configured, an attacker can spoof the CEO's email and trick finance into sending money. If MFA is not enforced, a stolen password from a breach can be used directly. If the help desk policy is lax, an attacker can call in and reset any password. The goal of a security professional is to make impersonation as difficult as possible by layering these defenses. In practice, no single control is adequate; only a combination of technology, policy, and education provides robust protection.

Finally, always consider the principle of least privilege and zero trust architecture. In a zero trust model, every request is verified regardless of its source. This means that even if an attacker successfully impersonates a user, the request is still evaluated for risk and may be blocked if it deviates from normal behavior. This approach is becoming the industry standard and is heavily emphasized in modern certification exams.

Memory Tip

I for Impersonation: 'I pretend to be you.' The letter I also stands for Identity, always verify identity before trusting.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between impersonation and identity theft?

Impersonation is the act of pretending to be someone else to gain a specific advantage, often in a one-time attack. Identity theft is the broader crime of stealing someone's personal information and using it fraudulently over time, often for financial gain. Impersonation can be a component of identity theft.

Can two-factor authentication completely prevent impersonation?

No, two-factor authentication prevents password-based impersonation but does not protect against social engineering attacks where the user is tricked into revealing the second factor or approving a fake MFA prompt. It is a strong defense but not absolute.

How does an attacker impersonate someone on the phone?

Attackers use caller ID spoofing to display a trusted number, or they simply rely on their tone and knowledge of internal information. They may also use voice manipulation or deepfake technology to sound like the person they are impersonating.

What is DMARC and why does it matter for impersonation?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving servers what to do if an email fails SPF or DKIM checks. It matters because it helps prevent email impersonation by blocking spoofed emails from reaching inboxes.

Is impersonation only a human-based attack?

No, impersonation can also involve machines and software. For example, a device can impersonate another device via ARP spoofing, or a fake Wi-Fi access point can impersonate a legitimate network. Technical impersonation does not require a human pretending to be another human.

Should I include impersonation in my penetration testing report?

Yes, if you successfully impersonated a user or system. Penetration testing often includes social engineering scenarios and network spoofing tests. Documenting these findings helps organizations understand their vulnerabilities and prioritize fixes.

Summary

Impersonation is a security attack where an attacker pretends to be a legitimate person, system, or service to gain unauthorized access or commit fraud. It is a fundamental threat that appears across a wide range of IT environments, from corporate networks to cloud services. The attack exploits trust relationships and often leverages social engineering, technical spoofing, or stolen credentials. Defending against impersonation requires a layered approach: technical controls like MFA, email authentication (SPF/DKIM/DMARC), and network protections (DAI, DNSSEC), combined with strong verification policies and ongoing user awareness training.

For IT certification candidates, impersonation is a critical topic. It appears in exam objectives for Security+, CISSP, CEH, and Microsoft security exams. You should be able to identify impersonation in scenarios, understand the appropriate defenses, and recognize common traps like confusing it with MITM or phishing. Remember that impersonation is the *objective* of many attacks, while the *method* may vary. By studying real-world examples and practicing with exam-style questions, you will be well-prepared.

The takeaway is clear: trust but verify. In a world where digital identities are easily faked, never assume that an email sender, a caller, or a device is legitimate just because they look the part. Always authenticate twice. This principle will protect both you and the organizations you serve, and it will help you pass your certification exams with confidence.