Fake Microsoft Teams Profile Cloning Impersonation Scam
Scammers create Microsoft Teams accounts that clone the display name and profile photo of a company executive or IT contact to send fraudulent internal messages requesting urgent payments, data, or credential changes.
Last reviewed: 8 June 2026
Microsoft Teams is a widely used corporate communication tool. Display names and profile pictures in Teams can be set freely, making it straightforward for a scammer who has researched a target organisation to create an account that visually impersonates a CFO, CEO, or IT administrator.
Employees are accustomed to receiving internal messages on Teams and may trust them more than external email. A message appearing to come from the CFO requesting an urgent bank transfer, or from IT requesting a password change before a system migration, can be highly convincing.
Cloned Teams profiles are often used in business email compromise (BEC) style attacks, targeting finance, HR, or executive assistants who have authority to take high-value actions.
How this scam works on the Microsoft brand
An attacker creates a Microsoft personal account or a guest account in a target's tenant using the same display name and a lookalike profile picture as the company's CFO. They send a Teams chat message to the accounts payable coordinator: 'I need you to process an urgent wire transfer today — I'm in meetings all day, please don't call. Here are the bank details.'
The coordinator, seeing the CFO's name and photo in Teams, does not question the message. The transfer is processed to a mule account before the real CFO is aware anything happened.
A credential-theft variant involves fake IT admin accounts messaging employees: 'Our security team has flagged your account — please click here to verify your identity before 5PM or your access will be suspended.' The link leads to a phishing page.
Common red flags
- Verify the account by checking the full UPN (email address) visible in the Teams profile — a cloned account will show an external or generic Microsoft email, not your company domain.
- Internal impersonation messages frequently use urgency and ask you to avoid normal verification channels ('don't call me').
- Unexpected requests for wire transfers, credential changes, or sensitive data via Teams from executives are a major red flag.
- Guest or external accounts in Teams are labelled as 'External' in the chat header — look for this indicator.
- The message arrives outside business hours or references an implausible travel or meeting scenario.
- The request bypasses normal approval workflows — real financial processes always have multi-step verification.
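A security team can automate the display-name and UPN checks from the list above. The sketch below is an added example, not Microsoft's or this page's own tooling: it flags messages whose sender name equals or closely resembles a protected name while the sender's UPN is external or a guest. The record fields, the names and the example.com domains are constructed assumptions.

```python
import difflib
import re
import unicodedata

# Assumptions: your verified domains and the names worth cloning (constructed).
INTERNAL_DOMAINS = {"example.com", "example.onmicrosoft.com"}
PROTECTED_NAMES = ["Jane Doe", "IT Service Desk"]

def normalise(name: str) -> str:
    """Fold case, width and spacing, and drop a trailing (External)/(Guest) tag."""
    name = unicodedata.normalize("NFKC", name).casefold()
    name = re.sub(r"\((external|guest)\)\s*$", "", name)
    return re.sub(r"[^a-z0-9]+", " ", name).strip()

def is_external(upn: str) -> bool:
    """External if the UPN is a guest (#EXT# in the local part) or not our domain."""
    local, _, domain = upn.strip().casefold().rpartition("@")
    return not local or "#ext#" in local or domain not in INTERNAL_DOMAINS

def matched_name(display_name: str, threshold: float = 0.85):
    """Return the protected name this display name equals or closely resembles."""
    candidate = normalise(display_name)
    for protected in PROTECTED_NAMES:
        ratio = difflib.SequenceMatcher(None, candidate, normalise(protected)).ratio()
        if ratio >= threshold:
            return protected
    return None

def flag_impersonation(messages):
    """Return (message id, protected name) for external senders using a protected name."""
    hits = []
    for msg in messages:
        name = matched_name(msg["display_name"])
        if name and is_external(msg["sender_upn"]):
            hits.append((msg["id"], name))
    return hits

# Constructed sample records; the field names are hypothetical.
SAMPLE = [
    {"id": 1, "display_name": "Jane Doe", "sender_upn": "jane.doe@example.com"},
    {"id": 2, "display_name": "Jane Doe", "sender_upn": "jd.finance@outlook.com"},
    {"id": 3, "display_name": "Jane  D0e (External)",
     "sender_upn": "jdoe_gmail.com#EXT#@example.onmicrosoft.com"},
    {"id": 4, "display_name": "Sam Lee", "sender_upn": "sam@partner.example.net"},
]

if __name__ == "__main__":
    for msg_id, name in flag_impersonation(SAMPLE):
        print(f"message {msg_id}: external sender using protected name {name!r}")
```

Message 3 shows why the guest marker matters: its UPN ends in the tenant's own domain, so a domain comparison alone would treat it as internal.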
How to protect yourself
- Always verify unusual financial or credential requests via a second channel (phone call to a known number) before acting.
- Ask your IT team to configure Teams to clearly label external and guest accounts in all chat windows.
- Establish standing policies that financial transfers above a threshold require phone confirmation with the requester.
- Train staff to recognise the 'External' tag in Teams as a signal for extra scrutiny.
- If you processed a fraudulent transfer, contact your bank's wire recall team immediately — time is critical.
How to report it
- Report the cloned Teams account to your IT security or SOC team immediately.
- Report to Microsoft at microsoft.com/en-us/wdsi/support/report-unsafe-site.
- Report financial fraud to the FBI's IC3 at ic3.gov.
- In the UK, report to Action Fraud at actionfraud.police.uk and the NCSC at ncsc.gov.uk.
Frequently asked questions
How can I tell if a Teams message is from a real internal employee?
Click the sender's name to open their profile card and look at the email address listed. An internal employee will have your company's domain in their email. An external or guest account will show an external address or be labelled 'External.'
Can my company prevent external accounts from messaging employees on Teams?
Yes. Microsoft Teams administrators can restrict external access and configure policies that require approval before an external user can initiate contact with internal staff. Your IT team can configure this in the Teams admin centre.
We lost money to a fake Teams wire transfer request — is recovery possible?
Contact your bank's fraud team immediately to attempt a wire recall. File a report with the FBI IC3 and local law enforcement. Speed is critical — wire recalls are most successful within hours of the transfer.