When we hear of “impersonation,” we think of the act of deceiving someone by pretending to be another person. In the context of social engineering and cyber security, impersonation has evolved into a dangerous form of cyberattack. Cyber criminals have been using it to gain access to networks and systems to commit fraud and identity theft and sell data to the highest bidder on the dark web.
Criminals known as “pretexters” use the art of impersonation in many ways, playing the role of a trusted individual to deceive their victims and gain access to sensitive information. The practice of “pretexting” is defined as presenting oneself as someone else to manipulate a recipient into providing sensitive data such as passwords, credit card numbers, or other confidential information.
Pretexting is also a common practice for gaining access to restricted systems or services. Impersonators can play many roles during their careers, such as fellow employees, technicians, IT support, auditors or managers. For a successful attack, the impersonator needs to carefully research their target. Impersonation attacks take many forms and can target both individuals and business entities.
Impersonating people online does not immediately classify as a criminal offence. For example, although there are no federal online impersonation laws established yet, nine out of the 50 states in the U.S. have legislation on the subject. In Texas, the act of using the name, online identity or persona of another individual to defraud, harass, intimidate or threaten can be considered a misdemeanor or third-degree felony punishable by a hefty fine, ban on using Internet-capable devices or prison.
Online impersonation does not necessarily lead to fraud. Victims can experience defamation or extreme embarrassment. More and more social media platforms see impersonation as a violation of their terms of service and policy. According to Twitter’s impersonation policy, “accounts that pose as another person, brand, or organization in a confusing or deceptive manner may be permanently suspended.” Facebook says it does not condone this type of behavior in the community and encourages users to report a profile or page that does not comply with their policy.
Email impersonation and vishing (voice phishing)
The act of sending phony emails that appear to come from a reputable source to gain personal information is known as email phishing. To convince recipients that the message is real, attackers can impersonate well-known institutions (public or private) or individuals such as a co-worker or boss.
Companies are a more profitable target for impersonation emails, in crimes such as business email compromise (BEC), CEO fraud and whaling attacks. Attackers use emails carefully tailored to look like they come from business owners, executives or human resources personnel, asking their target to carry out money transfers, pay invoices, or send important data.
In most cases, criminals rely on spoofing the email address and display name. The attacker chooses the name of a high-ranking individual from a business and sets up an email address that closely resembles that person's real one. Impersonators can use publicly available information such as a name from LinkedIn to target people in an organization.
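As an added example (not part of the original article), the following Python checks a single From: header for the three tricks described above: a known executive's display name on a foreign address, an address smuggled into the display name, and a look-alike domain built from homoglyphs or a one-character typo. The organization domain, the executive directory and the sample headers are constructed assumptions.

```python
"""Flag From: headers that impersonate an executive or use a look-alike domain."""
import email.utils

ORG_DOMAIN = "example.com"          # assumption: the organization's real domain
# assumption: a small directory of high-value display names and their real addresses
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# substitutions commonly used to fake a domain: 'examp1e', 'exarnple', 'vvebmail'
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance; a single typo-squatted character gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(raw_from):
    """Return the list of findings for one From: header value (empty = nothing odd)."""
    name, addr = email.utils.parseaddr(raw_from)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # 1. An executive's display name attached to an address that is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr != real:
        findings.append("display-name")
    # 2. An address inside the display name, betting the mail client hides the real one.
    if "@" in name:
        findings.append("embedded-address")
    # 3. A sender domain that is not ours but looks like ours after folding or one edit.
    if domain and domain != ORG_DOMAIN:
        ours, theirs = ORG_DOMAIN.split(".")[0], domain.split(".")[0]
        if normalize(theirs) == normalize(ours) or edit_distance(theirs, ours) <= 1:
            findings.append("lookalike-domain")
    return findings
```

Run it over the From: header of inbound mail at the gateway or in a mail-flow rule; any non-empty result is a reason to hold the message for review rather than deliver it.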
Commonly known as phone scams, vishing is also a popular attack vector among impersonators. The phone call can come from someone pretending to represent a bank, credit card company, debt collector, healthcare provider or pretty much any other service or financial institution.
Tips to protect against impersonation attacks
Fighting online impersonation can be very difficult. Social media platforms and websites are riddled with personally identifiable information, and a threat actor only needs basic access to this information to impersonate you. A name or phone number will sometimes suffice. Constantly monitoring your digital footprint and social media accounts is necessary.
When it comes to email impersonation attacks, awareness is key. Perpetrators can play the role of a friend and send you an email asking you to click on a link, download an attachment or transfer money. If you see an email from a friend that fits the M.O., call your friend and ask if the message is legit. The same goes for emails or phone calls from ‘your bank’ or financial institution that ask you to provide sensitive information over the phone or via a ‘secure link’.
Be suspicious of unsolicited messages and keep in mind that banks will usually ask you to come into a branch to fill out any additional information. Double-check the email address before responding to any request and immediately report or flag the message if it looks suspicious. Email security solutions that block spam or malicious attachments before they reach your computer have become a necessity.
Businesses and employees should always be vigilant and make sure that requests are verified with the appropriate department. The IT department will not call to ask for the username and password of your workstation in order to deliver a patch for your system. Workshops and training employees on email best practices can also help filter out malicious content. If in doubt about the validity of a request, or unsure whether the individual making it is authorized to do so, contact a manager or report the situation to the on-premises security staff.
Both organizations and everyday users rely on a security solution that can protect them from online phishing, fraud and malware attacks.
The ubiquity of social media complicates our ability to control our digital footprint, and our identity. We no longer have the luxury of data privacy. Most online data is now public by default and going private requires much effort.