At Social-Engineer, we define impersonation as “the practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.”
In today’s digitally driven world, impersonation scams have become a growing concern, leaving countless individuals and organizations vulnerable to financial loss, identity theft, and reputational damage. Impersonation scams are deceptive tactics used by cybercriminals to pose as trusted entities or individuals to exploit victims. This blog will delve into the various types of impersonation scams, shed light on their insidious nature, and provide practical tips on how to protect yourself from falling prey to them.
Types of Impersonation Scams
Impersonation scams come in various forms, each designed to trick unsuspecting targets into divulging sensitive information or parting with their hard-earned money. Here are some common types:
1. Phishing Emails
What They Look Like:
These emails appear to come from legitimate sources, such as banks, social media platforms, or government agencies, requesting personal information like passwords or financial details. They may contain links to websites or login portals that mimic the real source, however they are designed to fool unsuspecting victims. They may also have attachments that contain malware.
Information They Try to Get:
Cybercriminals may aim to steal login credentials, credit card numbers, or personal identification information. The links they attach in the email may take the victim to a webpage that infects their system with malware.
How to Spot Them:
Phishing emails could contain spelling and grammatical errors. They could also have generic greetings, along with suspicious email addresses or links that have odd characters in them. They may contain artificial time constraints that evoke a sense of urgency or use fake social proof to give off the impression that “others” have participated and benefited.
2. CEO Fraud or Business Email Compromise (BEC)
What They Look Like:
Scammers impersonate high-ranking executives within a company to trick employees into making financial transactions or revealing confidential information. These emails can present a fake sense of authority that can very easily pressure an individual to take actions they normally wouldn’t. In some cases, an actual high-ranking employee’s account may have been compromised already. An attacker could then use the account to make out-of-the-ordinary requests from other staff members.
Information They Try to Get:
Cybercriminals may seek financial gains by convincing employees to transfer money or provide sensitive corporate data.
How to Spot Them:
Look for subtle changes in email addresses or domain names, unusual requests for wire transfers or sensitive data, and inconsistent communication style. It may also be an email coming from a legitimate internal source…however a bad actor may have compromised the account.
3. Tech Support Scams
What They Look Like:
Impersonators pose as tech support agents from reputable companies and request access to your computer, claiming to fix non-existent problems. They may even be impersonating internal tech support at your work, claiming they need to fix problems on your workstation.
Information They Try to Get:
These impersonators may aim to install malware, steal personal data, or extort money for alleged technical services.
How to Spot Them:
Be cautious of unsolicited calls or pop-up messages claiming technical issues on your device. Of course, there are legitimate system notifications we may get on our machines when problems do arise. However, illegitimate notifications or pop-ups typically pressure the user to call a number for “assistance.” They may also request the input of sensitive information. Remaining vigilant is the key here.
4. Social Media Impersonation
What They Look Like:
Scammers mimic the profiles of friends or acquaintances to solicit personal information or engage in fraudulent activities. They may attempt to evoke an emotional response, claiming that they are under difficult circumstances or that they require your assistance.
Information They Try to Get:
Cybercriminals may attempt to gather personal data, gain access to accounts, or spread malware. They may attempt to gain monetary “assistance” from relatives of the person they are impersonating.
How to Spot Them:
Check for fake profiles with limited activity, few connections, and suspicious content. Be wary of unsolicited messages from followers requesting personal information, especially if you rarely interact with these individuals.
The Best Defense
Protecting yourself from impersonation scams is crucial in today’s interconnected world. Here are some practical tips to safeguard against these threats both in the workplace and everyday life:
- Verify the Source: Always verify the identity of the person or organization requesting sensitive information. Contact them through trusted channels to confirm the request’s legitimacy. Simply using a different channel than the one you were reached through may also be effective.
- Exercise Caution with Emails: Be cautious when receiving unsolicited emails, especially those requesting personal information or financial transactions. Double-check the sender’s address for spelling errors, strange characters, or unrelated domains. Scrutinize email content for inconsistencies such as unofficial watermarks, mismatched sender, and signature names, etc.
- Educate Yourself: Stay informed about the latest impersonation scams and tactics. Awareness is a powerful tool in recognizing and avoiding these threats.
- Use Strong Passwords: Create strong, unique passwords for your online accounts and enable multi-factor authentication whenever possible to add an extra layer of security.
- Implement Security Software: Install reputable antivirus and anti-malware software on your devices and keep them updated regularly.
- Train Employees: In a corporate setting, provide cybersecurity training for employees to recognize and report impersonation attempts, especially BEC scams. The training should also involve testing the company’s population regularly to ensure that the education sticks. This provides a cyber-security conscious environment amongst all staff.
- Report Suspicious Activity: If you suspect an impersonation scam, report it to the relevant authorities, such as the Federal Trade Commission (FTC) in the United States, or your local law enforcement agency. In a corporate setting, immediately report suspicious activity to your security team.
The Takeaway
Impersonation scams are not merely nuisances; they pose significant risks to individuals and organizations alike. Ignoring or underestimating these threats can result in financial losses, reputational damage, and personal hardship. By understanding the various types of impersonation scams, learning to spot them, and implementing robust security measures, you can protect yourself and your loved ones from falling victim to these dangerous schemes. Always remember that vigilance and education are your best defenses against impersonation scams and taking them seriously is paramount in our digitally connected world.
Written by:
Josten Peña
Human Risk Analyst at Social-Engineer, LLC