Digital adversaries employ a myriad of cyber attacks to steal valuable proprietary and sensitive data from target organizations and businesses. But, few attacks are as potentially damaging as an impersonation attack.
Impersonation attacks can feel more invasive than other kinds of cyber attacks because they rely on your personal relationships – be they with a person or a brand– to callously steal money or fraudulently gain access to sensitive data.
In this post, we’ve got a few tips and tricks that can help protect your organization against impersonation attacks. We’ll provide an overview of impersonation attacks, highlight three impersonation attack examples you should know, and share strategies for detecting and preventing impersonation attacks against your organization.
What is an Impersonation Attack?
An impersonation attack is when a digital adversary fraudulently poses as a trusted associate of the target – often as a friend, work colleague, or an executive leader at the target’s company – in hopes of convincing the target to divulge sensitive information or to execute a fraudulent financial transaction.
Impersonation attacks can be executed over virtually any communication medium, including social media, email, telephone, voicemail, and even SMS text messaging. Impersonation attacks also include brand impersonation scams that leverage fraudulent digital infrastructure (like spoofed domains, fake social media accounts, or fake mobile apps) to mislead targets.
As organizations expand their digital presence and adopt a growing number of social, communication, and business collaboration applications, digital adversaries are continually finding new ways to infiltrate and defraud target organizations with impersonation attacks.
How Do Impersonation Attacks Work?
When they are successful, impersonation attacks can be extremely dangerous for the targeted organization. This is especially true when a digital adversary can successfully assume the identity of a top executive – even if it’s just for a handful of interactions.
There are several different kinds of impersonation attacks, each with their own unique characteristics and attack vectors. However, we can summarize the basic steps of an impersonation attack as follows:
- Victim Targeting and Research
Impersonation attacks usually target a specific company, with digital threat actors choosing to either impersonate an executive/employee of a specific enterprise, or to fraudulently replicate its digital infrastructure. To successfully execute the ruse, threat actors begin each impersonation attack with careful research and victim selection. The most highly targeted enterprises are those with valuable data assets and comparatively underdeveloped IT security infrastructure.
- Preparing Fake and Fraudulent Assets
Once a threat actor has selected a target and attack vector, the next step is to prepare fake and fraudulent assets to support the attack. These assets may include things like a spoofed domain, spoofed email addresses, fake social media accounts, a spoofed phone number, or a fraudulent mobile application. Threat actors take special care in this step to convincingly replicate the original asset in a way that can deceive employees or customers of the target enterprise.
- Deploying the Attack
After preparing the chosen fraudulent assets, the digital adversary will deploy those assets online and initiate communication with targets in an attempt to commit fraud. The attacker might use email, social media, or another communication channel to divert targets away from legitimate sources to a spoofed web page or fraudulent app download.
When the target interacts with malicious infrastructure, their data may be stolen or spyware may be installed on their machine and used to steal their access credentials for secure systems.
3 Impersonation Attack Examples You Should Know
Now that we’ve discussed the basic process, let’s take a look at three kinds of impersonation attacks you should know: spoofed domain attacks, fake social media accounts, and fraudulent mobile apps. These three attacks leverage content and digital assets from legitimate webpages, social media accounts, and apps to trick victims and steal private or personal information.
- The Spoofed Domain
Domain spoofing is a type of impersonation attack where a digital adversary purchases a domain name similar to that of his/her target, then uses it to host a replica of the target’s website. Cyber criminals can use any of several techniques to spoof the domain name, including domain masking, registering look-alike domains, typosquatting, or leveraging a URL shortener tool to hide the real domain name.
A spoofed domain impersonates the target organization’s website, but when victims of the scam interact with the page, they’re really sending their data to cyber criminals.
- The Fake Social Media Account
Fake social media accounts are an increasingly popular strategy for impersonating a variety of targets. In just a few minutes, a digital threat actor can set up a fraudulent account to impersonate a high-level executive within a successful business or financial institution. Once configured, a fake social media account can be used to execute phishing attacks, steal sensitive data, or manipulate victims into disclosing their access credentials for secure systems. This can damage the executive’s (and company’s) credibility and cause ongoing reputational damage.
- The Fraudulent App
Mobile apps are one of the main ways that customers interact with brands, especially those that require specific login information (like banks). Bad actors are counting on a lack of regulation, or slow regulation, of online app stores and often create lookalike apps to dupe victims. For example, digital adversaries often target the financial services industry by creating fake mobile applications that resemble the genuine apps of known financial services providers. These apps are typically marketed in poorly regulated app stores.
When a target downloads the fraudulent app and tries to log in with their secure access credentials, they’re really submitting those details to cyber criminals who will use them to steal money from the unsuspecting victim.
4 Ways to Detect an Impersonation Attack
When it comes to defending your organization from impersonation attacks, there are two important strategies: detection and prevention.
Detection is all about recognizing an impersonation attack on progress. Both humans and AI-driven software can be trained to detect an impersonation attack. Below, we highlight five strategies that enterprise organizations can use to detect impersonation attacks before they damage the business:
- Conduct Periodic Team Training Sessions on Social Engineering Techniques
Social engineering involves the use of deception to manipulate a target victim into divulging sensitive data, sending a fraudulent payment, or revealing their access credentials for a targeted database. Social engineering exploits human nature, using techniques like pretexting, false urgency, and authority to deceive victims into performing the desired actions.
Training employees to recognize the most common social engineering techniques used by hackers and scammers can empower them to detect impersonation attacks and avoid falling victim. For example, phishing training and tests, which we will dive into later in the post, can teach your team members to use caution when opening emails or texts.
- Double-check Sender Email Addresses and URLs
Another way to detect impersonation attacks is by double-checking the sender’s email address when a suspicious email is received.. Before responding to any sensitive request, employees should verify the identity of the sender by ensuring that their email address matches the email address on file for that contact.
Digital adversaries can sometimes create spoofed domains with URLs that look exactly like the real website. Employees should be aware that the safest way to access a known website is by typing it directly into the address bar of your web browser – not by clicking through an email link. Always double check the destination URL before clicking on an embedded link, and as a best practice, if you’re concerned you should report this email to your company’s internal IT department to vet whether it is safe or not.
- Automate Detection of Email Impersonation Attacks
Enterprises can implement software tools to scan emails as they arrive in company inboxes and automatically detect potential impersonation attacks. AI-driven software can verify the sender by cross-referencing the sender’s email address with your company’s internal address book, or detect an impersonation attack by comparing the email contents with known phishing or spear phishing scripts.
The ability to monitor incoming emails for possible impersonation attacks is a key component of proactive threat intelligence for modern organizations.
- Monitor the Public Attack Surface
The public attack surface includes all publicly available digital platforms that your organization uses to connect with customers. This includes social media, websites, business collaboration apps, email, mobile app stores, and more. These are all part of what is called the “Gray Space” which are online places where businesses and customers interact but are not owned by either party.
Traditional security tools like antivirus and IDS can be effective at detecting threats within your network, but they aren’t designed to detect external threats that originate across the public attack surface. That’s where an external cybersecurity strategy comes in.
Modern SecOps teams can leverage AI-driven software solutions to monitor the public attack surface at scale and detect fake social media accounts, spoofed websites, and other fraudulent infrastructure created by digital adversaries to carry out impersonation attacks.
5 Strategies for Preventing a Successful Impersonation Attack
The strategies we described above can help your organization recognize impersonation attacks as they’re happening, which is a great start.
The next step is developing capabilities to shut down an attack in progress and proactively safeguard your organization, employees, and customers against impersonation attacks. To help you get started, we’re sharing five strategies that can shore up your organization’s defenses against impersonation attacks.
- Deploy a Dual Control Payment System
A common strategy for digital adversaries is to request a fraudulent transfer of funds from an organization’s accounting department while impersonating a CEO or business executive from the company. Organizations can strengthen their defenses against this type of attack by implementing a dual control payment system.
A dual control payment system separates the responsibility for initiating and approving outgoing payments across two separate job roles, ensuring that no single person has full control of the payment system. The person responsible for approving a payment may also be required to perform some due diligence, such as independently verifying the authenticity of the invoice.
Having more than one employee involved in payment processing makes it more difficult for a scammer to successfully steal money.
- Implement Multi-Factor Authentication
Implementing multi-factor authentication means that users will need to verify their identity more than once before accessing a secure system or database. For example, two-factor authentication requires the user to receive a special code by email or text message and enter this code after providing their username and password. Biometrics and hardware tokens, like finger print scanners, are even more personalized and effective modes of user authentication.
Enabling multi-factor authentication makes it more challenging for digital adversaries to obtain unauthorized access to your data. You’ll be able to detect when a digital adversary tries to login with your stolen user credentials, but fails because they can’t complete the next authentication step.
- Perform Regular Phishing Tests
In a phishing test, SecOps teams send fake emails to employees in other departments, encouraging them to click on a link or download a file. These emails aren’t harmful, but they’re meant to mimic the attack pattern of a real phishing email that could potentially contain malicious links or downloads.
When an employee fails the test (by clicking the link or downloading the file instead of reporting the suspicious email to IT), they may be flagged for additional cybersecurity training that will prepare them to better detect suspicious emails in the future.
An added benefit of phishing tests is that they empower your employees to stay on high alert for potential phishing and impersonation emails that could hit their inbox at any time.
- Alert Employees of Impersonation Attacks in Real Time
Enterprise SecOps can use AI-driven software tools to monitor employee inboxes for impersonating emails and generate alerts in real-time. Email protection of this kind covers more than just impersonation attacks – it can also safeguard against business email compromise (BEC) and phishing attacks that threaten the security of your organization.
Automated detection and real-time alerting on suspicious emails makes it easy for employees of your business to identify and report these malicious communications without falling victim to an impersonation scam. Further, if one of these attack attempts is detected, the information should be broadly shared with your team members and employees to help them avoid the potential danger and be on alert for similar activities.
- Proactively Take Down Fraudulent Infrastructure
The best way to prevent digital adversaries from targeting your business with impersonation attacks is to proactively take down fraudulent infrastructure. But, without the right tools that’s easier said than done.
Removing fraudulent infrastructure can be time-consuming and generally requires direct and timely communication with domain hosting providers or social media compliance teams. You’d need to not only locate the impersonations but report them and submit a takedown request to the social media platform and/or email host, which humans then need to continually follow up on until the action is complete. To expedite the process, enterprise SecOps teams can partner with vendors like ZeroFox for digital risk protection capabilities, including automated takedowns-as-a-service.
When successful, a proactive take-down eliminates a spoofed domain, fraudulent mobile application, or fake social media account – before it can be used to launch impersonation attacks against your employees and customers.
Protect Your Company from Impersonation Attacks with ZeroFox
ZeroFox provides enterprises protection, intelligence, and disruption to detect and prevent impersonation attacks from across the public attack surface.
With ZeroFox, enterprise SecOps teams can automatically detect and alert on suspicious emails, as well as Slack and Zoom messages that contain impersonation attempts and other forms of malicious content.
ZeroFox leverages an AI-driven analysis engine to monitor the public attack surface at scale, detecting and remediating spoofed domains, fake social media accounts, and fraudulent apps to safeguard your organization against impersonation attacks.
Ready to learn more?