Addressing Military Impersonation Scams in Compliance with the DoD’s 1st Social Media Policy, DoDI 5400.17

The U.S. Military has a massive footprint on social and digital channels, all of which are ungoverned, unmonitored, and unprotected by the existing security perimeter. 

Romance or Coordinated Cyber Attack?

World events have introduced unique threats and exposed new cyber vulnerabilities that have a significant impact on the military. The extended war between Russia and Ukraine, increasing economic instability, a widening political divide, and an evolving and prolonged pandemic response have all helped to shape the threat landscape of today.

Over the past year, ZeroFox threat analysts noticed a significant uptick in both the number of targets and financial losses due to what the FBI has coined “Confidence/Romance” scams – a type of threat within the broader category of “Disinformation.” These scammers use the military uniform as an emblem of trust to play on human emotions, either to develop a romantic relationship with civilian victims or to lure service members into a relationship using fake dating profiles.

Romance scam impersonations targeting U.S. military service members and their families are growing at an exponential rate:

• Service members (including veterans, active duty, reservists, and their families) filed more than 700,000 reports with FTC’s 2021 Consumer Sentinel Network Data Book since 2018.
• Total losses tallied up to $718.7M, nearly twice the amount reported over a four year period in the 2020 Data Book, and likely just a portion of actual losses given how many incidents go unreported.
• Among broader targets, the Federal Bureau of Investigation’s 2021 IC3 data suggests that 24,299 victims filed reports of more than $956M in losses to “Confidence/Romance” scams, up from $600M loss in 2020. 

From a national security perspective, these statistics should be a wake-up call to the increase in coordinated cyberattacks by threat actors and organized crime groups attempting to diminish confidence in U.S. military operations and personnel and to harm the public.

Impersonators Have Stepped Up Their Game

How can we account for the significant increase in impersonations over the past year? Threat actors have stepped up their game in order to yield a greater return on their scamming investment. New impersonation tactics include:

• Scams have become more sophisticated in how they can be customized, evolving from a romantic relationship to different types of relationships based on what the threat actor is able to establish with the victim.
• Impersonation accounts are being used to perpetrate larger scams such as cryptocurrency or “grant” scams. 
• Impersonators are using more sophisticated technical tools such as elaborate photo-collaging of a victim or Photoshopping images in order to increase the impersonator’s credibility. 
• Threat actors are using more sophisticated communications tools in addition to text messaging and email. We should expect to see the use of more advanced technologies such as voice synthesis and deep fake capabilities.

In many cases, an impersonator’s skill has produced a more believable/credible online profile than the actual service member’s profile. The more detailed a profile is, the more credible it is perceived. Due to the fact that military culture traditionally has discouraged detailed online personas, impersonator profiles often include more details and appear more credible.

More Training, More Policy

Finding skilled personnel with the technical expertise to identify and avert threats online requires different sources of funding and operational considerations than the funding allocated to other standard protective measures. And, while there are clear-cut policies in place for physically protecting a government leader, there is very little direction for identifying and reacting to threats that emanate from the digital sphere.

Fortunately, the Department of Defense just outlined its requirements for establishing external official presence(s) (EOP) and addressing these impersonations in its first-ever social media policy, DoDI 5400.17. Regarding imposter social media accounts, it instructs Public Affairs (PA) and social media managers to report fake or imposter accounts through the social media’s reporting platform. It also advises on how to identify such accounts using common identifiers:

(a) The account is not registered as an official DoD account.

(b) The account has very few photos that were recently uploaded and reflect the same

date range.

(c) The account has very few followers and comments.

(d) The account sends friend requests to individual users on the platform.

(e) The account name and photos do not match.

(f) There are obvious grammatical or spelling errors.

(g) Key information is missing.

To assist further, ZeroFox has provided below specific examples of those identifiers and more. 

Constructing an Impersonation 

The more that individuals can recognize impersonated accounts and the better organizations are at understanding and monitoring a threat actor’s tactics, the better chance it has of reducing that risk organization-wide. What specifically can organizations (and individuals) look for in determining the credibility of an online military persona?

A cursory review of approximately 300 active accounts on Facebook impersonating General Matthew Jones Miller (anonymized for privacy) identified several patterns of activity, to include:

• 1. There are commonly used job titles showing affiliation to the U.S. Military such as “Commander of NATO's Resolute Support Mission and United States Forces – Afghanistan” (Origin: NATO About Us)
• 2. The relationship status is used to enable the romance scam. The most commonly used relationship status is “widowed”.
• 3. They use patriotic sayings as biographical information. The most commonly used biographical statement: “I'm the United States Army general who currently serves as the commander of NATO's Resolute Support Mission and United States Forces – Afghanistan.”
• 4. In a few cases where email ID is provided, it is to a personal email address rather than .mil or .gov.
• 5. Often, there is reposting of potential victims' profiles which allows threat actors to increase engagement on their page.
• 6. They attempt to solicit emotional connection with victims by engaging in topics such as war zones, relationship status (widowed, divorced), etc.
• 7. There is often a pattern in account activity and certain trends of biographical data usage.
• 8. There is almost always a volume increase of impersonations surrounding press coverage of current events.

The retired government official in the example above was ultimately impersonated over 52,000 times – the most impersonations of a single individual tracked by ZeroFox to date. Only 15,000 of those times occurred while the individual was on active duty. 

Steps to Protect Against Military Impersonation Scams

While DoDI 5400.17 is a step in the right direction of establishing policies to address impersonations. The challenge is in determining how agencies will effectively address the magnitude of impersonations using a manual identification and takedown process with a limited number of public affairs personnel dedicated to managing the military’s online personas or EOPs. 

Military personnel and their family members must increase their ability to identify fake personas and increase their vigilance to report fake profiles quickly. Government funding and policy must also evolve in order to keep pace with the technologies used to do harm to military personnel in the digital realm. 

For a further assessment of the increasing threat, download ZeroFox’s recently updated resource, “Impersonation Warfare: Top Military Scams and How to Avoid Getting Caught in the Line of Fire” which details the military threat landscape, why service members are a prime target for romance scams, and what individuals, organizations and policy-makers can do to combat this increasing threat.