Impersonation Attacks
What Is an Impersonation Attack?
An impersonation attack is a type of cyber attack where an attacker pretends to be a trusted individual or organization to trick their target into divulging sensitive information, performing unauthorized actions, or gaining access to restricted systems.
Attackers typically impersonate someone the victim already trusts, either by compromising that person's real account or simply by creating a lookalike copy of it.
They then social engineer their victims into performing tasks that are routine but sensitive, such as transferring funds, clicking a link, or sharing data.
Types of Impersonation Attacks
- Business Email Compromise (BEC): Attackers impersonate a company executive or trusted vendor to request fraudulent wire transfers or access to confidential information.
- CEO Fraud: A specific type of BEC where attackers impersonate the CEO or other high-ranking officials to authorize financial transactions or sensitive data sharing.
- Technical Support Scams: Attackers pose as technical support personnel to gain access to a victim’s computer or network under the guise of fixing a non-existent problem.
- Whaling: A form of phishing targeting high-profile individuals like executives, aiming for larger rewards.
- Spear Phishing: Highly targeted phishing attacks directed at specific individuals or organizations, often involving personalized messages to increase the likelihood of success.
How Do Impersonation Attacks Work?
While there are several types of impersonation attacks, they all tend to share the following steps:
- Reconnaissance: Attackers gather details on the target’s communication patterns via social media or other sources.
- Establishing Credibility: They create a pretext to establish credibility, often using spoofed emails or phone numbers.
- Execution: Contact is initiated with the victim, usually via email, phone, or social media, to perform social engineering.
- Request for Action: Attackers then ask the target to transfer funds, share sensitive data, or click on a malicious link.
- Exploitation and Consequences: Once the victim complies, the impact typically takes one or more of the following forms:
  - Financial Loss: Funds are fraudulently transferred or data is compromised.
  - Data Breach: Sensitive information can be exfiltrated for identity theft or sold on the dark web.
  - Operational Disruption: Attacks disrupt business, damage reputation, and risk regulatory penalties.
Examples of Impersonation Attacks
- Google and Facebook Spear Phishing (2013-2015): Lithuanian national Evaldas Rimasauskas orchestrated a BEC scheme that tricked Google and Facebook into wiring over $100 million to bank accounts he controlled. He registered a company with a name identical to that of a legitimate Asian-based hardware manufacturer and sent phishing emails that appeared to come from that company, directing payments to his accounts.
- Merseyrail Cyberattack by LockBit Ransomware (2021): In April 2021, the LockBit ransomware gang targeted the UK rail network Merseyrail. The attackers took control of the Director’s email account and impersonated him to email employees and journalists about the ransomware attack. The email leaked employees’ personal data and tried to downplay the attack.
- $60 million lost to CEO Impersonation Fraud (2016): FACC, an Austrian aeronautics company, fell victim to a BEC scam in 2016. A Chinese national gained unauthorized access to the company’s email server and studied the CEO’s writing habits and quirks to make their phishing messages look legitimate. The attacker then impersonated the executive and sent emails instructing employees to transfer large sums of money to foreign bank accounts. After the attack, FACC fired their CEO and CFO and sued them for $10 million for not doing enough to prevent the attack.
How To Prevent Impersonation Attacks
- Employee Awareness and Training: Regularly train employees to recognize phishing attempts, suspicious emails, and other social engineering tactics.
- Email Security: Implement the email authentication methods DMARC, SPF, and DKIM so that messages spoofing your domain can be rejected, and use email filters to detect and block phishing emails.
- Multi-Factor Authentication (MFA): To add an extra layer of security, require MFA for accessing sensitive accounts and systems.
- Verification Protocols: Establish protocols for verifying the legitimacy of requests, especially those involving financial transactions or sensitive information. This can include callback verification or in-person confirmation.
- Monitoring and Alerts: Use monitoring tools to detect unusual activities and set up alerts for potential security breaches.
- Secure Communication Channels: Ensure secure communication channels for sensitive information, avoiding the use of unsecured email for critical transactions.
- Regular Updates and Patching: Keep all software and systems updated to protect against vulnerabilities that attackers might exploit.
- Data Breach Monitoring: Implement data breach monitoring to get alerted when your employees’, customers’, or vendors’ credentials have been compromised and are being leaked or sold on the dark web. Early detection enables your security team to reset the credentials and prevent further exploitation.
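As an added illustration (not code from the original article), the following Python sketch shows how a receiving mail system applies the DMARC alignment check behind the Email Security item above, and why that check is not sufficient on its own: the constructed sample passes SPF and DKIM for the sender's own lookalike domain, so it is the display-name and lookalike-domain checks that surface the impersonation. The PROTECTED list, the SAMPLE headers and the simplified organizational-domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: executives an attacker would most want to impersonate, mapped to
# the domain their legitimate mail comes from.
PROTECTED = {"jane doe": "example.com"}

# Constructed sample headers: protected display name, one-character lookalike
# domain, and SPF/DKIM both passing for the attacker's own domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.doe@examp1e.com; dkim=pass header.d=examp1e.com
"""

def org_domain(domain):
    # Relaxed DMARC alignment compares organizational domains; simplified here
    # to the last two labels (real DMARC consults the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, used to spot one-character lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate(raw_message, dmarc_policy="reject"):
    # dmarc_policy is the p= tag of the From domain's DMARC record (assumed
    # already looked up). Returns the DMARC verdict plus indicators DMARC misses.
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth)
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", auth)
    passed = bool(spf and org_domain(spf.group(1)) == org_domain(from_domain)
                  or dkim and org_domain(dkim.group(1)) == org_domain(from_domain))
    flags = []
    expected = PROTECTED.get(name.strip().lower())
    if expected and org_domain(from_domain) != expected:
        flags.append("display name of a protected person, but a different domain")
    for legit in set(PROTECTED.values()):
        if from_domain != legit and edit_distance(from_domain, legit) <= 1:
            flags.append(f"lookalike of {legit}")
    return {"dmarc": "pass" if passed else "fail",
            "action": "deliver" if passed else dmarc_policy,
            "impersonation": flags}
```

A message that spoofs the exact protected domain without aligned SPF or DKIM fails DMARC and inherits the domain's p= action, whereas the lookalike sample passes DMARC and is caught only by the impersonation flags.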