
Impersonation Attacks and How Companies Can Defend Themselves


Impersonation attacks are on the rise, and medium-sized firms are the most common targets, according to a recent threat intelligence report. Impersonation attacks usually take the form of emails that contain malicious links or content, but they can also operate via SMS and even traditional phone calls. The goal of these attacks is typically for cybercriminals to gain access to other people's personal information or to have them send money under false pretenses.

For companies, impersonation attacks pose a significant risk: once one employee has been fooled, the attacker usually gains a foothold from which a much larger portion of company information, and often company money, is within reach.

Types of Impersonation Attacks

Malicious actors have become creative in the way they perpetrate their crimes. They have come up with several ways to carry out impersonation attacks.

  • Email impersonation: When hackers create a fake email address and pretend to be a person/company you know. But if you look closely, you will see that the email address is not actually correct. There are several types of corporate email impersonation:
    • Business email compromise (BEC) and brand impersonation: BEC is the broad category of email fraud in which an attacker poses as a trusted company or business partner, usually to redirect a payment or extract data. Brand impersonation is its most visible form: in August 2023, a study found that Microsoft was the number one company being impersonated by malicious actors, followed by PayPal and Facebook. In October 2023, Walmart took over first place.
    • CEO fraud: When cybercriminals impersonate a CEO. According to the Phishing Activity Trends Report from APWG, the biggest risk of social media phishing is the impersonation of corporate executives.  
    • Whaling: When hackers target C-suite executives.
  • Email spoofing: When hackers forge the message headers, most often the From line, so that the message appears to come from a legitimate address. Look for a mismatch between the display name and the actual address, between the From address and the Reply-To or Return-Path, or between the sender's domain and the company's real domain. SPF, DKIM and DMARC exist so that receiving mail servers can detect exactly this kind of forgery, but only if the impersonated domain publishes them.
  • Account takeover: When hackers gain access to a real person’s email account and send malicious emails as that person.
  • Man-in-the-middle attack (conversation hijacking): When cybercriminals get inside an existing email thread, often through a compromised mailbox, and insert their own message into it, typically to redirect a payment or steal sensitive data. Because the message arrives as a reply in a thread the victim already trusts, it is far harder to spot than a cold email.
  • Smishing and vishing: Cybercriminals carry out SMS phishing (smishing) and voice phishing (vishing) via mobile phones. In the former, they try to get users to tap a malicious link that installs spyware or other malware on the phone or leads to a credential-harvesting page; in the latter, users receive phone calls (often automated) requesting personal information or one-time passcodes.
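The first three header-level patterns in the list above (a known name on a foreign address, a lookalike domain, and a From line that nothing else in the message backs up) can be checked mechanically. The following Python is an added example written for this post, not code from the original page or from any product; the company domain, the executive list and the four sample messages are constructed for illustration. It parses raw messages with the standard library and reports which impersonation indicator each one carries.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical company data for the example (assumption, not from the post).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _dkim_domain(msg) -> str:
    """Signing domain (d=) from the DKIM-Signature header, or '' if unsigned."""
    sig = str(msg.get("DKIM-Signature", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def analyse(raw: str) -> list[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)

    # Email impersonation / CEO fraud: the display name of a known executive
    # combined with a sender address that is not that executive's real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' but address {addr}")

    # Lookalike domain: within two edits of the company domain but not equal.
    if from_dom and from_dom != COMPANY_DOMAIN:
        d = _edit_distance(from_dom, COMPANY_DOMAIN)
        if 0 < d <= 2:
            findings.append(f"lookalike domain {from_dom} ({d} edit(s) from {COMPANY_DOMAIN})")

    # Email spoofing: From claims the company domain, but neither the envelope
    # sender (Return-Path) nor the DKIM signing domain aligns with it. This is
    # the alignment test DMARC performs at the receiving server.
    if from_dom == COMPANY_DOMAIN:
        _, rp = parseaddr(str(msg.get("Return-Path", "")))
        rp_dom, dk = _domain(rp), _dkim_domain(msg)
        if rp_dom != COMPANY_DOMAIN and dk != COMPANY_DOMAIN:
            findings.append(
                f"From domain {from_dom} not aligned with Return-Path {rp_dom or '-'} / DKIM {dk or '-'}"
            )

    # Replies silently diverted to another domain, common in payment fraud.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
CEO_FRAUD = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: finance@example.com
Subject: Urgent wire needed today

Please process the attached wire before noon.
"""

LOOKALIKE = """\
From: "IT Support" <helpdesk@examp1e.com>
To: staff@example.com
Subject: Password expiry

Log in here to keep your account.
"""

SPOOFED = """\
From: "Jane Doe" <jane.doe@example.com>
Return-Path: <bounce@attacker-host.example>
DKIM-Signature: v=1; a=rsa-sha256; d=attacker-host.example; s=sel; h=from:to; bh=x; b=y
To: finance@example.com
Subject: Updated bank details
Reply-To: <payments@outlook.com>

Our account number has changed; see below.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=x; b=y
To: finance@example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in [("ceo fraud", CEO_FRAUD), ("lookalike", LOOKALIKE),
                       ("spoofed", SPOOFED), ("legitimate", LEGITIMATE)]:
        print(label, "->", analyse(raw) or ["no indicators"])
```

The alignment check mirrors what a DMARC-enforcing receiver does with the Return-Path and DKIM domains; a gateway that already enforces DMARC makes the spoofed case moot, which is why the spoofing entry above recommends publishing those records. The lookalike test is deliberately loose (two edits) and will flag some unrelated short domains; treat its output as a prompt for a human check, not a verdict.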

How Companies Can Protect Themselves Against Email Impersonation

The danger of impersonation attacks is that they trade on recognizable names, either of a brand or of a person. If you receive an email that looks like it is from Microsoft, you are likely to open it without a second thought. The same is true for an email with your boss's name in the header.

For this reason, awareness is the foundation of any defense against impersonation attacks, though it needs to be backed by technical controls and by financial procedures that do not rely on a single person's judgment.

Companies should offer regular security awareness training sessions to ensure that all employees can recognize the signs of an impersonation attack. The signs include:

  • A sender address that looks similar (but not identical) to an address you know
  • Misspelled words or grammar mistakes
  • Messages that press for urgency or secrecy (“Urgent”, “do this before you leave today”, “don't tell anyone yet”)
  • Messages that request payments, financial information or login credentials
  • Messages that offer something for free

While these factors don’t guarantee that a message is fraudulent, they are warning signs that every employee should look for before clicking a link, opening an attachment or acting on a request.

Employees who work with company finances should follow all bank guidelines to ensure dual authorization for ACH and wire transfers, especially for one-time and non-routine transfers. They should also know the bank’s procedure for initiating a change in payment information, so that a request which does not follow it stands out as fake, and they should confirm any change to a counterparty's bank details by calling a number already on file, never one supplied in the request itself.

Of course, having a sturdy antivirus program and email filtering in place is a given, but neither stops a convincing lookalike-domain message on its own: publishing SPF, DKIM and DMARC records for the company’s domain blocks the simplest spoofing of that domain, and multi-factor authentication on mail accounts blunts account takeover. Some IT departments test employee awareness by sending out their own mock-malicious emails to see who falls for them. Naming and shaming those who do is counterproductive, since it discourages people from reporting the real thing; treat a failed test as a training opportunity and track the reporting rate alongside the click rate.

Armed with knowledge and technology, employees will be empowered to recognize impersonation attacks and avoid revealing any sensitive company information.