According to the FBI’s Internet Crime Report 2022, a common type of impersonation attack, Business Email Compromise (BEC), also called Email Account Compromise (EAC), cost businesses a whopping $2.7 billion.
Staggering as that figure is, impersonation attacks don’t only damage businesses financially; they can also harm an organization’s reputation, its customers, and its business partners.
An impersonation attack is a method used by criminals who pose as trusted individuals such as business executives, company leaders, and other superiors to solicit financial and personal information. Impersonation attacks rely on a cognitive bias that influences how employees respond to persons with authority, such as CXOs, directors, and managers. Oftentimes impersonation attacks also appear to come from a member of the HR or finance team, because of their relation to money and company data.
As an example, consider an employee who receives an email, which appears to be from the CEO or the CFO, asking for information or a money transfer. The request is urgent, and the situation described in the email is out of the ordinary. The sense of urgency drives the employee to comply with the request. Only later does the employee start to think rationally and regret their actions.
In addition to email, criminals can use several methods to impersonate, such as fake social media accounts and job posts.
So, even though this bias is desirable in business settings (organizations cannot function without deference to authority), one can see how it can also have its disadvantages.
That said, you can use different methods to protect your business from executive impersonation attacks.
The Increase in Impersonation Attacks
Several factors are driving the increase in impersonation attacks happening to businesses around the world.
Information available on the web
Criminals use the wealth of personal and business data available on the Internet and social media to learn about businesses, their employees, and business partners. They use this information to plan their attacks and to convince their targets about their legitimacy and authenticity.
Remote work
The pandemic changed the world of remote work forever. With reduced in-office presence, many employees only communicate through electronic means. Cybercriminals use this as an opportunity to target businesses with executive impersonation attacks.
The same holds true for the job application process. It’s now common for an entire job application, interviewing, and onboarding process to be digital, which expands job opportunities but also gives attackers a way to target each stage of the process.
Even though the pandemic is over and employees are returning to offices, remote work is still popular and will remain so. Therefore, businesses must guard themselves from all existing and emerging cyber threats.
Low-risk crime
Impersonation carries very little risk for the perpetrator: the attack arrives unexpectedly and demands urgent action. In most cases, victims comply with the request for information or money within an hour, after which the criminal can quickly “disappear.”
Authority bias
Humans have several cognitive biases, which are systematic errors of thinking or tendencies that drive people to make decisions or act irrationally.
One such cognitive bias is Authority Bias, a tendency to follow the instructions, suggestions, or advice of persons in positions of authority, such as senior management, teachers, doctors, policemen, or government officials.
Most business employees are unlikely to question requests or instructions from someone who is or is perceived as part of senior management. This is especially true when perpetrators use emotive language, promise future rewards, and request urgent action under “exceptional” circumstances.
Impersonation Attack Methods Used by Criminals
With the above in mind, cybercriminals use multiple methods to impersonate business executives and gain sensitive data, making it hard to defend against the onslaught of impersonation attacks.
In order to arm your workforce – and business – against impersonation attacks, the first step is identifying the different types of attacks.
Business email compromise (BEC)
Despite its many shortcomings, email is still the workhorse of corporate communications.
Criminals carry out BEC, a form of email phishing, by spoofing or hacking an executive’s email account to trick employees into revealing sensitive information or transferring payments.
BEC often targets specific individuals with emails that are highly convincing and can contain attachments infected with viruses or links to malicious websites.
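The spoofing described above usually leaves traces in the message headers: a display name that matches an executive but an address on a foreign or lookalike domain, a Reply-To that routes answers elsewhere, and urgency or payment language in the subject. The following is an added example, not code from the original post or from Bolster, showing how a mail gateway or SOC script could flag such messages. The executive roster, corporate domain (example.com), keyword list, and the two sample messages are all constructed for the illustration.

```python
import email
from email.utils import parseaddr

# Constructed roster: display name (lower-case) -> the executive's legitimate address.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Constructed list of terms typical of payment-pressure lures.
URGENCY_TERMS = ("urgent", "wire", "transfer", "immediately", "confidential", "gift card")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (e.g. examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return a list of BEC indicators found in the headers of a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name belongs to a known executive but the address is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("display-name impersonation of executive")

    # 2. Sender domain is within two edits of the corporate domain but is not it.
    if from_domain and from_domain != ORG_DOMAIN and levenshtein(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to domain mismatch")

    # 4. Subject carries the urgency / payment language typical of these lures.
    subject = msg.get("Subject", "").lower()
    if any(term in subject for term in URGENCY_TERMS):
        findings.append("urgency/payment language in subject")

    return findings


# Constructed sample messages (headers only; bodies are irrelevant to these checks).
SUSPICIOUS = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe.ceo@mail-relay.invalid\n"
    "Subject: Urgent wire transfer needed today\n"
    "\n"
    "Please handle this quietly.\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Q3 board deck\n"
    "\n"
    "Draft attached for review.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, assess_message(raw))
```

Any single indicator is weak on its own (executives do send urgent mail), so in practice these findings feed a score or a quarantine rule rather than an automatic block, and the roster should be generated from the directory rather than maintained by hand.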
Fake social media accounts
In today’s world, nothing matches social media’s global reach and influence. Billions use social media daily for information sharing, education, entertainment, and network and relationship building.
Business executives use social media to network and promote their businesses. But criminals also use social media for scams, and to impersonate respected and well-known business leaders, reach large audiences, and spread fake news that damages businesses financially and harms their reputations.
Fake job scams
Challenging economic conditions often cause people to act irrationally and impulsively. Bad actors use such human frailties to their advantage and gain at the expense of their victims.
Criminals use fake social media profiles or email accounts – that seemingly belong to reputable companies or their executives – to contact vulnerable workers and trick them into revealing personal information such as bank account numbers, date of birth, and social security numbers. They also often ask for a one-time upfront fee, such as an application or job training fee.
Real-World Examples of Impersonation Attacks
Security and IT teams can proactively create defenses against executive impersonation attacks by analyzing how businesses have been scammed in the past.
Let’s take a look at some real-world executive impersonation attacks targeting major corporations:
- Toyota: In 2019, Toyota Boshoku Corporation, a European subsidiary of the Japanese giant, fell victim to a $37 million BEC scam. While Toyota did not reveal details about the exact method used by the scammers, it is evident that the scammers used social engineering to impersonate executives and pressured specific individuals into complying with their requests.
- Google and Facebook: Between 2013 and 2015, the two tech behemoths lost $121 million to a Vendor Email Compromise (VEC) attack. The perpetrator set up a fake company with the same name as an actual hardware supplier and created fake contracts and legal letters to get banks to accept payments. They then sent invoices to Facebook and Google, which were duly honored.
- Unnamed European corporate victim: In March 2019, criminals used AI-based deepfake voice technology to imitate the voice of a company’s CEO. A phone call was made to the CEO of a British subsidiary, demanding an urgent €220,000 payment. The victims’ insurance provider declined to name the victims.
How Impersonation Attacks Damage a Business
In summary, impersonation attacks pose a multi-faceted threat to businesses and can cause significant damage:
- Financial loss: Impersonation attacks often lead to substantial financial losses. Once the funds are transferred, they are difficult to recover.
- Reputation damage: Business reputation can suffer if customers and business partners perceive a targeted organization as vulnerable to cyber threats.
- Data breaches: Leakage of sensitive data such as login credentials or proprietary information can lead to data breaches and the potential for further legal and regulatory consequences.
- Operational disruption: It can disrupt business operations if the attack involves manipulating employees into taking specific actions—such as altering payment processes, diverting shipments, or disclosing sensitive information.
- Legal and regulatory consequences: Failure to protect sensitive information can result in fines and legal and regulatory repercussions.
- Loss of productivity: In the aftermath of an attack, businesses must spend time and resources to provide cybersecurity training for employees, investigate the attack, and regain customer trust, leading to losses in productivity.
- Supply chain compromises: Attackers can use compromised credentials to send fraudulent requests to business partners, suppliers, or customers, affecting multiple entities.
- Emotional and psychological impact: Employees who fall victim to impersonation attacks can experience several emotions, including stress, guilt, and anxiety. This can harm their well-being and job performance.
- Loss of competitive advantage: Competitors can exploit sensitive business information or intellectual property disclosed during an attack, leading to a loss of competitive advantage.
How to Prevent Impersonation Attacks
To protect against executive impersonation attacks, businesses must implement systems for:
- Training: Cyber threats are evolving daily. Regular employee training is essential to keep staff informed about existing and emerging threats and about the standard operating procedures (SOPs) for responding to attacks.
- Financial control: Appropriate financial controls must be implemented that require authorization from multiple executives/nominees before any financial transaction can be completed.
- Cyber-security: Businesses must implement the latest technology that deals with traditional cyber threats, as well as emerging methods that use AI and machine learning (ML) to disguise, speed up, and automate attacks.
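The financial-control point above is easy to state and easy to implement loosely. The following added example (not code from the original post or from Bolster) shows a payment-release check that enforces the control strictly: a requester can never approve their own request, approvers must be distinct and drawn from an authorized list, amounts above a threshold need two approvers, and a new or changed beneficiary must have been verified out of band before release. The approver list, the threshold, and the sample requests are constructed values for the illustration.

```python
from dataclasses import dataclass, field

# Constructed policy parameters.
DUAL_CONTROL_THRESHOLD = 10_000          # above this amount two approvers are required
AUTHORIZED_APPROVERS = {"cfo", "controller", "treasurer"}


@dataclass
class PaymentRequest:
    requester: str
    amount: float
    beneficiary_is_new: bool = False     # new vendor or changed bank details
    callback_verified: bool = False      # bank details confirmed via a known phone number
    approvals: list = field(default_factory=list)   # user ids who approved


def evaluate(req):
    """Return (release_allowed, reasons). An empty reasons list means release is allowed."""
    reasons = []

    # Only listed approvers count, and self-approval never counts.
    valid = {a for a in req.approvals if a in AUTHORIZED_APPROVERS}
    if req.requester in req.approvals:
        reasons.append("requester cannot approve their own request")
    valid.discard(req.requester)

    required = 2 if req.amount > DUAL_CONTROL_THRESHOLD else 1
    if len(valid) < required:
        reasons.append(f"needs {required} distinct authorized approver(s), have {len(valid)}")

    # Changed or new bank details are the classic BEC pivot; require out-of-band confirmation.
    if req.beneficiary_is_new and not req.callback_verified:
        reasons.append("new/changed beneficiary not verified by callback")

    return (not reasons, reasons)


# Constructed sample requests.
URGENT_CEO_WIRE = PaymentRequest(requester="cfo", amount=250_000,
                                 beneficiary_is_new=True, approvals=["cfo"])
ROUTINE_INVOICE = PaymentRequest(requester="ap-clerk", amount=4_200,
                                 approvals=["controller"])
VERIFIED_LARGE = PaymentRequest(requester="ap-clerk", amount=250_000,
                                beneficiary_is_new=True, callback_verified=True,
                                approvals=["cfo", "treasurer"])

if __name__ == "__main__":
    for name, req in (("urgent CEO wire", URGENT_CEO_WIRE),
                      ("routine invoice", ROUTINE_INVOICE),
                      ("verified large payment", VERIFIED_LARGE)):
        print(name, evaluate(req))
```

The point of the callback flag is that the verification happens through a channel the attacker does not control; an approval collected by replying to the same email thread that carried the request adds nothing.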
At Bolster, we help organizations defend against executive impersonation attacks by monitoring for misuse of your brand and your executives’ digital assets. When potential threats are detected, we alert your team and initiate takedowns automatically.
To learn more about how Bolster can help your business defend against impersonation attacks, request a demo with our team today.