Impersonation Fraud

Is impersonation a form of Social Engineering? It sure is. As one of the four vectors used in Social Engineering, impersonation is one of the more powerful vectors because it plays on the trust element, which we all have built into a part of our brain called the prefrontal cortex or the amygdala. Trust is an essential component of human social life. Within the brain, the function in the neural network is associated with the way trust-based decisions are made. I am by no means a doctor; however, as a child, I was taught, like others, to put my faith in people. In the early part of our lives, some of us are taught to trust our parents, family, doctors, law enforcement, teachers, and so forth. So why does impersonation pose such a threat?

I would like to pull a quote from the book "The Art of Deception" by Kevin Mitnick, the world's authority on hacking, social engineering, and security awareness: "Manipulative people usually have very attractive and creative personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes to get them to cooperate." To think that any particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of an experienced social engineer.


To begin this story, I would like to talk about impersonation scams. The reality is that impersonation scams have been happening for years, and the art of persuasion is a powerful tool if used correctly. We see it in the movies and hear it in the news; impersonation is real and affects all of us. Most of us know about Frank Abagnale, one of the greatest impersonators of all time. His crimes were chronicled in the Spielberg movie Catch Me If You Can, where Leonardo DiCaprio portrays him. Just think: he posed as an airline pilot and boarded a plane with hundreds of souls on board. He also made millions as a white-collar criminal until he was eventually caught and became a consultant for the FBI. Imagine that!

Let's get to some facts before we dive in. This past month, the Federal Trade Commission (FTC) released a statement detailing the fraud reports it received throughout 2021; let me tell you, it is eye-opening. Fraud losses totaled a staggering $5.8B in the U.S. alone, an increase of more than 70 percent compared to 2020. Of the reports received by the FTC, most losses were the result of imposter scams ($2.8B). In New Jersey alone, there were 54,494 comprehensive reports that accounted for $122.2M in losses, with a median loss of $508 per person. The sad truth is most reports were related to imposter scams, people claiming to be someone they are not. These scams included Social Security/IRS, romance, tech support, and many others.

So, what is the job of an impersonator? Their objective is to lure their victims in with different personalized tactics. They spend time researching their targets, pretending to be a trusted person or entity before moving in for the kill. Bad actors/fraudsters, whatever your choice of description, may also exploit current events such as tax payment time (i.e., April 15th in the United States), unemployment benefits, COVID-19 vaccines, and COVID-19 stimulus relief to arouse curiosity and get the victim to act. Our imposter needs to be on top of their game, whatever the method.

So, what vector methods do we have in the world of the Social Engineer/Imposter? There are a few methods, but the four that come to mind are Phishing, Vishing, Smishing, and Impersonation. Any one of these can be used as an extraction tool to help the Social Engineer/Imposter get what they need. Other information is also crucial: it can be anything from bank account numbers, Personally Identifiable Information (PII), Social Security or medical info, or corporate Intellectual Property (I.P.), and the list goes on. In today's environment, bad actors target us with the intent to defraud us by separating us from our assets. In other cases, there are more malicious intentions to harm, but let's stay with the defrauding part first. Whether to persuade us into sharing information, transferring money, or granting access, or to get us to unknowingly install malware for a later attack, the classic Social Engineer's (S.E.) methods, among others, are used.

Let's briefly infuse Deepfakes as part of the imposter's tool set. I was privileged to attend a seminar on Synthetic Data and Deepfakes with the InfraGard/FBI group I belong to. It was fascinating. Do you like TikTok? I can watch some of the short videos for hours. Some videos are downright hysterical, but on the other hand, much of what you see is not accurate. Some videos show an individual with a superimposed face of an actor making their best impression, all in good fun. However, if you think you can't be fooled into believing something is real or not, you had better do your homework before passing judgment. Some people get their news from TikTok. Think of an imposter posing as Tom Cruise going on TikTok to raise money for a cause; by the time he is discovered, he can be long gone with the money, just like Frank Abagnale in the movie Catch Me If You Can.

Many applications of synthetic media represent innocent forms of entertainment, but others carry risks. Deepfakes, a growing type of threat falling under the more significant and pervasive umbrella of synthetic media, utilize a form of artificial intelligence/machine learning (AI/ML) to create believable, realistic videos, pictures, audio, and text of events that never happened. The threat of Deepfakes and synthetic media comes not from the technology used to create them but from people's natural inclination to believe what they see. This is where it starts; see where I am going here? As a result, Deepfakes and synthetic media do not need to be particularly advanced or believable to spread misinformation effectively. Based on numerous interviews conducted with experts in the field, it is apparent that the severity and urgency of the current threats from synthetic media depend on the exposure, perspective, and position of who you ask. The concerns ranged from "an urgent threat" to "don't panic, just be prepared." The Department of Homeland Security and the FBI considered several scenarios specific to commerce, society, and national security to help individuals understand how a potential threat might arise and what that might be. The likelihood of any of these scenarios occurring and succeeding will undoubtedly increase as the cost and other resources needed to produce usable Deepfakes decrease. Many apps are available; just visit the app marketplace and you will find them. As synthetic media became easier to create, non-AI/ML manipulation techniques also became more readily available, with so much of it out there on the internet.

Deepfake and Synthetic Media Example Links for More Information. Information was obtained from Homeland Security.

  • Jim Acosta Doctored Video: https://apnews.com/article/entertainment-north-america-donaldtrump-us-news-ap-top-news-c575bd1cc3b1456cb3057ef670c7fe2a
  • Jennifer Lawrence - Steve Buscemi: https://fortune.com/2019/01/31/what-is-deep-fake-video/
  • David Beckham Anti-Malaria PSA: https://www.campaignlive.com/article/deepfake-voice-tech-usedgood-david-beckham-malaria-campaign/1581378
  • World Leaders Sing "Imagine": https://scifi.radio/2019/05/29/watch-world-leaders-sing-for-peacein-canny-ais-imagine-video/
  • Bill Hader Impressions: https://www.fastcompany.com/90353902/bill-haders-al-pacinoimpression-gets-even-more-real-and-creepy-with-the-help-of-deepfakes
  • Nancy Pelosi Doctored Video: https://www.usatoday.com/story/news/factcheck/2020/08/11/factcheck-video-pelosi-altered-and-selectively-edited/3332920001/
  • Tom Cruise TikToks: https://www.theverge.com/22303756/tiktok-tom-cruise-impersonatordeepfake

As I researched more on the topic, I found some helpful sources that continue to observe and receive reports of impersonation scams worldwide. I also found the information on the NJCCIC (The New Jersey Cybersecurity & Communications Integration Cell) website to be beneficial in relation to this topic. They provide information and recommendations to educate users and organizations to reduce the likelihood of victimization in the Garden State; however, this information can be used anywhere.

In the grand scheme of things, acts of fraud have been a constant in our lives. We have to be on the lookout for scammers all the time. Here is a personal experience: I will explode if I get one more call from the Police Benevolent League asking for a contribution. The people calling me are scammers. They are not real. I called the number back, and it was a dead line.

Unfortunately, so many unsuspecting victims click on links and believe the people in the video link, the phone call they received, or the site the content came from. Here is yet another example of a scam that you might find creative. After viewing a Deepfake or an imposter in a video link, the "mark" or victim gets pulled into the next part of the scam by being directed to a phone number, probably a burner phone, and so ends up caught in a vishing scheme. When they dialed the phone number shown in the video, as the plan intended, the person on the other end of the line coerced them into giving up something of value. Maybe there is a little small talk or interest shown, and the victim falls for it. For those unfamiliar, vishing is a form of phishing done in the voice world. Here is a video you should watch. These examples are genuine.


Federal Trade Commission Imposter Scams: https://consumer.ftc.gov/articles/how-avoid-government-impersonator-scam

Moving forward, the simple act of visiting a website or answering an email exposes us to these impersonators all the time. As mentioned earlier, these offenders may impersonate trusted sources, such as family, friends, colleagues, and legitimate businesses, including executives, vendors, and customers, people we might trust. They may also impersonate government agencies—such as the Internal Revenue Service (IRS), Social Security Administration (SSA), and the Federal Bureau of Investigation (FBI)—which we have witnessed many times. The elderly are exceptionally vulnerable to this. As if getting old isn't challenging enough, these miscreants come along and manipulate these folks. They attempt to convince their target to divulge sensitive information or perform an action, such as wiring funds.

Around the time I was putting this article together, the NJCCIC observed multiple email campaigns targeting N.J. State employees. The messages were a strange combination of initial emails and replies to earlier email conversation threads, with subject lines referencing business names, notifications, invoices, or forms. This technique confused the recipients into believing they were involved in a prior conversation.

In other cases, impersonation scams posed as senior executives or employees of targeted businesses and organizations: the threat actors sent unsolicited emails using the actual name of the senior executive or employee in the display name, and the email signature was made to look like it came from them. Although the email appears legitimate, the threat actors spoof the sender by creating a fictitious email address that resembles the actual name or email address, making it more challenging to judge its legitimacy. They solicit information or convince the target to take action, such as making purchases or performing tasks; classic manipulation. Pretty crafty if you think about it.

Moreover, government agencies should use the .gov top-level domain for their official websites to reduce the success of impersonation scams, as the .gov domain requires validation to register. However, many government agencies use an alternative top-level domain, such as .com or .org, making them easier targets for impersonation. Anyone, including threat actors, could register similar-looking .com or .org domains to impersonate a government agency more convincingly and create spoofed email accounts or websites. So we have to be diligent when we are doing our research.
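The two preceding paragraphs describe three tells a mail filter can look for: a trusted person's name in the display name paired with an outside address, a sender domain that visually or typographically imitates the organisation's own, and a sender claiming to be a government agency from something other than a .gov domain. The following is an added example of such a check written for this article, not code from the author or from NJCCIC; the organisation domain `example-agency.gov`, the protected names, and the sample From: headers are all constructed for illustration.

```python
"""Flag inbound senders that impersonate a trusted person or use a look-alike domain.

Added example (not code from the article or from NJCCIC): ORG_DOMAIN,
PROTECTED_NAMES and the sample headers are constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "example-agency.gov"            # assumed: the organisation's real domain
PROTECTED_NAMES = {"jane doe", "john smith"}  # assumed: executives whose names get spoofed
AGENCY_TOKENS = {"irs", "ssa", "fbi"}         # agencies the article says are impersonated

# look-alike substitutions used to build a domain "skeleton" for comparison
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def normalize_name(name):
    """Fold case and accents and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.casefold().split())


def skeleton(domain):
    """Collapse common look-alike sequences so 'exarnple.gov' and 'example.gov' compare equal."""
    s = domain.casefold()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance; a small distance between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Return a list of findings for one From: header; an empty list means nothing stood out."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    domain = addr.rsplit("@", 1)[1].casefold()
    name = normalize_name(display)
    findings = []

    # 1. display name of a protected person, but the address is not on our domain
    if name in PROTECTED_NAMES and domain != ORG_DOMAIN:
        findings.append(f"display name '{display}' impersonates a protected person from {domain}")

    # 2. outside domain that is a visual or typo look-alike of ours
    if domain != ORG_DOMAIN:
        if skeleton(domain) == skeleton(ORG_DOMAIN):
            findings.append(f"{domain} is a homoglyph look-alike of {ORG_DOMAIN}")
        elif levenshtein(domain, ORG_DOMAIN) <= 2:
            findings.append(f"{domain} is within edit distance 2 of {ORG_DOMAIN}")

    # 3. claims to be a government agency but is not on the validated .gov TLD
    tokens = set(re.split(r"[^a-z0-9]+", f"{name} {domain}")) & AGENCY_TOKENS
    if tokens and not domain.endswith(".gov"):
        findings.append(f"{domain} references {', '.join(sorted(tokens))} but is not a .gov domain")
    return findings


if __name__ == "__main__":
    # constructed sample headers: one legitimate, three suspicious
    for hdr in ("Jane Doe <jane.doe@example-agency.gov>",
                "Jane Doe <jane.doe@gmail.example>",
                "Payroll <payroll@exarnple-agency.gov>",
                "IRS Refunds <refunds@irs-refund-portal.com>"):
        print(hdr, "->", assess_sender(hdr) or "ok")
```

These heuristics only look at the visible From: header, which is exactly what the victim sees; they do not replace SPF/DKIM/DMARC checks on the envelope, but they catch the display-name trick that authentication checks pass straight through because the spoofed address really is the attacker's own.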

Recommendations

Everyone should practice good cyber hygiene to protect themselves from these scams and help prevent future victimization.

  • Be careful what you post online. Value and protect your information at all costs. Make informed decisions about sharing your information with particular individuals, businesses, services, and apps. Unfortunately, this is one of the most overlooked areas. Remember Cambridge Analytica, which bought many personal records from Facebook for use in a political campaign? I wouldn't go any further with that one.
  • Exercise caution with communications. Users who receive unexpected or unsolicited emails from known senders should only respond to communications from an official business email account and confirm the legitimacy of the message or request via a different means of communication—such as telephone—before acting.
  • Navigate directly to websites. If unsure, go directly to the official websites by typing the URL into the browser instead of clicking on links in messages. Refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites. When sharing personal or financial information, ensure you use verified, safe, and encrypted websites.
  • Reduce your digital footprint. Threat actors can search for and use information readily available online, including researching organizations to gather information about employees, vendors, or customers. Refrain from posting sensitive information online. If possible, businesses should minimize information published on official websites, including organizational structures and online directories. This is a common mistake made by some of the world's largest corporations, as pointed out in my article on LinkedIn called Is Your Digital Footprint Bigger Than It Needs To Be? https://www.dhirubhai.net/pulse/your-digital-footprint-bigger-than-needs-steven-crociata/
  • Report email violations when you think you see them. Users who send unsolicited emails may violate account policies or terms of use and should be reported to the email provider. For example, Canada has stringent anti-spam laws, but on the other hand, SPAM IS LEGAL in the United States. Whether a message is spam does not answer whether it is illegal. The bottom line is to watch who and where your emails are coming from. If you get the same one constantly and know it is not legit, right-click on the message and block the sender.
  • Refrain from sharing login credentials or other sensitive information. Login credentials and additional sensitive information should not be shared with anyone. Look at the problem with Netflix. How many people are sharing their passwords? They think they are clever until they get hit with a breach.
  • Update passwords immediately following a data breach or potential compromise. Change exposed passwords for every account that uses them to protect against account compromise. Use a resource such as www.haveibeenpwned.com to determine if your information, such as an account password, has been revealed in a public data breach.
  • It goes without saying that you should always use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise another account using the same credentials.
  • Enable multi-factor authentication (MFA) where available. MFA uses two or more factors to authenticate an account or service. This significantly reduces the risk of account compromise via credential theft in which your password was exposed. Even if a threat actor obtains a user's username and password, they cannot access that user's account without their second factor.
  • Users are encouraged to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping. The website www.TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.
  • Keep devices up to date. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that threat actors could exploit to gain unauthorized access to your device or data. If a machine cannot receive updates from the vendor, consider not purchasing it or discontinuing the use of the device. Apple is exceptionally good with this.
  • Back up devices. Protect your information from malware, hardware failure, ransomware, damage, loss, or theft by making multiple copies and storing them offline. If you use an external device like I do, run a scan on it frequently.
  • Report any suspicious activity, identity theft, and fraud to your financial institution, local police department, and the Federal Trade Commission (FTC). Cyber-related incidents may also be reported to the NJCCIC via the Cyber Incident Report form.
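The password recommendations above point readers to haveibeenpwned.com to learn whether a password has appeared in a public breach. A natural worry is that checking a password means sending it somewhere. The Pwned Passwords service avoids that with a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 hash and receives every known hash suffix under that prefix, so the match is made locally and the full hash never leaves the machine. The code below is an added example written for this article, not the author's or the service's own code; it parses the documented `SUFFIX:COUNT` reply format against a constructed sample reply (only the SHA-1 of the string "password" is a real digest, the counts and other suffixes are made up), and the live lookup function is included but not exercised offline.

```python
"""Check a password against a breach corpus without ever sending the password.

Added example (not the article's or Have I Been Pwned's code). It follows the
k-anonymity scheme of the Pwned Passwords range API: send the first five hex
characters of the SHA-1 hash, receive every known suffix for that prefix, and
match the remaining 35 characters locally. SAMPLE_RANGES is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented range endpoint


def range_query_parts(password):
    """SHA-1 the password; return (5-char prefix that leaves the machine, 35-char suffix that stays)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """Parse 'SUFFIX:COUNT' lines for one prefix; return the count, or 0 if the suffix is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password, ranges):
    """ranges maps prefix -> reply text (a cache standing in for the API); unknown prefix -> 0."""
    prefix, suffix = range_query_parts(password)
    return breach_count(suffix, ranges.get(prefix, ""))


def fetch_range(prefix):
    """Live lookup over the network; not used by the offline demonstration below."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the reply to prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the real remainder of that digest; the counts and the other
# two suffixes are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "00000000000000000000000000000000001:7",
    ]),
}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = check_password(pw, SAMPLE_RANGES)
        print(f"{pw!r}: seen {hits} times" if hits else f"{pw!r}: not in sample corpus")
```

To run it against the live service, replace `SAMPLE_RANGES` with `{prefix: fetch_range(prefix)}` for the prefix returned by `range_query_parts`; the design point is that a password found in a breach corpus should be retired everywhere it is used, which is exactly the "change exposed passwords for every account" advice above.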

Some of the information I just mentioned is after the fact, yet some tips can be implemented now. Socially engineered imposter scams are happening more frequently; we must be vigilant. Don't act impulsively, and eliminate the emotion. Although that offer, email, or flirt may be tempting, think before you touch the pan on the stove. Remember, one click can bring a lifetime of pain.

I hope the information in this article is helpful and wish you the best in your endeavors to run a good business and be a responsible person.
