How Do Bad Actors Use Impersonations
By Eddy Berry, Security Research Analyst, TraceSecurity
Bad actors are always looking for ways into a business's network through social engineering techniques such as phishing, vishing, and smishing. They can attack from many angles, but the attack usually takes the form of an impersonation. These impersonations range from a high-ranking C-level executive at the company to a loved one on a personal level.
Companies, whether big or small, often post information on their websites to inform people about their purpose, practices, and procedures. Some sites also offer order forms, contact forms, and other ways to get in touch with employees. This is convenient for customers, of course, but it can also be dangerous in the wrong hands. Bad actors will take this information and use it against the company.
Impersonations
A bad actor gathers the information found on websites and in other public places and uses it to gain access to a business's network and devices. Reconnaissance is a major step in these attacks: it refers to collecting information about employees, managed service providers, and even employees' personal connections.
There are some common threads in impersonation attacks. Bad actors do not want you to check their credentials or verify their supposed job or status, which is exactly what you need to do. Always verify whoever is calling, even if they say they are from a contracted service or give the names of people you know.
There are a few common impersonations that bad actors find success with.
C-Level Employees
In most businesses, the CEO is a prominent figure. Their name is easy to find, and many appear in public for interviews or events. This makes it easy not only to obtain their contact information, but also to study their speaking mannerisms and, with AI tools, even to clone their voice.
IT Professionals
Most employees do not know the many different services their business uses. Many companies rely on third-party IT services, either for managed services or for occasional contract work such as repairs or maintenance. Bad actors count on this unawareness and pose as one of these IT professionals, asking employees for login information or directing them to malicious websites.
Mail Carriers
Some bad actors impersonate representatives of USPS, UPS, FedEx, and various other mail carriers. They will tell you that a package is delayed or that the address is incorrect, and that they need your information to complete the delivery. These businesses will never contact you without prior notice or a request from you. If there is a problem, it is always better to call the mail carrier directly.
Contractors
Most businesses use outside services, whether physical services or network services. These usually boil down to communication services, mail services, or repair jobs. Although this information is harder to find, bad actors can impersonate these contractors, assuming the role of the service provider in an attempt to get information. This extends to physical, on-site social engineering as well – bad actors have been known to put on a disguise to get into business buildings.
Invoice/Fee Collectors
An increasingly common pretext that bad actors use is the fee collection agency. These messages cite overdue tolls, debts, unpaid tickets, and other matters that cause people to worry. These agencies will never send you a text requesting payment – they will send a notice in the mail or call you directly.
Impersonation is the main reason social engineering attacks succeed. Bad actors gather publicly available information and use it to send fake emails, texts, and even phone calls in order to obtain sensitive information from the business. They may also try to get into an account to install malware, including ransomware, on the network, then demand payment to release it.
Regardless of who a contact claims to be, employees should always verify and validate any person asking them for information. Even if the request appears to come from a C-level employee, these checks are in place for a reason. Security awareness training is also a good way to keep employees attentive to phishing and other forms of social engineering, and it is one of the best ways to make sure that cyberattacks do not succeed.
Connect with TraceSecurity to learn more.