An impersonation attack occurs when a malicious actor poses as another person or entity to steal data or funds from an employee.
The data or funds are usually obtained by deception, such that the employee:
While every attack looks different, the basic structure of an impersonation attack is as follows.
The bad actor starts by identifying an employee of interest. This is typically the person who pays invoices or has access to sensitive information.
Research is then performed on the employee. What vendors do they liaise with? Who do they report to? What are their general responsibilities?
Cybercriminals exploit open-source intelligence (OSINT) to learn more about the intended victim.
OSINT comprises publicly available data that may relate to corporate reports, conference minutes, employee profiles, social media posts and even media appearances.
Once the actor has researched the victim in detail, they repeat the intelligence-gathering process for the identity they want to impersonate.
This is someone who engenders trust in the target, such as one of their superiors or a well-acquainted colleague.
Next, the actor assumes that identity using credentials that appear authentic (such as an email account).
The attacker then crafts a plausible reason for having to contact the victim.
Communication tends to occur via email (more on this below), but some may reach out with a text or phone call.
In the final step, the employee is asked to perform a certain action.
Common examples include:
To be successful, impersonation attacks rely on social engineering. In a cybercrime context, social engineering is the act of deceiving an employee into betraying company data or resources.
Social engineering tactics work because they capitalise on quirks in human psychology. Invariably, the victim is motivated to act because of:
The technique is also easier for the criminal to carry out. Instead of having to locate and exploit a system vulnerability themselves, they simply manipulate employees into giving them what they want.
The varied ways this manipulation occurs are explained in the next section.
Unfortunately, there are numerous ways.
Phishing is a type of email impersonation attack in which employees are contacted from what appears to be the email account of a coworker, manager or executive, whether a stolen account or a forged sender address. This is often called email impersonation or email spoofing.
As we noted earlier, emails often trick employees into divulging sensitive data. However, some emails will direct the employee to links or images that contain malware.
The numbers on phishing are staggering. Worldwide, email impersonation accounts for 1.2% of all daily email traffic or around 3.4 billion emails per day.
The most commonly targeted industries are finance and insurance and 43% of all phishing attacks imitate Microsoft alone.
Email-based phishing is so prevalent that various sub-types exist:
Additional types of non-email-based phishing (but with similar objectives) include:
Cousin domains are domain names registered specifically to resemble a legitimate organisation's domain.
To trick users into believing they are interacting with a legitimate entity, cousin domains leverage minor variations in spelling, add extra words or replace certain characters. These domains will also imitate the design and layout of the legitimate domain to enhance the deception.
The objective of this type of impersonation attack is much the same as it is with phishing. Invariably, victims are prompted to enter their login credentials, transfer money or download malicious files.
In an account takeover (ATO), the cybercriminal obtains access to an account with stolen credentials that are often purchased on the dark web.
Accounts without multi-factor authentication are especially vulnerable. The criminal can use the details to commit identity fraud or, if the victim reuses the same password across services, to take over further accounts.
Man-in-the-middle (MITM) attacks occur when the malicious actor intercepts and then alters communication between two parties without their knowledge.
In some cases, MITM attacks are a digital form of eavesdropping on unsecured Wi-Fi networks. Even HTTPS and SSL/TLS connections can be intercepted when the attacker is able to get the victim to accept a fraudulent certificate or downgrade the session to plain HTTP.
Since impersonation attacks are designed to take advantage of human error, preventing them can be difficult.
Nevertheless, they can be mitigated or even prevented with a multifaceted approach that combines user education, technical defences and proactive surveillance.
Forewarned, as they say, is forearmed, and impersonation attacks are no different.
Businesses do not need to spend vast sums of money to create awareness among their employees, but the importance of training frontline staff is paramount.
Sessions should educate employees on the dangers of such attacks and familiarise them with the warning signs of email impersonation.
Various tools are also available to simulate phishing scams and provide alerts and other functionality that integrates into existing email platforms.
Robust authentication mechanisms are another facet of the defence against email impersonation. Considered the golden trio of email authentication technologies, SPF, DKIM and DMARC validate that a message really comes from the domain it claims to, and substantially reduce the likelihood of cybersecurity incidents.
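To show what DMARC adds on top of SPF and DKIM, here is an added example written for this article (not a vendor's filtering logic). It parses a constructed Authentication-Results header and reports whether SPF or DKIM passed for a domain aligned with the visible From address, which is the check that catches a message sent through a third-party mailer in an executive's name. The sample message, the domains example.com and bulk-sender.example.net, and the "last two labels" approximation of the organisational domain are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): SPF and DKIM both pass for the
# bulk sender's domain, but neither is aligned with the visible From: domain,
# so the DMARC evaluation fails even though both underlying checks passed.
SAMPLE_MESSAGE = """\
From: "Finance Director" <director@example.com>
To: payables@example.com
Subject: Urgent invoice payment
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bulk-sender.example.net;
 dkim=pass header.d=bulk-sender.example.net

Please process the attached invoice today.
"""

# (mechanism, result, authenticated domain) triples from the header value.
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)")

def from_domain(raw):
    """Domain of the address the user actually sees in the From: header."""
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()

def auth_results(raw):
    """Map 'spf'/'dkim' -> (result, domain) from Authentication-Results."""
    msg = message_from_string(raw)
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1): (m.group(2).lower(), m.group(3).lower())
            for m in AUTH_RE.finditer(header)}

def org_domain(domain):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, header_domain, strict):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if strict:
        return auth_domain == header_domain
    return org_domain(auth_domain) == org_domain(header_domain)

def dmarc_verdict(raw, strict=False):
    """'pass' if SPF or DKIM passed for a domain aligned with From:, else 'fail'."""
    hdr = from_domain(raw)
    for status, dom in auth_results(raw).values():
        if status == "pass" and aligned(dom, hdr, strict):
            return "pass"
    return "fail"
```

Swapping bulk-sender.example.net for a subdomain of example.com in the sample makes the relaxed verdict pass while the strict one still fails, which is the difference between DMARC's aspf/adkim relaxed and strict modes.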
Otherwise, various email security providers offer tools that anticipate and protect against even the most advanced email impersonation attacks.
Many are powered by machine learning and AI technology that block malicious emails with accurate threat classification and multilayered detection techniques.
Some also offer email encryption, content filtering and various analysis tools that provide complete visibility across multiple communication channels.
One of these analysis tools is threat intelligence, which enables businesses to stay one step ahead of attackers with insights into the tactics, techniques and procedures (TTPs) they employ.
Proactive surveillance requires the organisation to use initiative and monitor for impersonation attempts. Telltale signs include unusual website behaviour or any suspicious login, email, social media, DNS or network activity.
To check for cousin domains, the organisation can use lookalike-detection tools or manually search for variations of its own domain name and social media handles that may be impersonating it.
Automated software can not only detect and validate cousin domains but can enforce intellectual property (IP) rights and have the offending domain taken down.
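As an added example of the kind of check such software performs (written for this article, not any product's detection logic), the function below compares an inbound sender domain against the organisation's own domains using homoglyph normalisation, edit distance and brand-name embedding, and returns a verdict with the reason. The brand acme.com, the substitution table and the "last two labels" approximation of the registrable domain are assumptions.

```python
# Substitutions commonly seen in lookalike registrations; illustrative, not
# exhaustive. Real deployments should also handle IDN homographs.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

def normalise(label):
    """Fold confusable characters and drop separators so acrne-corp -> acmecorp."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label.replace("-", "")

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    # Simplification: last two labels. Use the Public Suffix List in production.
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def cousin_domain_verdict(sender_domain, legit_domains, max_distance=2):
    """Return (is_suspicious, reason) for an inbound sender domain."""
    reg = registrable(sender_domain)
    if reg in {registrable(d) for d in legit_domains}:
        return False, "own domain"
    nsld = normalise(reg.split(".")[0])
    for legit in legit_domains:
        brand = normalise(registrable(legit).split(".")[0])
        if nsld == brand:
            return True, f"lookalike of {legit} (same name after normalisation)"
        if levenshtein(nsld, brand) <= max_distance:
            return True, f"within edit distance {max_distance} of {legit}"
        if brand in nsld:
            return True, f"brand name embedded with extra words ({legit})"
    return False, "no match"
```

Short brand names produce more false positives at distance 2, so tune max_distance per brand and treat the result as a triage signal rather than a block decision.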
In summary: