Impersonation Scams

An impersonation scam, also known as an imposter scam, is a type of cybercrime where a malicious actor pretends to be a trusted individual or organization to deceive a victim. The goal is to trick the victim into giving up sensitive information, such as login credentials or financial data, or into transferring money to a fraudulent account.

How Impersonation Scams Work

Impersonation scams rely heavily on social engineering, a technique that utilizes psychological manipulation to exploit human trust and circumvent security measures. The scammer often researches their target to make the scam more believable, gathering details from public sources, such as social media and company websites, to mimic the tone, language, and context of a legitimate person or organization.

Common tactics include:

  • Email Spoofing and Forged Headers: Scammers can create fake email addresses that are very similar to legitimate ones by changing a single letter or using a different domain code (e.g., your-bank.com vs. your_bank.com). They can also alter email headers to make it appear as if the message is from a trusted source, like a high-level executive or a vendor.

  • Urgency and Emotional Manipulation: Impersonation scams often create a sense of urgency to pressure the victim into acting without thinking. For example, a fake email from a CEO might demand an immediate wire transfer for a "confidential" project.

  • Multi-channel Engagement: Attackers may use a combination of methods, such as a phishing email followed by a phone call to "confirm" a fraudulent request, to increase the scam's credibility. Scams can also extend beyond email to include fake social media profiles, fraudulent mobile apps, and malicious search engine ads.

Types of Impersonation Scams

  • Business Email Compromise (BEC): A scammer impersonates an executive, a vendor, or a business partner to trick an employee into sending a wire transfer or sensitive data to a fraudulent account.

  • CEO Fraud: This is a type of BEC where the scammer poses explicitly as a C-suite executive, like the CEO or CFO, to exploit an employee's respect for authority and get them to authorize a fraudulent transaction.

  • Vendor Impersonation Fraud: A scammer impersonates a legitimate vendor to change payment details and divert payments to their own account. This often goes unnoticed until the real vendor reports a lack of payment.

  • Bank Impersonation Scams: A scammer pretends to be from a bank's fraud department, advising the victim to transfer their money to a "safe" account to protect it from a supposed breach.

  • Tech Support Scams: A scammer poses as a representative from a tech company to convince a user that their computer is infected with a virus. They then ask for remote access to the device or demand payment for a "fix."

ThreatNG helps with impersonation scams by providing an external, attacker-centric view of an organization's digital footprint. It proactively identifies vulnerabilities and risks that a scammer could use to impersonate a company, its employees, or its brand.

External Discovery and Assessment

ThreatNG's External Discovery acts as the initial phase in preventing impersonation scams. It identifies and maps an organization's publicly exposed assets, providing an external perspective that is crucial for anticipating an attacker's moves. This process can reveal misconfigured assets that could be vulnerable to impersonation.

The platform's detailed assessments provide specific examples of how it identifies and helps an organization address impersonation risks:

  • BEC & Phishing Susceptibility: This assessment is directly tied to impersonation. It uses Domain Intelligence, Email Intelligence, and Dark Web Presence to find signs of a planned scam. For example, ThreatNG can discover a domain like mycompaany.com, which is a misspelled version of a legitimate company's domain, and flag it as a potential phishing site intended to impersonate the company.

  • Brand Damage Susceptibility: This assessment, derived from attack surface intelligence and digital risk intelligence, identifies domains that use offensive or critical language that could be exploited for brand impersonation. For instance, it could discover a domain like boycott-mycompany.com being used in a scam campaign.

  • Mobile App Exposure: ThreatNG evaluates mobile apps in marketplaces for exposed credentials and other sensitive data. It can identify if a malicious app is impersonating a company's brand and if it contains exposed credentials, such as a Stripe API Key, which could be used for financial fraud.

Reporting and Continuous Monitoring

ThreatNG offers a range of reports designed to aid in the prevention of impersonation scams, including Executive and Technical reports. These reports highlight risk levels and provide recommendations for mitigation, enabling a security team to respond to critical threats promptly.

The platform’s continuous monitoring is vital for staying ahead of impersonation scams. It constantly tracks an organization's external attack surface and digital risk, ensuring that new threats, such as newly registered fraudulent domains or exposed credentials, are detected and flagged as soon as they appear.

Investigation Modules

ThreatNG's investigation modules provide the detailed analysis needed to combat impersonation scams:

  • Domain Intelligence: This is a key tool for identifying impersonation. It can identify and group newly registered Domain Name Permutations, which are variations of legitimate domains that scammers often use to trick users.

  • Sensitive Code Exposure: This module scans public code repositories for exposed sensitive data like API keys, access tokens, and cloud credentials. For example, finding a leaked GitHub Access Token could alert an organization that an attacker might try to use it to impersonate a developer.

  • Dark Web Presence: This module monitors the dark web for mentions of the organization and associated compromised credentials. This provides a critical early warning that an attacker might use stolen credentials to impersonate an employee and conduct a scam.
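The lookalike-domain matching that the Domain Name Permutations grouping and the BEC & Phishing Susceptibility assessment describe, as an added example rather than ThreatNG's own code: constructed sender addresses from a mail gateway log are compared against an assumed legitimate domain, flagging hyphen, homoglyph, TLD-swap and single-typo variants such as the page's mycompaany.com.

```python
# Constructed sample sender addresses as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "ap@mycompany.com",          # genuine
    "jane.doe@mycompaany.com",   # extra letter (the page's own example)
    "billing@my-company.com",    # hyphen inserted
    "support@mycompany.co",      # TLD swapped
    "payroll@rnycompany.com",    # 'rn' mimics 'm'
    "news@example.org",          # unrelated third party
]
LEGIT_DOMAINS = {"mycompany.com"}  # assumption: the organisation's real domains
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}  # look-alike sequences

def split_domain(domain):
    # Split 'label.tld'; assumption: single-label TLDs, no public-suffix list.
    label, _, tld = domain.lower().strip().rstrip(".").rpartition(".")
    return label, tld

def normalise(label):
    # Drop hyphens and collapse homoglyph sequences so variants compare equal.
    label = label.replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    # Optimal string alignment distance: insert, delete, substitute, adjacent swap.
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_domain(domain, legit=LEGIT_DOMAINS):
    """Return 'legit', 'lookalike' or 'unrelated' for one sender domain."""
    if domain.lower() in legit:
        return "legit"
    label, _ = split_domain(domain)
    for good in legit:
        glabel, _ = split_domain(good)
        if normalise(label) == normalise(glabel) or osa_distance(label, glabel) <= 1:
            return "lookalike"
    return "unrelated"

def find_lookalike_senders(senders=SAMPLE_SENDERS):
    # Flag every address whose domain is a permutation of a legitimate one.
    return [s for s in senders if classify_domain(s.rpartition("@")[2]) == "lookalike"]
```

The same classifier can be pointed at newly registered domains from a registration feed instead of mail-log senders to surface permutations before they are used.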

Intelligence Repositories

ThreatNG's DarCache intelligence repositories provide the foundational data that powers its capabilities for preventing impersonation scams.

  • DarCache Rupture (Compromised Credentials): This repository contains a database of compromised credentials. By continuously checking this, an organization can proactively identify if employee credentials have been leaked and force password resets, preventing an attacker from using them to impersonate an employee in a scam.

  • DarCache Ransomware: This repository tracks over 70 ransomware gangs and their activities, providing organizations with intelligence on new tactics and events that may involve impersonation.

Complementary Solutions

ThreatNG can work with complementary solutions to build a more comprehensive defense against impersonation scams. For example, if ThreatNG’s Domain Intelligence module identifies a suspicious domain name permutation, that information can be sent to a Security Orchestration, Automation, and Response (SOAR) platform. The SOAR platform could then automatically send a takedown request to the domain registrar and add the domain to a block list, preventing it from being used in a scam.

Similarly, if ThreatNG's Dark Web Presence module identifies compromised credentials, that intelligence can be sent to a Security Information and Event Management (SIEM) system. The SIEM can then be configured to automatically suspend the affected account or trigger a multi-factor authentication prompt, which would prevent a potential impersonation scam from causing harm.
