Impersonation

Impersonation is a social engineering technique where an attacker pretends to be someone else, often a trusted individual or authority figure, to gain access to sensitive information or resources. This can involve posing as a co-worker, a technical support representative, a customer, or a higher-level executive. By assuming a false identity, the attacker leverages trust and authority to manipulate individuals into providing confidential information or performing actions that benefit the attacker.

The classic impersonation attack is to phone a department, claim that something on the user’s system needs to be adjusted remotely, and talk the user into revealing their password. This specific attack is also referred to as pretexting.

Pretexting

Pretexting is a form of deception where an attacker creates a plausible scenario or pretext to trick individuals into performing certain actions. The attacker typically creates a false story, posing as a trustworthy individual or organization, to gain the target’s confidence. They may use social engineering techniques, such as building rapport, exploiting curiosity, or appealing to sympathy, to manipulate the target into sharing personal data, account credentials, or financial information.

Identity fraud

Identity fraud is a specific type of impersonation where the attacker uses particular details of someone’s identity.

Identity fraud involves stealing and misusing someone’s personal information to carry out fraudulent activities. Attackers gather personal details, such as Social Security numbers, addresses, bank account information, or credit card details through social engineering techniques or data breaches. With this stolen information, they assume the victim’s identity to make unauthorized transactions, open fraudulent accounts, or engage in other illegal activities, causing financial and reputational harm to the victim.

Invoice scams

Another type of identity fraud is invoice scams, also known as invoice fraud or business email compromise (BEC), which target businesses by manipulating their invoicing processes. Attackers may impersonate a known vendor, a company executive, or a trusted partner and send fraudulent invoices or payment requests to the organization. The invoices often contain altered bank account details or request urgent wire transfers. If successful, the attacker diverts funds into their accounts, leading to financial loss for the targeted organization.

In attacks on corporate networks, identity fraud most often involves the compromise of an online account. Even without malware, a variety of social engineering approaches can be used to obtain account credentials.

Other than simply asking a user for their credentials, some of these tactics include:

  • Credential databases: account details from earlier breaches are readily available in credential databases (haveibeenpwned.com). Hoping that the target has reused a password, an attacker can try to find that target in one of these databases. The attacker could also use impersonation on third-party websites; for instance, they could take over a social media account rather than a work account.

  • Shoulder surfing: a threat actor may obtain a password or PIN (or other secret information) by watching the user type it. Despite the name, the attacker does not have to be close to the target; they might use high-powered binoculars or CCTV to observe the target from a distance.

  • Lunchtime attacks: if a user leaves a workstation unattended while logged in, an attacker can gain physical access to the system. Most operating systems are configured to launch a password-protected screen saver after a period of keyboard and mouse inactivity. Users should also be taught to lock or log off their computers whenever they leave them unattended.
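The credential-database tactic above is also the basis of a defensive control: checking a candidate password against known breach data before it is accepted. The following is an added example, not code from the original page, written to show the k-anonymity lookup scheme that the haveibeenpwned.com Pwned Passwords service uses (only the first five hex characters of the SHA-1 hash leave the client; the client matches the returned suffixes locally). The breach corpus, its counts, and the `query_range` stand-in for the remote API are constructed for this example so that it runs offline.

```python
"""Check a candidate password against a breach corpus without revealing it.

Added example (not part of the original page). The "server" side is a
constructed in-memory index standing in for the Pwned Passwords range API;
the counts below are made up for illustration, not real breach statistics.
"""
import hashlib

# Constructed breach corpus: password -> number of times seen in breaches.
# (Made-up counts; a real check would query the remote /range/{prefix} API.)
CONSTRUCTED_CORPUS = {
    "password": 12,
    "123456": 7,
    "qwerty": 4,
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group hashed passwords by 5-character prefix, as the service does."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def query_range(prefix: str) -> str:
    """Stand-in for the remote range lookup: returns 'SUFFIX:COUNT' lines
    for every stored hash that starts with the given 5-character prefix."""
    rows = sorted(RANGE_INDEX.get(prefix, []))
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def breach_count(password: str, range_fn=query_range) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the hash prefix is sent to range_fn; the full hash never leaves
    this function, which is the k-anonymity property of the scheme.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_fn(prefix).splitlines():
        if not line:
            continue
        stored_suffix, count = line.split(":")
        if stored_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(password: str) -> bool:
    """Policy helper: reject any password seen in the breach corpus."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "hit(s)")
```

Swapping `query_range` for a function that performs the real HTTPS range request turns this into a production check; the matching logic stays the same, and the server still only ever learns the five-character prefix.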

To protect against identity fraud and compromise of computer accounts within corporate networks, organizations should implement the following security measures:

  • Strong authentication: Enforce the use of strong passwords or implement multi-factor authentication (MFA) to add an extra layer of security.

  • Security awareness training: Educate employees about the risks of phishing, social engineering, and the importance of secure password practices.

  • Regular password changes: Encourage regular password updates to mitigate the risk of long-term compromises.

  • Account monitoring: Implement security measures to detect suspicious account activities, such as unusual login patterns or access from unfamiliar locations.

  • Least privilege principle: Follow the principle of granting employees the minimum level of access necessary to perform their tasks, reducing the potential impact of compromised accounts.

  • Regular security updates: Keep systems and software up to date to patch known vulnerabilities that attackers may exploit.
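The "Account monitoring" item lists unusual login patterns and access from unfamiliar locations as the signals to detect. The following is an added example, not code from the original page, showing what those two detections look like when run over authentication log lines. The log format (`timestamp user country result`) and the sample lines are constructed for this example; a real deployment would feed it from an identity provider's sign-in log.

```python
"""Flag suspicious login activity in an authentication log.

Added example (not part of the original page). Two detections:
  1. a successful login from a country the user has never logged in from;
  2. a successful login preceded by a burst of failures in a short window.
The log format and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, source country, result.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice DE success
2024-05-01T08:40:53Z bob DE success
2024-05-01T09:15:02Z alice DE success
2024-05-02T03:11:45Z alice BR failure
2024-05-02T03:11:52Z alice BR failure
2024-05-02T03:12:01Z alice BR failure
2024-05-02T03:12:09Z alice BR failure
2024-05-02T03:12:20Z alice BR success
2024-05-02T10:00:00Z bob DE success
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_unfamiliar_location(events: list) -> list:
    """Alert on the first successful login from a country not previously
    seen for that user. Returns (user, country, timestamp) tuples."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        known = seen[e["user"]]
        if known and e["country"] not in known:
            alerts.append((e["user"], e["country"], e["ts"]))
        known.add(e["country"])
    return alerts


def detect_failure_burst(events: list, threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on a success preceded by at least `threshold` failures for the
    same user within `window`. Returns (user, failure_count, timestamp)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_failures = [
                f for f in evs[:i]
                if f["result"] == "failure" and e["ts"] - f["ts"] <= window
            ]
            if len(recent_failures) >= threshold:
                alerts.append((user, len(recent_failures), e["ts"]))
    return alerts


def run_detections(text: str) -> dict:
    """Run both detections over a log and return the alerts by name."""
    events = parse_log(text)
    return {
        "unfamiliar_location": detect_unfamiliar_location(events),
        "failure_burst": detect_failure_burst(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_LOG).items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

Both detections fire on the same event in the sample (alice's first login from BR after four failures), which is the kind of correlation that should raise the priority of an alert; either signal alone is weaker evidence than the two together.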