This year, ‘Scams Awareness Week’ is spotlighting impersonation scams, and the ACCC and ScamWatch are promoting the theme 'Who's really there?'.
Impersonation scams come in all shapes and sizes. They are where scammers pose as the brands or people most familiar to us: the trusted businesses that we know and love, or friends, family, or work colleagues, aiming to steal money, personal information or sensitive credentials that might provide access to vital assets or data.
ScamWatch define impersonation scams as 'where scammers pretend to be trusted businesses, friends or family to steal your money or personal information. Impersonation scammers can reach you on all mediums such as text message, websites, social media, email and phone calls. Scammers often pretend to be government officials, well-known companies, charities, celebrities, law enforcement or even family and friends.'
They are essentially the good old-fashioned con artist, but in today’s digital age they take advantage of all that technology offers to deceive you. It may be in the form of an SMS text message, a fake website or eCommerce portal, a social media post, a phone call, or of course an email. Or it may even be a combination.
Scammers can even pretend to be government officials, charities, celebrities or law enforcement. Sadly, they have no moral barriers, and are willing to do whatever it takes to penetrate your defences.
Let’s look at some of the more common forms of impersonation employed in email scams.
1. Phishing Attacks (or vishing, smishing, quishing, and other variants)
Phishing attacks are the ultimate form of impersonation, and probably the most prolific. They’re when someone sends you an email pretending to be someone else. Typically, they’re impersonating a well-known and trusted brand or service, like an energy company, a bank or finance company, a phone company, a parcel delivery service, a government agency or provider, or a streaming platform like Netflix. Try to think of something you can’t live without, and that company is likely to be spoofed in a phishing attack.
They generally come as an email, although there are a range of variants, like smishing, which is phishing using SMS messages, or quishing, which is phishing with embedded QR codes. Bad guys will use whatever it takes to try and optimise their campaigns.
Grammatical errors are a tell-tale sign of a scam; however, the rise of AI services like ChatGPT means that those easy giveaways are occurring less frequently.
They will also normally include some kind of urgent call to action, such as a warning that your electricity is about to be cut off, or that your Netflix subscription is about to be cancelled. Or conversely, they may tout good news like a generous tax return or reimbursement. All just a click away.
Once you’ve taken the bait and clicked the link, they will direct you to a phishing site. It’s a landing page or website designed to look like the company that they’re spoofing, and those pages can be very convincing replicas.
Phishing sites are designed to harvest your sensitive credentials, like credit card details, personal identity information like your name, address and date of birth, and/or your username and passwords. They may even send you a false verification link to capture the SMS verification number that you have received on your mobile from a legitimate service, so that they can complete transactions using the information that you have inadvertently disclosed.
Scammers will try to capture all of that information, or just part of it. They may then marry it up with a database that they have stolen elsewhere to launch follow-on attacks that are even more sophisticated, to compromise your accounts or to process fraudulent card transactions, or they may simply sell your information on to the highest bidder on the dark web.
2. CEO Fraud or Whaling
CEO Fraud, sometimes known as Whaling, is a targeted email scam where the cybercriminals impersonate a high-ranking executive within your organisation in an attempt to exercise their authority and influence to trick and coerce employees. To be clear, the person that the scammers are spoofing could also be a CFO or Financial Controller, a VP, or another person of high status in your org.
These scams often entail a degree of social engineering, which means that the bad actors behind the scam have spent many hours researching the person that they’re impersonating online, checking company updates on LinkedIn and learning about connections within their professional networks, perhaps identifying times when they are likely to be out of the office or away attending a conference, all so that their colleagues will find it harder to confirm the veracity of the fraudulent request.
The emails are generally an attempt to authorise a payment or funds transfer, although they may also seek to change payroll details or account details for invoices so that funds are diverted to an unintended account.
You can download our free whitepaper, ‘CEO Fraud: What Every Executive Needs To Know’, to learn more.
3. Business Email Compromise
Similar to CEO Fraud or Whaling, Business Email Compromise, or BEC, is where those perpetrating the scam are impersonating a particular individual. The NCSC define it as ‘where a criminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information.’
4. Identity Theft
Identity theft is when a criminal gains access to your personal information and uses it without permission for their benefit, financial or otherwise. So, it can impact a business, but it can also impact individuals.
Often identities are stolen and used in illegal activities, such as creating fake identity documents with your name, applying for real IDs, or getting loans, credit cards, and mobile phone contracts.
These sorts of scams can have devastating financial and emotional impacts on the victim and may remain unresolved or cause problems for years. According to ScamWatch, from January to September of 2022, Identity Theft was the 4th most commonly reported scam type in Australia and cost its citizens almost $8 million.
Emerging technologies like voice and image generation AIs, such as deepfakes, are making identity theft an even greater challenge. If you think you’re a victim of identity fraud, you can read our guide to find out what to do.
5. Account Takeover Attacks
An Account Takeover Attack is where a cybercriminal gains unauthorised access to an account and uses it to propagate attacks on others. These scams are particularly troublesome because the emails are emanating from a legitimate account, so in the early stages they are less likely to be intercepted by email filters and other security services.
Cloud services like MailChimp are common targets for such attacks, because the account owner is less likely to notice the activity, and the services will often contain a database or list of contacts that criminals can target, along with any other database of targets that they want to upload and include themselves.
Here’s an example of an email that was intercepted by MailGuard that was sent from a compromised MailChimp account and impersonating the account owner. In this instance, recipients could be forgiven for believing that the email is legitimate given that it is coming from a sender email address that is frequently used by the company.
Supply Chain Attacks are very common. They occur when cybercriminals compromise one company, with the intention of using that compromise to gain access to other companies in their supply chain.
Blackbaud and SolarWinds are two of the largest scale and highest-profile supply chain attacks in recent times.
SolarWinds, a software company with thousands of customers throughout the world, including government agencies and Fortune 500 companies, was hacked after attackers breached its networks and accessed the company’s proprietary IT software, Orion.
The attack involved inserting malware into legitimate updates for the Orion software, which allowed attackers remote access into the victims’ environments. Companies that applied the Orion updates, who were of course SolarWinds customers, also unwittingly installed the malware on their own systems. Reports state cybercriminals used the hacked SolarWinds program to infiltrate at least 18,000 government and private networks.
In the case of Blackbaud, which provides services for many corporations, charitable foundations, education institutions and healthcare entities, it was hit by a ransomware attack.
After the company’s self-hosted environment was infected with malware, its cybersecurity team was able to stop the attackers from encrypting the entire network, however, the hackers did manage to steal a subset of data prior to deploying the ransomware payload, including data belonging to Blackbaud’s customers. The breach resulted in millions of sensitive student, patient, and donor data records being compromised.
There are many other examples, because supply chain attacks often impact a large network of companies, as with Blackbaud and SolarWinds. In other instances, they may only seek to breach one particular target, often a smaller and less sophisticated supplier or contractor, with the objective of gaining access to a larger trading partner like a large corporate or government agency.
That was the case for mega-retailer Target, which was breached with over 40 million debit and credit card accounts being exposed, after cybercriminals compromised an HVAC (heating, ventilation & air conditioning) contractor that possessed login credentials for the Target network. Speculation at the time was that the practice of large retailers providing network access to HVAC contractors was not uncommon, so that they could monitor store temperatures and alarms, and communicate with staff.
According to the US National Institute of Standards and Technology (NIST), cyber supply chain risks include:
What’s the moral of the story?
Sadly, the moral of this story is that cybercriminals will do whatever it takes to trick someone into divulging sensitive credentials, making a payment or downloading malware. And the ramifications can be drastic.
As you would have noticed as we stepped through some of the more common types of email impersonation scams, there are lots of similarities between them.
The lesson to learn from it all is simply that you can’t judge a book by its cover. When it comes to online communications and emails, it is prudent to be cautious, with a healthy dose of suspicion. Take a few moments to think twice before clicking a link or sharing your details.
Aside from looking for the more obvious grammatical errors, use common sense to check if you are expecting a communication from the sender or company. If in doubt, don’t click. Pick up the phone and call to check or go directly to the company’s website to check your account status there.
And hover over the sender’s email address to check that it’s really from the person it purports to be, remembering that the display name can say anything and only the actual address counts. On the landing page that you’re directed to, check that the URL’s domain belongs to the company, not merely that the company’s name appears somewhere in it.
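As an added illustration of the sender and URL checks above (example code written for this article, not MailGuard’s own tooling), the Python below assumes Netflix is the brand being impersonated and that netflix.com is its genuine domain; the sample headers and links are constructed, not real messages.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the genuine registrable domain(s) of the brand the email claims to be from.
TRUSTED_DOMAINS = {"netflix.com"}


def host_belongs_to(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a real subdomain of one.

    'netflix.com.billing-update.example' merely starts with the brand name;
    it is controlled by whoever registered 'billing-update.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_is_trusted(from_header, trusted=TRUSTED_DOMAINS):
    """Judge the actual address in a From: header, never the display name."""
    _display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    return bool(domain) and host_belongs_to(domain, trusted)


def link_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """Judge the host a link really goes to.

    urlparse().hostname discards userinfo, so 'https://netflix.com@evil.example/'
    resolves to 'evil.example'. A link with no scheme cannot be verified and is
    treated as untrusted.
    """
    host = urlparse(url).hostname
    return host is not None and host_belongs_to(host, trusted)


# Constructed samples showing the common tricks this article describes.
SAMPLES = [
    ("From", "Netflix <info@mailer.netflix.com>", sender_is_trusted),
    ("From", "Netflix Support <billing@netflix.com.account-verify.example>", sender_is_trusted),
    ("From", '"netflix.com" <alerts@random-sender.example>', sender_is_trusted),
    ("Link", "https://www.netflix.com/account", link_is_trusted),
    ("Link", "https://netflix.com@secure-login.example/renew", link_is_trusted),
    ("Link", "netflix.com.billing-update.example/login", link_is_trusted),
]

if __name__ == "__main__":
    for kind, value, check in SAMPLES:
        verdict = "ok" if check(value) else "SUSPICIOUS"
        print(f"{kind:4} {verdict:10} {value}")
```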
For Scams Awareness Week, the ACCC and ScamWatch offer the following advice:
'Key signs of impersonation scams
How to avoid Impersonation scams
How to verify who you’re dealing with?
Victim support
Reporting impersonation scams
The important role of business in scam prevention
MailGuard urges users not to click links or open attachments within emails that:
Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One email is all that it takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.