Impersonation – CompTIA Security+ SY0-701 – 2.2

Attackers use impersonation to make themselves appear to be someone different. In this video, you’ll learn about some of the most popular impersonation and fraud-based attacks.


Let’s step through a number of different phone calls that individuals have received that use a particular pretext. Of course, a pretext is one where there is an actor, and there’s a story that they tell. These are actual scam calls taken from YouTube videos that are publicly available, and they’re probably very similar to ones that you may have received. The first one is, “Hello, sir. My name is Wendy. And I’m from Microsoft Windows. This is an urgent checkup call for your computer as we have found several problems with it.”

Obviously, this is not Wendy, and Wendy is not from Microsoft Windows. Another one says, “This is an enforcement action executed by the US Treasury intending your serious attention.” Bad grammar aside, it’s very unlikely that this voicemail was indeed left by the US Treasury.

And lastly, “Congratulations on your excellent payment history.” Well, already we know that this is not accurate. “You now qualify for 0% interest rates on all of your credit card accounts.” And again, this is not someone from a credit card company or a financing company. This is all someone taking advantage of impersonation. Impersonation is when an attacker is pretending to be someone that they’re not.

This may be used to make you more trusting. For example, they could call and say they’re from your company’s help desk, and they understand there are some problems that need to be resolved on your system. Obviously, they’re not from your company’s help desk, but if you believe they work for the same company as you, that immediately provides some level of trust.

Or they may call you and say that they are the vice president for finance, or they’re responsible for manufacturing within your organization. They’re obviously not from your organization, but by introducing themselves as someone higher in rank, they’re hoping that you will, without thinking, provide them with the information they need.

Or the attacker may be using impressive-sounding terms or technical details to get you thinking more about what they’re saying rather than about whether this call is indeed legitimate. Attackers use impersonation all the time to make you more comfortable with the conversation, or to get you to provide information to someone who seems more trustworthy than some stranger calling you from outside.

One of the goals of the attacker is to elicit information from the person they’re calling. They’re looking for a piece of information or an important detail that they normally would not have access to. This is very commonly seen with voice phishing, or vishing, where someone is calling with a story that eventually will get you to give up your credit card number, your Social Security number, your bank details, or other important and sensitive information.

But obviously, the attacker can’t simply ask, “So, what’s your bank account number?” Instead, they need to have a story about how it’s important that they get your bank account number because there’s been a problem sending a payment to a particular third party. And somewhere in this entire story, they’re getting you to trust them and provide your banking information.

Another use of impersonation is for the attackers to take advantage of identity fraud. This is when they’ll pretend to be you, using your private information, to open accounts in your name. But in reality, the attacker is the one opening these accounts. For example, an attacker might open a credit card account in your name with your information but use their own address, so the credit card is mailed directly to the attacker. They’ll then use this credit card to purchase products and services, and of course, the attacker has no intention of paying for any of these.

All of this will appear on your credit report as nonpayment for an account that you allegedly opened. Attackers can also use identity fraud to open up their own bank account under your name. By using your personal information, they now have a bank account that they can use to store the funds from their illegal activities. And they can now use that checking account and their position as a customer with the bank to open up loans. Those loans, of course, would be under your name, but the attacker is going to take the money from that loan and use it somewhere else.

Identity fraud could also be used with government agencies for the attacker to get benefits under your name. This is commonly seen with things like tax fraud, where the attacker will file your tax forms as you, and they’ll receive the overpayment to their own account. They effectively have gotten your tax refund before you have a chance to file.

There are a number of steps that you can use to help prevent impersonation. One is to not volunteer information. If somebody calls and tells you they’re from the help desk and they need your password in order to fix a problem on your computer, then they’re probably phishing for information, because a legitimate support team does not need your password to gain access to your system. You should also not give away any of your personal information over the telephone, email, or any other method.

The attackers would love to get information about your address, your Social Security number, your birthday, and other important details that they can then use to open up accounts in your name. And if you think the person contacting you is legitimate, but you’re uncomfortable providing personal information, you might want to do your own verification. Most of the time, you can tell the person you’d like to verify them, and then check a publicly listed phone number for their organization to make sure that the person contacting you really is who they claim to be.

The process of verification is one that should be a normal process within your organization. No one should take a phone call at face value, especially if that phone call is looking for financial information or sensitive details.