Impersonation Tactics and Examples

How do you recognize an impersonation attack? You should be suspicious if someone makes an unusual request, especially if it could compromise information security. Unfortunately, you should be suspicious if someone is acting particularly friendly toward you in order to gain your trust. They may actually just be an innocent friendly person, but you should not let down your guard. You should also be wary of a new acquaintance who was especially interested in the details of your work or how your workplace operates.

Also, be suspicious if someone purporting to be in a position of authority over you asks you to do something that would be a violation of your organization’s policies or procedures, whether it is someone within your organization who claims to be in management or someone posing as perhaps a police officer or an auditor of some type. The social engineer patiently pieces together all the fragments of information that they can find into a coherent picture. Each victim who gives them information considers what they say or do to be harmless. So the combination of details gives the impersonator what they need to become powerful. The more information they have, the better they can avoid detection.

Impersonators can spend a lot of time researching their target. And you’ll see that in an example later. They find information about your company by doing the following things, perhaps stalking employees on social networking sites, looking at company websites, doing an email phishing scam, phone pretexting, which is calling and setting an appointment of some type so you’re expecting them to arrive, dumpster diving, which we just discussed, eavesdropping on employee conversations, and from black market websites or other social engineers. This is an interesting example of impersonation, the case of Mia Ash, a young London-based student photographer. Mia is working on an exercise which requires her to reach out to people around the globe.

She uses her Facebook and LinkedIn accounts to make contact primarily with Middle Eastern and Asian men between the ages of 20 and 40. Mia asks her new friends for help completing another assignment by sending a Microsoft Excel document copy of photography survey.xlsm. But it needs to be opened at work so that it functions correctly. Mia Ash is not a real person. She’s a false persona created by the Iranian Advanced Persistent Threat Group Cobalt Gypsy. The document that she sends installs a remote access Trojan called PupyRAT, which creates a backdoor into the company computer network to steal information. This is a more typical example. Imagine you’re a receptionist at your company.

And these friendly HVAC contractors show up and tell you that they got a call that your HVAC system failed, and your server room is overheating. This actually happened at my previous employer, so it is a completely believable scenario. This would, of course, be an emergency. Because if the server room is too hot, your servers could overheat, which could have disastrous consequences for your company. Not only might you let them in, you would probably even call ahead to your IT department and tell them that the contractors need access to the secure server room.

With this knowledge of what impersonation is and how it’s used, let’s discuss how to protect yourself from social engineers who create elaborate scenarios, win each detail, and are driven to steal. By following some common sense rules and using your best judgement, you can defend against these attacks and better protect yourself, your company, and your customers’ information. When in doubt about the validity of an individual or request, contact your manager, or the manager of the requester, for authority to comply with their request. Never give out passwords. Technical support personnel do not ever need your password or other information related to accessing your system. Avoid revealing information, especially out of trust or fear. Ensure the physical security of your premises.

Don’t enable tailgating as we discussed earlier. “Ask yourself who is this? And why are they here?” If you’re unsure about a person’s authorization or access permission, report the situation to the appropriate staff. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Adopt a healthy dose of scepticism for anything out of the ordinary, especially strangers who endear themselves to you. Adhere to the policies and procedures within your organization that stipulate how you should manage situations. That could possibly be social engineering attacks. In conclusion, you have learned what impersonation is, what objectives attackers are aiming for in impersonation, and who is at risk for impersonation attacks.

We discussed red flags and warning signs of an impersonation attack and went over examples as well as what you can do to protect yourself from an impersonation attack. We’ve come to the end of this course. And I hope you have gained some valuable information to protect yourself and your organization from several different types of attacks. We first discussed phishing and then explored several different forms of phishing, including spearphishing, whaling, smishing, and vishing. Then we talked about several types of social engineering attacks that you should be aware of, including dumpster diving, tailgating, baiting, and impersonation. I’ve enjoyed teaching you and hope you have enjoyed learning some new techniques to keep yourself and your organization safe.