Reading Time: 6 min

Impersonation attacks have been on the rise in the past decade, with established corporate giants and government agencies in the line of fire. The Federal Trade Commission’s Consumer Sentinel Network is constantly wary of thousands of impersonation scams being reported to them, targeting these companies and government bodies. 

The problem with these attacks is that they play on human psychology making them very hard to detect and stop. Moreover, scammers are getting more and more technologically sophisticated in their impersonation techniques. This is ultimately increasing the success rate of scams. 

Poor security practices in organizations and lack of awareness among employees are common reasons that contribute to successful impersonation scams. So much so that in 2023 alone, FTC shows 330,000 instances of business impersonation scams and 160,000 instances of government impersonation scams being reported to them! In their Consumer Protection Data Spotlight, FTC disclosed the total cost associated with these attacks in the past year surpassed $1 Billion. 

What are Impersonation Scams? 

Impersonation scams are cyber threats where an attacker impersonates an organization, institution, or individual to trick victims into disclosing sensitive information. Impersonation scams are typically charged by a financial motive or to gain access to an organization’s internal systems and information. 

Who Are Targeted?

In reality, everyone can be impersonated online. However, keeping the motive of profitability in mind, cyber attackers typically impersonate the following popular targets in scams: 

1. Well-known private companies 
2. Government agencies
3. Banks and financial institutions 
4. Colleges, Universities, and other educational institutions 
5. High-ranking corporate executives (CEO, CTO, CFO)
6. Friends and family 

What Methods Are Used?  

To carry out impersonation scams attackers may use the following methods: 

1. Email phishing: Phishing emails are usually sent from forged or spoofed domain names, impersonating real organizations to defraud their existing or potential customers.

2. Vishing/Smishing: Similar to phishing, but carried out over phone calls or SMS, attackers impersonate legitimate sources to extract sensitive information. 

3. Social media: Impersonation is very rampant on social media, with fraudsters making fake profiles of existing users to spread misinformation or trick friends and family. Account hijacking is another way social media impersonation scams can be perpetrated. 

What Are The Goals? 

The ultimate goal of impersonation scams is to: 

1. Steal sensitive information like login credentials, account passwords, credit and debit card details, etc. 
2. Steal or wire money from victims and organizations 
3. Manipulate victims into downloading ransomware and malware into their systems
4. Identity theft 

Top 5 Impersonation Scams Reported by Consumers to FTC in 2023 

FTC in their Data Spotlight report, enlisted the following scams which were most popularly reported by consumers in the year 2023: 

1. Fake Account Security Alerts 

Suppose you receive a message from your bank stating that you transferred X amount of money, asking you for a confirmation whether you have made this transaction. This is quite a standard message sent by banks when you make a transaction, for security purposes. Only the message is not really from your bank. This time it’s from an attacker impersonating your bank to trick you into transferring your funds. 

2. Fake Account Renewal Alerts

You had a Netflix account that you hadn’t renewed in a while and you get a sudden alert from Netflix informing you that they are going through with an auto-renewal that will deduct money from your account. This is startling and will immediately urge you to take action. This fake alert from a scammer impersonating Netflix is inspired by similar impersonation scams reported by consumers to the FTC. 

3. Incredible Discount offers, Sale, and Gift Coupons 

If you are not living under a rock, this scam wouldn’t be new to you. We often receive messages and emails from e-commerce companies about the latest Sale and discounts. While some are genuine, most of these messages are scams! It is important to stay cautious and look for warning signs like suspicious links and attachments. Other dead giveaways can be poorly written messages, grammatical errors, and offers that may seem too good to be true! 

4. Package Delivery Issues 

Between 2023 to 2024, there was a huge surge in package delivery issue scams. This scam looks quite harmless. A package delivered in your name missed the delivery and you are informed to pick it up manually from your local post office. The message usually has a link attached to it with more details about your package. But the truth is there is no package and the link may lead you to a phishing website to steal your credentials or start downloading malware on your system! 

5. Trouble with the Law Scares

Stress and duress often lead to bad or lack of judgment. This is the motivation behind this time of impersonation scams. Scammers impersonating law enforcement agencies charge innocent individuals for getting involved with the law in some way. Confused victims do whatever the scammers say to stay out of trouble and defend themselves. 

FTC Introduces New Rule on Government and Business Impersonation

On April 1, 2024, the FTC finally rolled out the new rule on government and business impersonation. They introduced strict actions to prevent impersonation scams and minimize financial losses incurred by consumers. Here are the key takeaways at a glance: 

1. The FTC can take legal action against perpetrators to get refunds on money stolen from scammed consumers 
2. FTC is continuously trying to protect and educate consumers on the various types of impersonation scams so they are better informed and equipped
3. FTC is also accepting public comments till 30th April on their trade regulation rule on impersonation for more consumer insights

Email: A Primary Medium for Impersonation Scams

FTC highlights email and text messages as the two primary mediums for impersonation scams post-2020. While phone call scams were popular earlier, they have experienced a steady decline in frequency with email and SMS scams being on the rise!

But why do attackers choose email? Email is a potent medium for cyber attacks since it is used too often in personal and professional environments. More than 300 Billion emails are sent per day with 4 billion+ active email users worldwide! This makes email a popular medium for scammers to vet out potential victims. Other factors that make email a popular choice are: 

1. Lack of awareness on email fraud 
2. Poor email security practices in organizations and government agencies 
3. Lack of support for advanced domain authentication protocols 

How to Prevent Email Impersonation Scams?

There are two main approaches to prevent email impersonation: being cautious about the emails you receive and making it harder for scammers to impersonate legitimate senders (this applies more to organizations).

For individuals, here are some tips:

• Be alert to red flags: Scammers often create a sense of urgency or pressure to trick you into acting quickly without thinking. Watch out for emails with bad grammar, misspellings, or unexpected requests for money or personal information.
• Verify sender addresses: Don’t just rely on the sender name. Look closely at the full email address. Scammers can easily spoof sender names to make them look legitimate.
• Don’t click on suspicious links or attachments: Hover over links before clicking to see the real destination URL. Never download attachments from unknown senders.
• Be wary of unsolicited emails: If you receive an email from someone you don’t know, be especially cautious. 

For organizations, there are additional technical measures that can be implemented:

• SPF authentication: SPF helps to verify that emails claiming to be from your domain are sent from your authorized servers.
• DKIM authentication: DKIM helps to verify that emails are not tampered with during transactions and that the message content has stayed intact
• DMARC: DMARC builds on SPF and/or DKIM and lets you specify how email receivers should handle unauthenticated emails from your domain.
• Educate employees: Train staff to be aware of email impersonation scams and how to spot them.

While technical protocols can require time, effort, and resources to configure along with knowledge and expertise – organizations make the process easier with a DMARC analyzer. This tool helps you set up, monitor, and manage email authentication easily for single or multiple domains. Moreover, it is a faster, cost-effective, and safer solution to transition from non-enforcement to enforcement policies. This to an extent protects you against email impersonation scams. 

Final Words

The FTC is continuously trying to assist victims of impersonation scams and spreading awareness of cyber threats. As highlighted by them, it is important to remember that the commission will never demand money, blackmail you, use force, or offer you rewards. Hence if you receive an SMS, email, or phone call from someone claiming to be FTC and acting suspiciously, beware! You can immediately contact the FTC helpline numbers mentioned on their official website for assistance. 

Finally, remember to always preach and practice safe digital communication, stay aware, and invest in good cybersecurity tools. Prevention is always better than cure, and taking the right steps now can help you save damages in remediation costs in the future!

*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Yunes Tarada. Read the original post at: https://powerdmarc.com/ftc-report-impersonation-scams/