
Digital Deception: Corporate Risks and Defenses

Online impersonation is a multi-billion-dollar risk that threatens corporate security and public trust. It occurs when a threat actor or threat group adopts the identity of a trusted individual or brand in order to exploit that trust for financial gain, to damage public reputation, or to gain unauthorized access to restricted, sensitive information.
Threat actors target a wide range of entities; according to a 2023 Cloudflare report, social media, technology, financial services, and luxury goods brands are commonly impersonated, although other business, government, and non-profit organizations are regularly mimicked as well.
Preventing overexposure of PII (Personally Identifiable Information) and identifying impersonation attempts early are the best ways to protect yourself, your data, and your corporate reputation from online threat actors.
The Damage and Scope of Online Impersonation
Unprotected personal data is at risk of being leveraged for an impersonation attack, and the number and complexity of these attacks continue to rise.
The Federal Bureau of Investigation, in its 2023 Internet Crime Report, estimated that impersonation attacks resulted in $5.2 billion in losses when factoring in business email compromise attacks, personal data breaches, identity theft, and other phishing attacks. No doubt spurred by lucrative prospects, impersonation attacks are increasing year over year by 85%, according to the Federal Trade Commission.
If online threat actors collect enough personal or corporate information, they can create fake accounts of nearly any entity. The barrier for these types of attacks can be as low as creating a fake, but believable, X (Twitter) account to fool users into thinking that the threat actor is a legitimate spokesperson for the company.
Beyond fake social media accounts, more advanced impersonation attacks may involve direct contact with company personnel using spoofed phone numbers, or fake emails posing as a company leader to elicit sensitive information.
Threat actors have gone as far as creating fake company websites to redirect both customers and employees, in hopes that users will unknowingly enter personal information such as login or payment credentials.
Online Impersonation Attacks Can Cost Millions
Impersonation attacks are becoming increasingly sophisticated, target all levels of corporate organizations, and highlight the vulnerabilities in existing corporate systems and processes.
In an elaborate scheme last year, threat actors attempted to impersonate the CEO of the world's largest advertising group, WPP.
- According to The Guardian, the attack used CEO Mark Read’s publicly available pictures and videos of his public appearances to generate an AI voice clone. The threat actors set up a WhatsApp account and a Microsoft Teams meeting using the CEO’s persona to appear legitimate, and then sought to convince a senior executive to transfer money into a fraudulent business account.
- Luckily, the executive recognized the request was not legitimate, so he did not transfer the funds and alerted other executives about a potential scam.
While less sophisticated at face value, a 2023 attack against Caesars Entertainment was far more effective and destructive.
- An online threat actor impersonated a low-level IT worker to gain unauthorized access to the company’s network. Once the actor was inside the network, they deployed ransomware to effectively shut down Caesars Entertainment’s business operations for days.
- According to Forbes, the threat actors impersonated the employee by taking information from their LinkedIn profile and asked the firm’s IT help desk for renewed access.
- The ransomware attack cost the company an estimated $15 million and exposed numerous loyalty program members’ social security numbers, an exposure of customer data that damaged the brand’s reputation.
In a 2022 incident, an online threat actor successfully impersonated an actual pharmaceutical company, Eli Lilly.
- According to The Washington Post, the threat actor created an X account with a handle very similar to Eli Lilly’s real handle, and purchased a blue checkmark from X that lent the perception of legitimacy to the profile. They then posted a fake announcement stating that insulin was free.
- According to Forbes, the reposts and media exposure generated by the fake social media account caused Eli Lilly’s stock price to decrease 4.37% in a single day. Eli Lilly lost an estimated $15 billion in market capitalization.
How to Protect Yourself and Your Business
Employees must both avoid falling for impersonation scams and be aware of their own online data to avoid impersonation by threat actors.
The best way to stop impersonation attacks is by denying the actors the information they seek, and identifying the accounts that threat actors use before they build enough credibility to deceive other employees or customers. Every employee can take these steps to better protect their company from online impersonation threats:
- Always be aware of who you are interacting with by verifying the sender’s email address to confirm it is from a known domain.
- Always use multi-factor authentication for online accounts. This provides an extra layer of security and helps prevent compromised passwords from being used to gain unauthorized access to accounts and networks.
- Avoid sharing personal information via email or clicking on suspicious links, as threat actors use social engineering to pressure individuals into clicking phishing links.
In particular, limiting access to executives’ PII will make it harder for threat actors to impersonate senior principals.
Here are some best practices for executives to limit unintentional PII exposure that could jeopardize corporate security and operations:
- Minimize exposure of your PII online, including data points that could be used to generate a convincing phishing campaign against you or to impersonate you. This includes PII you may be exposing on your social media profiles, in public records, and in data aggregators.
- Maintain separate personal and professional social media profiles, so that your personal profiles are not publicly identifiable. Your professional, public-facing profiles should not contain any PII.
- Monitor the major social media platforms for accounts using an executive’s likeness to impersonate them. Report each account to the platform for removal immediately.
Author Steven Duke