Combating Impersonation Scams

Impersonation scams are on the rise and becoming more sophisticated. The phony (and relatively easy to detect) gift card solicitations—just to pick an example from a hat—haven't gone away entirely, but today's bad actors know that more savvy technology users have wised up to old tactics. Criminals have graduated from, say, impersonating your teammate or boss to impersonating customers and vendors.

Vendor Impersonation

An email impersonating a vendor may direct a recipient to send payments to a new bank account. Appearing to come from a known vendor contact, the sender's signature, including title and logo, can look totally legitimate. Even the sender's email address may look normal until more closely scrutinized, at which point a recipient might observe, "That’s an O, not a 0!". 

Customer Impersonation

Pretending to be a customer, a scammer may attempt to place a fraudulent order using a "new" shipping address. As with vendor impersonation, the email will look legitimate, and so will the accompanying purchase order. It may have all the right information, logos and approval signatures that match all the right people at that organization.

Ease of Execution

These more advanced social engineering scams are hard to protect against with technology alone, and can be executed with only a minimum of technical ability. Most of the information needed is surprisingly easy to capture because it's not often considered as sensitive as credit card numbers or other PII (Personally Identifiable Information). 

Public/Government Entities Vulnerable

This is particularly true with public entities who must be transparent about decisions and major purchases, and who regularly publish information such as bids, awards, contracts and contact information—online and largely unprotected. 

What They're Looking For

The data that scammers covet includes:

• Accounting and procurement contacts. These are often published on company websites, or can sometimes be gleaned from LinkedIn. 
• Vendor partners and their contacts. Published awards, posts on social media where a customer team is tagged as attending one of their events, or vendor marketing materials that highlight customers suggest just how easily this data might be collected. Oh, and if anyone has ever accidentally sent an email to multiple vendors without hiding the recipients list, that list is now resident inside all of those vendor systems. 
• Samples of emails, contract documents and purchase orders. These might be published on websites, almost certainly within the systems of at least a handful of other vendor partners.

Potential Consequences

Most of us know what can happen if we’re hacked. What’s alarming about these latest scams is that an organization can be 100% secure, technically speaking, having so far avoided any serious security incident, and still be vulnerable to these attacks. Any information published online or shared with vendors and partners can be used in a successful social engineering attack.

Mitigating Risks

What can you do to lower your risk? 

An ideal approach leverages a combination of process and technology that keeps security in mind. 

Process

• Have a well-defined process for changing important details like remittance information.  Scammers most often use email but they also text or call, trying to persuade unsuspecting employees to update such data. Verifying such requests through a second channel—such as a vendor's published main phone number—provides a simple and relatively effective mechanism. 
• For organizations that ship products, new shipping addresses should also be verified through a second channel, just as with remittance information. 
• Avoid sending payments by wire, and use ACH instead. If a scam is caught early, ACH payments can be voided. Wires execute faster and are harder to reverse. 
• Be suspicious of unexpectedly urgent requests. Scammers push to catch victims off guard and keep them from having time to think. With more time comes more chance of the scammer being spotted. Once they have a victim on the hook, then, they want to reel 'em in as fast as possible.

Technology 

• Use a portal for invoicing and posting solicitations.  Most modern accounting packages have the option to send a notification email regarding an invoice with a link instead of an attachment. The portal should be protected by Multi Factor Authentication. There are numerous secure and cost-effective portal services for solicitations or bids. 
• Your bank accounts should be protected by multi factor authentication and should require two people to commit a transfer. 
• Most importantly, organizations need a modern, intelligent email protection solution. Email protection has been around for so long that there is a tendency to assume they’re all the same and that they all provide about the same level of protection. Not true. Legacy email security solutions are looking for domain names known for fraudulent activities, and for malicious attachments and links, indicators which can be entirely absent in an impersonation scam. It’s just a regular email, after all, with a seemingly mundane request, seemingly from people we trust. 

More About Email Solutions

Modern email solutions use data and artificial intelligence to better identify, call out and protect against impersonation scams, and they do it without on-staff experts on email security or someone that understands how to create complex filtering rules and policies. 

There are many solutions that provide this type of protection but even more that do not, or do not include it, at least, in the "standard" package. Buyers might have to add a module or go with a “Premium” version. It should go without saying that marketing is often ahead of actual product development, so most email security solutions are going to tout their ability to protect against impersonation scams and include AI somewhere in the brochure, but the devil is in the details. 

Until recently, sophisticated modern email protection solutions have generally required significant expertise to manage effectively, limiting their use to enterprise-tier customers. Mimecast, a Prescriptive technology partner,  is one vendor that seems to have found a way to make such protection both more affordable and manageable, opening up a new level of cybersecurity protection to the middle market. We think solutions such as these are game changers.

Email is an organization's most vulnerable application and selecting the right security solution can be complicated. If you’re unsure whether your current tools are good enough, or if you need help selecting a new solution, we’re happy to help.