Impersonator fraud is the No. 1 cybercrime by victim loss

May 3, 2022
Most cybersecurity tools are not designed to protect against the biggest threat faced by financial firms

Every company is a target for cybercriminals. Best practices and a plethora of technologies exist to detect and defend against the compromise of a company’s systems and staff. The standard menu includes firewalls, malware prevention, email/spam filters and, increasingly, AI-based tooling designed to alert on threats.

Not surprisingly, the bad actors have moved in large numbers to weaker targets that are out of scope for any of these technologies. As a result, the system they break into is often not your company’s at all; it belongs to a trusted third party with whom your company routinely does business. This is called “impersonator fraud” (the FBI files it under Business Email Compromise), and according to the FBI it is the number one type of cybercrime by victim loss.

Instead of attempting to bypass firewalls and AI, this fraud relies on the comparatively easy compromise of an individual’s email account, typically through phishing or a reused password. The account could belong to an employee of your vendor, an attorney, an investor, a customer, a realtor, or even one of your own employees or executives. And while it is already the number one cyber fraud type, it is also the fastest-growing, accelerated largely by the pandemic’s shift to remote and hybrid work.

Impersonation is carried out mostly over email and sometimes by phone. Its success relies on the preparation and nuanced expertise of the fraudster, which is growing more sophisticated by the day. Sitting in someone’s email account lets the bad actor read their correspondence and learn how they write and act. Of particular interest are communications about upcoming financial transactions or valuable confidential material.

Knowing the players involved, the specifics of a transaction and the anticipated dates is the jackpot for an impersonator. Many also use social media to track the whereabouts of their target. For example, a CFO is posting vacation photos from Malaysia. Perfect! This gives the fraudster a plausible reason why the CFO can’t access the accounting system to set up a vendor payment. The fraudster then reaches out to the CFO’s staff from the CFO’s own account, perhaps even attaching a vacation photo lifted from social media, and issues a detailed request that a vendor payment be expedited immediately.

Given the time-zone difference and the plausibility of the request, the CFO’s staff are likely to comply, not realizing that the payment is not going to the intended vendor. It is going to the fraudster, who by now is probably also vacationing in Malaysia.

Typically, email filters and AI-based detection flag messages with suspect addresses, subject lines and links, and sometimes content that looks suspicious. Impersonator fraud is so insidious because the email really is from a ‘good’ and trusted account, so sender authentication (SPF, DKIM, DMARC) passes, and its content is perfect in vernacular and business context. The problem, of course, is that it is not the trusted third party writing; your staff are corresponding with a highly sophisticated fraudster.

Most Common Prevention Techniques

Today’s most common defense is ‘best practice.’ Operations and finance staff are trained and regularly tested to ensure they take verification steps whenever an email could have financial or confidential consequences: for example, calling the requester back on a number already on file (never one supplied in the email itself) before changing bank details or releasing a payment.

And the truth is they do follow procedure -- most of the time.

According to a survey reported in the Harvard Business Review (“Why Employees Violate Cybersecurity Policies”), 67% of those polled acknowledged that they had failed to follow procedures in some instances. The most common reasons were workload and deadlines. Statistically, most of these lapses will not result in a loss, but when they do, the loss can be catastrophic, as when hackers tricked three British private equity firms into sending them $1.3 million.
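The verification step that the trained staff are supposed to take can be made mechanical rather than left to memory under deadline pressure. The following is an added example written for this article, not WireSecure’s product or any vendor’s code. It models a payment-request gate: any emailed request that carries urgency language, new bank details, a contact number, or a large amount is held until the requester confirms it over a channel that was on file before the email arrived. The vendor directory, regular expressions, threshold and sample emails are all constructed for illustration; the sender address is assumed to be authentic, because in this fraud the mailbox really is the trusted one.

```python
"""Out-of-band verification gate for emailed payment instructions.

Hypothetical example for illustration. The key rule: the callback channel comes
from a directory populated at onboarding, never from the email, because an
attacker inside a compromised mailbox controls everything in the email.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed directory of known counterparties, recorded when they were onboarded.
KNOWN_CONTACTS: Dict[str, Dict[str, str]] = {
    "ap@acme-supplies.example": {"phone": "+1-212-555-0100", "iban": "GB29NWBK60161331926819"},
    "cfo@example-fund.example": {"phone": "+1-212-555-0199"},
}

URGENCY = re.compile(r"\b(urgent|immediately|expedite|asap)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new (bank|account)|updated? (bank|account|wire) (details|instructions)|routing)\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# International (+...) or NANP-style numbers with separators; digit runs in IBANs do not match.
PHONE = re.compile(r"(\+\d[\d\-\s]{6,}\d|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b)")


@dataclass
class PaymentRequest:
    sender: str      # From address; assumed authentic (the mailbox itself is compromised)
    body: str
    amount: float


@dataclass
class Decision:
    action: str                         # "release", "hold_for_verification" or "reject"
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None    # directory phone number, never one from the email


def assess(req: PaymentRequest, threshold: float = 10_000.0) -> Decision:
    """Classify a payment request before anyone touches the banking system."""
    contact = KNOWN_CONTACTS.get(req.sender.lower())
    if contact is None:
        return Decision("reject", ["sender not in counterparty directory"])

    reasons: List[str] = []
    if URGENCY.search(req.body):
        reasons.append("urgency language")
    if BANK_CHANGE.search(req.body):
        reasons.append("bank-detail change requested")
    for iban in IBAN.findall(req.body):
        if iban != contact.get("iban"):
            reasons.append(f"IBAN {iban} differs from the IBAN on file")
    if PHONE.search(req.body):
        reasons.append("callback number supplied in email (ignored; directory number used)")
    if req.amount >= threshold:
        reasons.append(f"amount {req.amount:.2f} at or above threshold {threshold:.2f}")

    if reasons:
        return Decision("hold_for_verification", reasons, verify_via=contact["phone"])
    return Decision("release", ["routine request from known sender with matching details"])


def confirm(decision: Decision, channel_used: str, confirmed: bool) -> str:
    """Record the outcome of the out-of-band check.

    Releases only when the requester confirmed over the directory channel. A
    confirmation obtained via a number taken from the email is worthless, so it
    is treated as a rejection even if the person on the line said yes.
    """
    if decision.action != "hold_for_verification":
        return decision.action
    if channel_used != decision.verify_via:
        return "reject"
    return "release" if confirmed else "reject"


# Constructed sample emails.
ROUTINE = PaymentRequest(
    "ap@acme-supplies.example",
    "Hi, attached is invoice 4471 for April, $8,200.00, payable to our usual "
    "account GB29NWBK60161331926819 under net-30 terms.",
    8_200.00,
)
CFO_VACATION = PaymentRequest(
    "cfo@example-fund.example",
    "I'm in Malaysia on vacation and can't get into the accounting system. Please "
    "expedite the Acme Supplies payment immediately; they have moved to a new bank, "
    "IBAN DE89370400440532013000. Call me on +60 12 345 6789 if you need anything.",
    48_500.00,
)

if __name__ == "__main__":
    for req in (ROUTINE, CFO_VACATION):
        d = assess(req)
        print(req.sender, "->", d.action, d.reasons, "verify via:", d.verify_via)
```

Run as a script, the routine invoice is released while the vacation email is held with five reasons and a directory number to call; `confirm()` then shows that calling the +60 number from the email does not release the payment, only a confirmation over the on-file number does.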

One way to gauge how widespread and costly impersonator fraud is: look at your cyber insurance policy. Business Email Compromise (the insurer’s and the FBI’s name for impersonator fraud) is usually covered under “Social Engineering,” but because of the volume of claims, that coverage is typically capped at a very small amount.

So the situation is this: the number one fraud type by loss, with only limited insurance coverage, is the one defended not by technology but by best practices and ‘hope.’

Technology To The Rescue

Fortunately, new methods are bringing proven technologies such as biometrics and MFA to the point of attack: the request itself, rather than the login. Giving staff a way to demand proof of identity before they act shifts the power back to your company and leaves the fraudster with nowhere to go, because control of a mailbox does not give them the account holder’s face or enrolled second factor. Email integrated with an identity-verification workflow turns a vulnerable platform into an effective deterrent.

In this virtual business world, the ability to ‘ask for ID’ via email is akin to airports replacing a subjective glance at a passport with biometric matching.

Cybercriminals will keep evolving their strategies to adapt to new security measures. In the case of impersonator fraud, however, applying proven MFA technologies that incorporate biometrics and data has an immediate impact. Asking a fraudster to take a selfie is like a burglar hearing barking dogs: they go to someone else’s house.

About the author: Brian Twibell is the co-founder and CEO of WireSecure, a New York-based company that provides a digital verification solution to prevent impersonator fraud.