U.S. consumers alone lost US$5.8 billion to scammers in 2021, a third of whom were reportedly victimized by imposter or impersonation scams, with each losing as much as US$1,000. But what are impersonation scams, exactly?
What Is an Impersonation Scam?
An impersonation scam occurs when attackers pretend to be representatives of a bank, the authorities (e.g., police or any other federal agency), or a company to trick victims into giving them money.
For impersonation scams to work, the criminals mimic trusted brands by using their logos and even known employees’ identities to make the ruse believable.
How Do Brand Impersonation Scams Work?
Brand impersonation scams work because the victims never really see who they’re talking to. Scammers use various channels to get to their targets—emails, voice calls, chat messages, and even social media posts. We’ll focus on online impersonation scams, though.
Typical scenarios include:
- Scammers pretending to be from one of your service providers send you an email complete with the company’s logo, contact details in the signature, and even a look-alike email address.
- Because the aim of an impersonation scam is financial, the messages always press recipients to send money at once. Scammers can say, for instance, that you have an outstanding bill to pay.
- Panic is probably one of the best scammer tactics ever. Many may say your account has been hacked or suspended and that you need to take immediate action to restore access.
- Scammers can also create fake social media profiles of trusted brands, including personalities, to trick victims into giving out personal data.
What Are the Different Kinds of Brand Impersonation Scams?
There are three primary types of impersonation scams. We discuss each in greater detail below.
Executive Impersonation Scams
This kind of impersonation scam requires taking over or spoofing a company CEO’s email account. The first tactic, of course, can only be performed by highly skilled attackers, as they would need to compromise an account that may be heavily secured.
Spoofing, meanwhile, only requires obtaining access to a domain that looks a lot like that of the target CEO’s company. An example would be john_doe@mїcrosoft[.]com, where the “i” in “microsoft” has two dots instead of one on top. It’s actually the Cyrillic small letter yi.
In this scam, the cybercriminals posing as the CEO send an email to a company employee who takes care of payments. The request usually asks the victim to send an urgent wire to a specific recipient (i.e., the attackers’ account).
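The look-alike domain described above can be caught mechanically on the receiving side. The following is an added example (not code from the original article) that names every non-ASCII character in a sender’s domain, flags labels that mix scripts, shows the Punycode form the mail server actually routes on, and checks whether the domain is one substituted character away from a hypothetical allowlist of trusted brand domains; the allowlist and the sample addresses are constructed.

```python
import unicodedata

# Hypothetical allowlist of brand domains you actually deal with (constructed).
TRUSTED_DOMAINS = {"microsoft.com", "example-vendor.com"}


def script_of(ch):
    """Coarse script ('LATIN', 'CYRILLIC', ...) from the Unicode name; None for non-letters."""
    return unicodedata.name(ch, "UNKNOWN").split()[0] if ch.isalpha() else None


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates: same length, differing only where
    `domain` holds a non-ASCII character. None if `domain` is itself trusted."""
    for good in trusted:
        if len(good) == len(domain) and all(
            a == b or ord(a) > 127 for a, b in zip(domain, good)
        ):
            return None if good == domain else good
    return None


def analyze_sender(address):
    """Findings about the domain part of a sender address; [] means nothing odd."""
    _, sep, domain = address.rpartition("@")
    if not sep:
        return ["address has no domain part"]
    domain = domain.lower()
    findings = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:  # e.g. Latin letters with one Cyrillic letter mixed in
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        for c in label:
            if ord(c) > 127:  # name every non-ASCII character so a reviewer can see it
                findings.append(f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')} in {label!r}")
    try:  # the Punycode (xn--) form is what the mail server actually routes on
        wire = domain.encode("idna").decode("ascii")
    except UnicodeError:
        wire = None
        findings.append("domain is not valid IDNA")
    if wire and wire != domain:
        findings.append(f"wire form {wire} differs from displayed {domain}")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"looks like trusted domain {imitated}")
    return findings
```

Running `analyze_sender("john_doe@mїcrosoft.com")` returns findings for the mixed-script label, the named Cyrillic character, the xn-- wire form and the resemblance to microsoft.com, while the genuine address returns an empty list.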
Vendor Impersonation Scams
As in executive impersonation scams, the hackers either compromise the account of a vendor company’s employee or spoof it. They then send an email to tell the target company that their bank account details have changed. The new information, of course, belongs to the fraudsters. As such, each time the organization pays its bill, the money lines the scammers’ pockets.
Customer Impersonation Scams
The same techniques can be used in this scam, although customer accounts are likely easier to hijack or spoof. They are, after all, typically less secure than corporate email accounts. In such a scam, cybercriminals can spoof a customer who’s asking for a refund, for instance. If they get all the details right, they can easily trick a vendor into paying up.
Only two of the three kinds of impersonation scams can fall under brand impersonation—executive and vendor impersonation scams—because their emails typically carry what is probably the most identifiable symbol any brand has, its logo.
While it’s hard to spot a brand impersonation scam email on the fly, there are still ways to avoid falling for it, such as treating any link embedded in a message that asks for payment as suspect. Keep in mind that legitimate companies, including vendors, will never ask anyone to pay their bills using a different account number than the one on their records or stated in their contracts.