2 IMPERSONATION CYBER FRAUDS

Many cyber frauds have an element of impersonation, that is, the stranger you are communicating with is not who they say they are. However, some cyber frauds are more sinister, where the person being impersonated is someone you know and trust, like a co-worker or a romantic partner. This chapter focuses on these types of impersonation cyber frauds.

Impersonation cyber frauds are the most effective cyber frauds committed by cybercriminals. In 2019 alone, the FBI reported that half of all cybercrime losses came from one type of impersonation cyber fraud: business email compromise (BEC) attacks (FBI, 2019) – that’s a massive number.

At their core, these cyber frauds are social engineering attacks. Cybercriminals are hacking humans, not computers. The different attack methods and the psychology used for impersonation cyber fraud will be discussed in this chapter along with defensive steps.

To begin with, consider this case.

Louise (not her real name) was in her office one day when she received a WhatsApp message from her boss. It was the first time he had ever contacted her by WhatsApp. Her boss was in a bind and needed her to do him a favour. He had to hand out Amazon gift certificates to several people. Would she please buy three at a value of £100 each? Unfortunately, he was on a conference call, or he would do it himself.

It seemed like an odd request, but she had received strange requests before. She purchased the gift certificates and sent the codes to her boss. A bit later, he messaged her back and said he needed three more. She hesitated and asked further questions. It seemed like her boss, and it was apparent something serious was going on with him. The sense of urgency was evident when he said: ‘I’m the boss, please just get me out of this mess and can you please just hurry up.’ She didn’t know what kind of bind her boss was in, but it was clear he was distressed and needed her help, right then. In total, she ended up buying 12 £100 gift certificates before she stopped and refused to purchase more until she spoke to him on the phone.

She had not been messaging her boss (Hannah, 2020).

Every day people are discovering they have been communicating with and sending money to imposters. It could be someone they thought was their chief executive officer (CEO), or a long-distance boyfriend or girlfriend they thought loved them, or someone else they trust – either way, it’s a shock. Such stories are diverse and, in many cases, heartbreaking.

ANATOMY OF IMPERSONATION CYBER FRAUD

For impersonation cyber frauds, cybercriminals seek to fool their victim into believing they are interacting with someone they know, a trusted entity. Then, once they have deceived the victim, they persuade them to give them money. Social engineering is how they do this.

Social engineering is at the heart of impersonation cyber frauds (and most other cyber frauds). There are varying definitions for social engineering. Christopher Hadnagy, the author of Social Engineering: The Science of Human Hacking, defines social engineering as any act that influences a person to take an action that may or may not be in his or her best interests (Hadnagy, 2019). Social engineering expert Jenny Radcliffe, aka the People Hacker, says social engineering is, ‘The active weaponization of human vulnerabilities, behaviours & errors.’ She goes on further to say it is, ‘The manipulation of human factors to gain unauthorized access to resources and assets for criminal gain and/or malicious intentions’ (personal communication, 17 March 2022). Social engineering is a crucial method for cybercriminals.

Cybercriminals will pretend to be anyone that they think will help them to achieve their end goal – which is getting the victim to transfer money or something else of value. However, cybercriminals have learned there are some people they can impersonate that offer better financial rewards than others (more on this shortly). These individuals are where they often focus their time and effort.

There is no limit to who they will impersonate. The internet makes impersonation easy. Researching a company or a particular figure has never been simpler with social media sites and search engines. Cybercriminals can find out the background of the person they are impersonating or the target they are trying to deceive with just a few clicks.


Ask hard questions. Cybercriminals do not do well with specifics. Do their stories add up? Do they make sense? Are there any holes in the stories?

LESSONS FROM HISTORY

Impersonating someone for financial gain is nothing new. There are many historical cases of criminals successfully doing just that.

In 68 AD, the Roman empire was at its peak. The Roman army was conquering new territories, and the empire appeared unstoppable.

This year also saw the death of Emperor Nero. He had been a controversial leader who was known for tyranny, extravagance and debauchery. Soon after his death, rumours began to swirl that he wasn’t dead. In the Roman province of Achaia, a Pseudo-Nero appeared (Galivan, 1973). He looked similar to Nero and had a tragic story that led to him being in Achaia. Many people thought it was indeed the emperor. Men joined his cause to reclaim his seat. Unfortunately, it wasn’t enough. In the end, he was captured and executed after a few months.

Let’s look at this a little deeper. The Pseudo-Nero was in an area far away from the Roman capital. Not many people would have seen the emperor close up. He created a story and then said something along the lines of ‘I’m the emperor, and I’m back.’ Then he persuaded people he was indeed Nero. That was it.

You could do a similar thing, anytime. You could travel to another country and pretend to be anyone you wanted. Create any story you wanted. Maybe you want to be a retired professional football player or an executive at Google. You could even go on LinkedIn, find a Google executive’s name and use it. When you introduce yourself to strangers with this new name and story, most likely, strangers will believe you. You become that person. It’s kind of like rubbing Aladdin’s Lamp and having the genie grant your wish.

Then there is the story of Grigory Otrepyev in the early 17th century. He claimed to be Dmitry, the youngest son of Ivan the Terrible, the tsar of Russia. The real Dmitry had died in an assassination in 1591, but not many people knew. Grigory created a story that had him escaping the assassination. He spoke Russian and Polish and was skilled in riding and literacy. It worked. Nobles began supporting him, convinced he was the real Dmitry. Grigory was able to raise armies. Unlike the Pseudo-Nero, Grigory was successful and became tsar. His reign lasted only 11 months before he was found to be an imposter. He died while trying to escape (Dmytryshyn, 1991).

It was the same formula as above. Grigory knew enough about Dmitry to convince people he was him. Then he announced he was Dmitry and persuaded people to follow his cause. Today, instead of emperors and tsars being impersonated, it’s CEOs.

Here is an example from the late 1800s. An American fraudster arrived on the shores of England in July 1893. His first stop was London to stay at the Savoy hotel. Before his arrival, he had made a plan. He arranged for another American named McDonough to be at the hotel. McDonough’s job was to introduce him to fellow business people who were known to frequent the Savoy. McDonough introduced him as Mr Griffith, a director at Standard Oil Company. Standard was the largest oil company in the world at the time. The story was that the oil company wanted to do deals. There was money to be made. One night he ran into a problem when someone introduced him as Mr St Elmer. The previous night someone else introduced him to the same gentlemen as Mr Griffith. When questioned about the discrepancy, he casually explained his full name was Griffith St Elmer and went by either (Pall Mall Gazette, 1893).


Look for inconsistencies in stories. These can often signal something is not right.

Mr Griffith’s story would continuously change. One version was that there were 100,000 barrels of oil in his care, with more arriving. He had to find buyers for the oil. Another was that Standard Oil was looking to buy a large steel company.

He began socialising at the finest clubs and restaurants, hanging out with other successful individuals. At one of the London hotels he frequented, he saw Mr Studebaker, who owned one of the largest carriage builders in the United States. He walked up to him and grasped his hand, saying, ‘You must know me, Griffith of the Standard Oil Company.’ Mr Studebaker did not know him but thought he had most likely met him somewhere and had forgotten.


Check the source of introductions you have been given. Where did they come from? Are they valid?

Griffith was friendly and personable. Mr Studebaker was taken in. Eventually, he introduced him to his good friend, Mr Lamb (not his real name). Griffith told story after story about his oil business. During drinks, Griffith mentioned he was interested in purchasing a large chunk of land owned by Mr Lamb.

Mr Lamb invited Griffith to visit his home town. Mr Lamb enjoyed Griffith’s company and arranged for him to stay several days. Once there, Griffith mentioned his good friend, John D. Rockefeller, the President of Standard Oil Company, was due to arrive in London at any moment. He almost certainly would take the first train available to join him.

During his trip, one evening Griffith had an urgent problem. He needed to visit a local bank but all the banks had already closed for the day. He produced a large cheque to Mr Lamb, saying he urgently needed to cash it to take care of a personal situation that evening. Would Mr Lamb loan him the money until the banks opened and he could cash his cheque? Mr Lamb did.

Later that evening, Griffith hosted a large dinner for Mr Lamb and principal employees at his hotel. Griffith borrowed more money from Mr Lamb’s son-in-law. The next day, Griffith told the hotel Mr Lamb would be paying for all the expenses later. Griffith even borrowed some money from the hotel clerk, telling him to put it on Mr Lamb’s bill. Griffith then left town, never to be seen again (Pall Mall Gazette, 1893).


Once the attack begins, cybercriminals will try to maximise their gains. Be aware that the attack may not be finished, even if discovered.

Notice themes between the examples above?

All the imposters pretended to be someone in a position of authority. They were people who instantly commanded respect, like an emperor, tsar or a high-ranking executive at a reputable company.

It’s easy to say you are someone else. Whether or not anyone believes you is a different matter.

Consider the more recent example of Frank William Abagnale. He is one of the most notorious imposters in modern times. In the 1960s, before he was 22, he pretended to be an airline pilot, physician, lawyer and US Bureau of Prisons agent. He was hugely successful. The Leonardo DiCaprio film, Catch Me If You Can, is based on his life. While Frank travelled the world, he also cashed $2.5 million in fraudulent cheques in every state and in 26 foreign countries (Ewalt, 2006).

The internet has changed how impersonation frauds work. In an interview, Abagnale, who is now a leading security expert, sums up the situation:

In the old days, a conman would be good looking, sophisticated, well dressed, well-spoken and presented themselves real well. Those days are gone because it’s not necessary. The people committing these crimes are doing them from hundreds of miles away.

(Solon, 2017)

SOCIAL ENGINEERING

Before getting into the different impersonation cyber attacks, it’s essential to understand the tactics cybercriminals use to conduct these attacks, which is primarily social engineering. This is the art of manipulating people to get them to make decisions that benefit cybercriminals. Cybercriminals want you to make decisions without thinking about them.

How can someone be tricked into making a decision that isn’t good for them? Let’s look at how cybercriminals do this.

Persuasive techniques

Remember the last restaurant you visited. When the bill for your meal arrived, you reviewed it, paid and probably decided to leave a tip. How did you determine the tip amount? Most likely, your tip amount was based on the quality of the food and service. What if the amount you paid was influenced without you realising it?

Sometimes when waiters bring bills, they also bring a small gift, like a liqueur, fortune cookie, chocolate or a mint. A study into restaurant tipping found that giving a single mint caused a three per cent increase in tips.

What happens if you get two mints? A whopping 4x increase to 14 per cent. It gets even better: if the waiter provides one mint, then starts to leave the table, but then turns around and says, ‘For you nice people, here’s an extra mint’, the tip amount soars to a 23 per cent increase (Strohmetz et al., 2002). It wasn’t what was given, but how it was given. You can be influenced by persuasion techniques and not realise it is happening.

Marketers understand persuasion. They aim to persuade you to do something without you realising it. For example, how often do you see advertisements with headlines such as ‘for a limited time only’ and ‘special offer’? These are persuasive techniques to get you to buy their product quicker than you usually would. Cybercriminals use these same principles. They want you to say YES, and not even understand why you are doing so.

Dr Robert Cialdini, a world-renowned expert in persuasion techniques, developed what he calls the ‘Principles of Persuasion’ (Cialdini, 2007): six universal types of persuasion that guide human behaviour. Here they are:

  1. Reciprocity: People are obliged to give back to others what they have received first themselves.

    When cybercriminals do small favours, they aim to invoke the sense that the victim must give back.

  2. Scarcity: When there is not enough of something, it makes people want it more.

    Cybercriminals will often say things like ‘this is the last one’, or claim they are not sure they can get the item at all. Scarcity is their unique selling point.

  3. Principle of authority: People follow the lead of credible experts.

    Cybercriminals conjure up stories about their experience. They pretend to be government officials, academics or just about anyone with authority.

  4. Consistency: People like to be consistent about things they previously said or have done.

    If the cybercriminal can get the victim to commit verbally or in writing, the victim is more likely to follow through.

  5. Principle of liking: People like to say yes to people they like.

    Cybercriminals compliment victims and look for areas of similarity to share to get their victims to like them.

  6. Consensus: People like to follow the herd. When everyone around them appears to share the same risks, people let their guard down.

    If cybercriminals can get multiple people to become unknowing victims, they will have an easier time convincing other people. The thinking is since everyone is doing it, it must be legitimate.

Cybercriminals understand these techniques. They will use any combination of them together to achieve their aims. The methods of persuasion are classic, time-tested tools that have been used for centuries by criminals. They are masters at what they do. Understanding their persuasion strategies is the first step in defending against them.

DEFEND YOURSELF AGAINST PERSUASIVE TECHNIQUES ‘CHEAT SHEET’

  1. You don’t always have to reciprocate. It’s OK to accept gifts or favours in good faith, but be aware this is a key persuasion method cybercriminals use. It’s OK not to reciprocate if something does not appear right.
  2. It’s OK to change your mind. Listen to your gut. Does something not make sense anymore? If so, explain to the requestor the situation has changed, and you can no longer help.
  3. Do your research. People often make decisions based on what other people think. Online testimonials can provide legitimacy or proof a business is valid. Be sceptical and ask yourself, ‘Is this information real and honest?’
  4. Base your decision on the offer, not the requester. Step back from the deal and mentally separate the person from their offer. Analyse the merits of the offer.
  5. You don’t always have to follow authority figures. Ask yourself, ‘Is this person truly an expert?’ This will focus you on looking for evidence of their authority. Next, ask ‘How knowledgeable can I expect this expert to be?’ Consider the expert’s background, credentials and expertise.
  6. What is really finite? Ask yourself, ‘Is this item truly dwindling in availability?’ If you feel rushed to act quickly, take a step back and slow down. Consider if the information is accurate and assess the merit of the offer. Always remember you do not have to commit: there will be other offers out there.

In impersonation cyber fraud there is one persuasion principle that is heavily used, more often than the others – the principle of authority. It’s worth exploring this further.

The principle of authority

To first understand the principle of authority, it’s essential to review obedience.


Obedience is a form of social influence where an individual acts in response to a direct order from another individual, usually an authority figure. It is assumed that without such an order, the person would not have acted in this way (McLeod, 2007).

A simple example of obedience is when a parent tells their seven-year-old to stop watching TV and study instead. If the child does as he is told, he is said to have obeyed his parent. If he doesn’t do as he is told, then he is said to be disobedient.

Another example of obeying authority is seen in religions. Take Christianity, for instance. There is this phrase in the Bible: ‘For the Lord’s sake, submit to all human authority – whether the king as head of state or the officials he has appointed’ (Peter 2:13 in Holy Bible, 2011).

Peter forgot to add a caveat: submit to all non-fraudulent human authority. With books like the Bible telling people to obey authority, there is little wonder that for most people there is a strong pull towards doing so.

Obeying authority isn’t a bad thing. It’s a core principle of any society; for example, police officers and judges are in positions of authority and should be obeyed. But this same pull makes authority easy to exploit: you shouldn’t obey fraudulent authority, but how do you know if authority is fake?

People are naturally inclined to believe another person in a position of authority or to trust organisations they perceive as legitimate. It’s the natural default for most people.

To illustrate this point, think about the example below.

When you are at the hospital and see a doctor walking around, you will recognise they are an authority on medicine. You will instantly have a level of trust in them. If you see that same doctor in a Starbucks next to the hospital, you most likely will have the same reaction. But how do you know if the person is a doctor? They are dressed like a doctor. They are wearing doctor garments and have a stethoscope around their neck. Surely, they must be a doctor? In reality, seeing someone dressed as a doctor in Starbucks, you will most likely assume they are a doctor. However, unless you investigate further, you cannot be certain.

Let’s shift this to the workplace. If the CEO of your company were to come into your office and ask you to do something, you would recognise their authority and comply with their legitimate request. Now, if the same CEO were to email you and make the same request, you would still remember their authority and comply with it. Who wouldn’t? Most people do this by default. You might not even realise the principle of authority is influencing you; it could be an automatic response. The boss asked for it, so do it.

It’s a disturbing reality that many people will do things they usually would never do when asked by someone in authority. It is why knowing who you are communicating with is so important. The principle of authority creates legitimacy. Once that is established between the cybercriminal and the potential victim, it becomes easier for the cybercriminal to perpetuate the fraud.

Consider the case of Edward Snowden and how he used the principle of authority.

The National Security Agency (NSA) in the US is the keeper of many of the US’s top secrets. In 2013 it went through its darkest days yet. A treasure trove of highly classified information was released to the public by a whistle-blower, Edward Snowden. He was a systems administrator (sysadmin) at the NSA.

When it comes to computers, a system administrator is the authority. Many people will follow the advice from a sysadmin regarding their computer. Snowden understood this and used it to gain further access at the NSA.

Here is an excerpt from an NSA memo:

18 June 2013, the NSA civilian admitted to FBI Special Agents that he allowed Mr. Snowden to use his (the NSA civilian’s) Public Key Infrastructure (PKI) certificate to gain access to classified information on NSANet; access that he knew had been denied to Mr. Snowden. Further, at Mr. Snowden’s request, the civilian entered his PKI password at Mr. Snowden’s computer terminal. Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information. The civilian was not aware that Mr. Snowden intended to unlawfully disclose classified information. However, by sharing his PKI certificate, he failed to comply with security obligations.

(Bauman, 2014)

In other words, Snowden used social engineering to deceive the NSA employee into entering his password.

Just using the different persuasion principles alone would be effective for cybercriminals. But their real trick is to get their targets in an emotional state before using the persuasion techniques. This supercharges their ability to use persuasion methods. How cybercriminals get people into an emotional state is discussed in the following chapter.

Social engineering attacks

The majority of social engineering attacks are conducted, at least initially, through a form of phishing or through social media. This section discusses these. Cybercriminals may use one method or multiple different methods together.

Phishing

Phishing is the most common type of social engineering attack method. Phishing attacks often seek to get the victim to reveal sensitive information like usernames and passwords. However, in many circumstances, phishing can simply be a request for the recipient to do something, such as transfer money. Other phishing attacks aim to get access to a legitimate email account in order to launch further, more credible attacks from it.


Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or direct them to a dodgy website. Phishing can be conducted via a text message, social media or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive (NCSC, 2019).

Figure 2.1 shows a phishing email example on a mobile phone.

Take a close look at the example and think about all potential warning signs.

Figure 2.2 and the list below give an evaluation of this phishing email.

  1. You can’t confirm who sent it. Is the email address authentic? Does it look like it’s the official company email address? In this case, it doesn’t. If you are not sure, contact the business directly, using contact details that you know are legitimate.
  2. It has spelling and grammatical errors. Most legitimate business emails do not contain these types of errors. When an email contains spelling and grammatical errors it is a sign something is not right, and it could be fraudulent. This is changing, however. More and more phishing attempts have proper spelling and grammar, making them harder to recognise.

Figure 2.1 Phishing email example (Source: Scamwatch, Australian Competition & Consumer Commission. © Commonwealth of Australia. Published under Creative Commons Attribution 3.0 Australia)


  3. It has a request to do something. The email is after your personal details, which cybercriminals can use to attack you again.
  4. It has a malicious link. To determine if a link could be suspicious, hover over it. This often displays the URL. Does it make sense and look right? For example, if you’re getting an email supposedly from HSBC but the link is to another, non-HSBC-named site, be on alert.

    Be wary of any links you receive in an email. They could redirect you to a phishing website or trick you into downloading malicious software. Often when a malicious link is clicked, the user is requested to download files with well-known extensions like .doc or .pdf. Do not download them unless you are 100 per cent certain they are genuine. These files could contain malicious content to infect your device.

    With websites, it is always safer to go directly to the company’s website by typing in their website address (URL) directly into the address bar on your web browser or by finding their website on a search engine yourself.

Figure 2.2 Phishing email breakdown (Source: Scamwatch, Australian Competition & Consumer Commission. © Commonwealth of Australia. Published under Creative Commons Attribution 3.0 Australia)


Sometimes just clicking on a link is enough to download malicious content onto your computer or mobile device without you knowing about it.

  5. There is a sense of urgency. Cybercriminals want you to act fast before thinking through their request. The best rule of thumb here is: do not rush; slow down and think through what the request is before acting (Australian Competition & Consumer Commission, no date).

Cybercriminals use a wide variety of subject lures to snare their victims. The security company, KnowBe4, analyses phishing emails. In the third quarter of 2021, these were the most common phishing email subjects:

In the US:

  1. Vacation policy update.
  2. Password check required immediately.
  3. Important: Dress code changes.
  4. Acknowledge your appraisal.
  5. Remote working satisfaction survey.

In Europe, Middle East and Africa (EMEA):

  1. Your document is complete – Save copy.
  2. Stefani has endorsed you!
  3. You have requested a reset to your LinkedIn password.
  4. Windows 10 upgrade error.
  5. Internet capacity warning (KnowBe4, 2021).

Notice how the email subjects can be anything. You wouldn’t normally associate a dress code change with a phishing attempt. However, the subjects are all designed to pique the reader’s interest. They will always keep changing.

Spear phishing

Compared to traditional phishing campaigns, spear phishing focuses on one specific individual. Cybercriminals will do their research before the attack. They will spend more time and effort in crafting their phishing message to make it sound as convincing as possible to their victim. Usually, the messages will appear as if they are being sent from a trusted individual. The goal is the same as for standard phishing: get the victim to reveal sensitive information or do something (usually transfer money).

Spear phishing attacks use any communication method: email, text, phone call or social media.


Look at emails closely. Is the email address exact? Often cybercriminals will use lookalike tactics for emails or websites. In other words, they create new email addresses with slight variations, like this example: [email protected] vs [email protected]. The new email is close enough that it will not be obvious at first glance that it is not correct.

Smishing

Increasingly cybercriminals are using other communication methods for their phishing campaigns. Smishing is when text messages are used instead of email.

See Figure 2.3 for an example of a smishing message.

Figure 2.3 Smishing message example (Source: Scamwatch, Australian Competition & Consumer Commission. © Commonwealth of Australia. Published under Creative Commons Attribution 3.0 Australia)


Notice what’s wrong with the text message? The first text message is a legitimate message. The second is from a cybercriminal.

Figure 2.4 and the list below give an evaluation of the message.

  1. The text message can look legitimate because cybercriminals can ‘spoof’, that is, impersonate phone numbers and email. This makes it appear the message is coming from a particular number when it isn’t.

Figure 2.4 Smishing message evaluation (Source: Scamwatch, Australian Competition & Consumer Commission. © Commonwealth of Australia. Published under Creative Commons Attribution 3.0 Australia)


If in doubt, check the phone number of the message independently, such as looking on the organisation’s website, bill, letter or bank statement. Then call the organisation using those details to verify the message is indeed a genuine message.

  2. Notice the subtle differences between messages. The first message asks the recipient to go to the company app and perform an action. The new message ignores that and tries to get the victim to click a suspicious link.
  3. There is a malicious link. Any link in messages should be treated with caution. Go to a web browser and type in the website address for the company the text is purported to be from directly instead of clicking links.
  4. The link isn’t secure. The link uses HTTP instead of HTTPS. With HTTPS, the connection from your browser to the website is encrypted, making it difficult for cybercriminals to intercept information you enter. With HTTP, there is no encryption to prevent cybercriminals from seeing your information.

    A big warning here: do not rely on this alone. HTTPS only shows that the connection is encrypted, not that the site is genuine; cybercriminals can set up HTTPS on their own sites too.


When entering any personal or financial details on a website, check if HTTPS is used. If not, the website is not to be trusted. Do not enter sensitive information.

  5. There is a sense of urgency. Keywords like ‘suspended’ are used to elicit an immediate response for you to do something. Always step back and give yourself some time to think through what you have been asked before taking action (Australian Competition & Consumer Commission, no date).
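The checks in the phishing breakdown above (Figures 2.1 and 2.2), the lookalike address tactic from the spear phishing section and the smishing evaluation just given can be combined into one message triage routine. The following is an added example, not code from the chapter; the trusted domains, keyword lists and sample messages are constructed assumptions.

```python
"""Triage an email or text message for the warning signs this chapter lists: an unverified
or lookalike sender, links that use plain HTTP or point somewhere other than the sender's
brand, and urgency or credential-request wording.  Added example, not the chapter's own code."""
import re
from urllib.parse import urlparse

# Domains the recipient genuinely deals with (constructed for this example).
TRUSTED_DOMAINS = {"hsbc.co.uk", "example-corp.com"}
# Character swaps commonly used to build lookalike names, e.g. "rn" for "m", "5" for "s".
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URGENCY_WORDS = ("urgent", "immediately", "suspended", "hurry", "within 24 hours", "act now")
CREDENTIAL_WORDS = ("password", "verify your account", "login details", "confirm your identity")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise(domain: str) -> str:
    """Undo common lookalike substitutions so h5bc.co.uk compares equal to hsbc.co.uk."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means one name is a near copy of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True for a trusted domain or any of its subdomains (www.hsbc.co.uk, not hsbc.co.uk.evil.net)."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """The trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    if not domain or is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalise(domain), trusted) <= 2:
            return trusted
    return None


def triage(message: dict) -> list:
    """Return the warning signs found in `message` (keys: sender, subject, body); [] means none."""
    findings = []
    text = f"{message.get('subject', '')} {message.get('body', '')}".lower()
    sender = message.get("sender", "").rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(sender)
    claimed = sender if is_trusted(sender) else imitated  # the brand the message appears to be from

    # 1. Can you confirm who sent it?  Lookalike addresses are the spear phishing trick above.
    if imitated:
        findings.append(f"sender domain {sender} is a lookalike of {imitated}")
    elif sender and not is_trusted(sender):
        findings.append(f"sender domain {sender} is not a known contact; verify independently")

    # 2. Links: plain HTTP, lookalike hosts, or a host that is not the brand the message claims.
    for url in URL_RE.findall(message.get("body", "")):
        host = urlparse(url).hostname or ""
        if url.startswith("http://"):
            findings.append(f"link {url} uses HTTP, so anything entered is sent unencrypted")
        look = lookalike_of(host)
        if look:
            findings.append(f"link host {host} is a lookalike of {look}")
        elif claimed and not (host == claimed or host.endswith("." + claimed)):
            findings.append(f"link host {host} does not match the sender's domain {claimed}")

    # 3. Urgency and credential requests are the pressure tactics described above.
    for label, words in (("urgency wording", URGENCY_WORDS), ("asks for credentials", CREDENTIAL_WORDS)):
        hits = [w for w in words if w in text]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")
    return findings


# Constructed sample messages, not real communications.
SMISHING = {"sender": "alerts@h5bc.co.uk", "subject": "Account suspended",
            "body": "Your account is suspended. Verify your account immediately "
                    "at http://hsbc-secure-login.com/verify"}
GENUINE = {"sender": "noreply@hsbc.co.uk", "subject": "Your monthly statement is ready",
           "body": "Log in to the app to view it: https://www.hsbc.co.uk/statements"}

if __name__ == "__main__":
    for name, msg in (("smishing", SMISHING), ("genuine", GENUINE)):
        print(name, triage(msg) or ["no warning signs found"])
```

The keyword lists are deliberately short; in practice they would be tuned to the organisation's own correspondence, and a clean result is a reason to verify through a known channel, not a guarantee.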

Vishing

Cybercriminals also use phone calls for phishing attacks. These attacks are called vishing attacks. It’s easy to ignore an email; it’s not so easy to do the same with a phone call. Cybercriminals can spoof a company’s internal phone number, and they can pretend to be a co-worker.

Consider this transcript:

  • Good afternoon, is George Bloggs in?
  • Wonderful, this is John Doe (aka cybercriminal) from the IT department. How are you today?
  • Great to hear. We are going through a security review of our systems this week. The goal of this call is to make sure your computer is working correctly and is up to date on our security software tools. I’m sending you an email to test with. Let me know when you get it? (Cybercriminal sends email.)
  • Got it? Good, click the link in the email. This will take you to our security testing centre. Once you have entered your username and password, we will begin testing your computer.
  • All good, you should be at our security portal page. See the link there, just download and run the file. The software will then run automatically and report back to us any security issues with your computer. We need to do everything we can to protect our company and its employees.
  • OK, everything looks good. Pleased to report to you no security issues have been found on your computer. You can sleep well tonight.

In this case the victim has been tricked into clicking the link and installing malicious software, giving the cybercriminal their username, password and remote access to their device.

Cybercriminals can masquerade as anyone (for example police, technicians, bank employees). It is important to verify who the caller is. Always insist on calling them back – never on a phone number they give you. For example, if they say they are calling from HSBC Bank, then go to the HSBC website and call the number listed to verify the caller. And never under any circumstances give the caller your password or install any programs on your computer the caller wants you to install.

Social media

Popular social media sites like Facebook, Instagram and LinkedIn can all be used for social engineering. Cybercriminals can create fake profiles and trick victims into accepting them as contacts. These will be used to launch further attacks to deceive victims into revealing sensitive information.

Spotting fake profiles on social media can take work. A good place to start is asking yourself, do you know this person? Do you really want someone you do not know as a friend on Facebook?

Other checks include doing a reverse image search on the profile picture. Cybercriminals will often use the same image for multiple fake accounts. Is there a low number of followers, friends or connections? Is there a lack of activity? While these alone don’t necessarily mean the account is fraudulent, they do signal further caution is needed.

Go to images.google.com, click on the camera icon to the right of the search bar. Then upload an image or paste an image from a URL to see if the image has been used before and who it might be.

Here is one example of fake profiles discovered on LinkedIn by Bruce Johnston, a LinkedIn specialist. He noticed a large number of subscribers to his LinkedIn newsletter one day. Upon further investigation, many of the subscribers were from the same company. The company had 467 employees – 450 of them had the same attributes: all spoke three languages, had Master’s degrees, had work experience at the exact same previous company, all were women, titles were either product managers or senior product managers and, to cap it off, all of the 467 employees joined LinkedIn between 18 July and 18 August 2021. Is it likely these profiles are real? It is certainly possible, but highly unlikely (Johnston, 2021).

IMPERSONATION CYBER FRAUD ATTACK METHODS

The social engineering methods form the foundation for many different impersonation cyber fraud attacks. In this section the more common ones are discussed.

Business email compromise attacks

BEC is a form of spear phishing attack where a cybercriminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information. The cybercriminals behind BEC attacks send convincing-looking emails that might request unusual payments or contain links to ‘dodgy’ websites. Some emails may contain viruses disguised as harmless attachments, which are activated when opened.

Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals and can be harder to detect. BEC is a threat to all organisations of all sizes and across all sectors, including non-profit organisations and governments (NCSC, 2020).

Cybercriminals engage in a dialogue with their victim to establish their identity and build trust. Most of the time, this is done by email, but tools like WhatsApp or text messages are increasingly used. Sometimes all it takes is just one email; in other cases, it’s a drawn-out process that can take a few days or weeks of exchanges.

Consider this case.

In 2019, a cybercriminal pretending to be the CEO of Tecnimont contacted their Indian subsidiary, letting them know about a big deal that was about to happen. After a series of email exchanges, the cybercriminal set up a conference call with the Indian subsidiary. Cybercriminals pretended to be the group CEO, a top Switzerland-based lawyer and other company senior executives. The Indian office believed the company was making a confidential acquisition in China.

Chinese cybercriminals tricked Tecnimont’s Indian subsidiary into transferring over $18 million (Sussman, 2019).

The Chinese cybercriminals didn’t meet anyone at Tecnimont. They didn’t need to. With the internet, they could pretend to be whomever they wanted. How is anyone going to know? And unlike Frank Abagnale, they didn’t need to travel to different countries for their scams. They could commit fraud safely from within their own country.

An old New Yorker cartoon shows two dogs talking to each other in front of a computer that humorously sums up the situation: ‘On the Internet, nobody knows you’re a dog’ (Steiner, 1993).

It’s as accurate as ever.

These are the steps of a BEC attack.

  1. Identify the target victim. This is the most time-consuming step.

    Through a combination of social engineering and research, cybercriminals identify their targets. They will readily use various online sources like Facebook, Google or LinkedIn to gather information. Who are the key executives? Who are the best people in the company to impersonate? How do they speak or write? What is their communication style? Cybercriminals will study anything public about the company or individuals they can find. When they are ready to strike, they will do so with precision and accuracy.

  2. Grooming phase.

    Cybercriminals use a series of steps to establish trust. They will use a range of persuasion tactics via any communication method they can to establish credibility and impersonate someone, copying the style of how that person communicates.

  3. Exchange of information.

    At this point, the victim becomes convinced that this is a legitimate transaction. They now believe they are communicating with the genuine individual. They are then given instructions as to how to transfer funds. The funds are sent to accounts controlled by the cybercriminals.

  4. Payment.

    Funds are transferred, and the cybercriminals pop open the champagne.

BEC attacks often use free email services like Gmail or Yahoo. Nearly 77 per cent of all BEC attacks in the second half of 2020 used free email accounts, according to the security firm Agari (Agari, 2021).

Train all employees on security awareness. This is not a one-time exercise; it should be ongoing and performed at least annually.

According to the FBI Internet Crime Complaint Center (IC3), nearly $2.4 billion was lost in 2021 due to BEC attacks (FBI, 2022). These are only the reported cases. Many companies do not want the reputational hit (reduced stock price, loss of customer trust or sales) that comes with falling for a BEC attack and will not report it. You can only imagine how high the actual number is.

Cybercriminals are increasingly using virtual meeting platforms like Zoom or Google Meet to commit BEC attacks. They compromise an executive’s email (for example the CEO’s or chief financial officer’s (CFO’s)). Then they request a virtual meeting with other employees. A still picture of the executive is shown, either with no audio or with deepfake audio that sounds like the CEO (more on this later in the book). During the meeting, the ‘CEO’ claims their audio or video isn’t working. The ‘CEO’ instructs the employees to initiate a wire transfer during the meeting or uses the executive’s email to send the wiring details (FBI, 2022).

BEC has evolved. Today, cybercriminals will spoof lawyers’ email accounts, target real estate professionals or imitate suppliers, just for starters. The floodgates have opened. Anyone you send money to can be impersonated by cybercriminals.

Email spoofing is a technique used in phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust (Proofpoint, no date).

Cybercriminals have also started using different payment methods. It used to be that they would request a wire transfer. Now, it’s a mixture of wire transfers, payment apps and gift cards (for example eBay, Google Play, iTunes, Amazon). Gift cards accounted for 60 per cent of all BEC attacks in the fourth quarter of 2020, with an average loss of $1,270. Wire transfers accounted for 22 per cent of attacks, with an average loss of $72,044 (Agari, 2021).

Here is another current variation, as reported by cybersecurity vendor Trend Micro:

[T]hey [cybercriminals] have started sending emails notifying the target organisation of acquisition terms of an overseas vendor – with the caveat that 30% of the purchase price had to be wired.

(Trend Micro, 2020)

Ronnie Tokazowski is considered an expert on BEC fraud. He founded the BEC Mailing List, which is a private discussion group dedicated to combating BEC. It includes over 530 experts from various security firms, technology companies and law enforcement agencies dedicated to battling the cybercriminals who perpetrate BEC frauds.

In an interview with the investigative journalist Brian Krebs, Ronnie had this to say:

If you just look at the financial losses across cybercrime – including ransomware, banking trojans and everything else – BEC is number one. Something like 63 per cent of fraud losses reported to the FBI is related to it.

(Tokazowski, 2018)

Cybercriminals continue to innovate with new technologies. Attacks increasingly target mobile devices, because BEC attacks are harder to detect there. Cybercriminals know that the majority of emails are opened on mobile devices. Most mobile clients only display the sender’s name and not the email address. This makes it easier for cybercriminals to impersonate individuals. Combined with time-sensitive persuasion techniques, it makes it less likely that people will dig further to check whether the message is legitimate.

Think about when you are most likely going to use your mobile and not your computer, such as your morning commute. Cybercriminals will attack during those times.

Other communication channels like Facebook Messenger or WhatsApp are used increasingly. In these situations, there is no email to verify. It’s the phone number that is in question or the Facebook account itself. In many cases, the attacks come from multiple communications channels. One particularly effective method is to start a dialogue by email and follow it up with a phone call.

To make matters worse, research in 2018 showed that almost 40 per cent of employees cannot identify a BEC attack (Wilson, 2018). How are businesses falling for this in such large numbers? Fraud has always been a threat to business, since way before the internet. Companies already had fraud controls in place, yet they fall like dominoes to BEC attacks.

When an email account is compromised, changing the password is not enough. Check the mailbox rules to see if cybercriminals have set up auto-forwarding rules. Often, rules matching keywords like ‘payment’, ‘invoice’ or ‘fund transfer’ have been put in place to forward the emails concerned to the cybercriminals. If you do not have multi-factor authentication (MFA) set up, then do so now.
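The rule check above can be scripted. The following is an added example, not code from the book: it audits an exported list of mailbox rules for forwarding to addresses outside the company, finance keywords, and settings that hide the matched mail from the owner. The JSON export shape, the company domain and the sample rules are all constructed.

```python
"""Audit a mailbox's inbox rules for the silent auto-forwarding pattern
described above (rules keyed on words like 'payment' or 'invoice' that ship
the matching mail to an attacker-controlled address).

Added example, not from the book. The rule export is a constructed,
simplified JSON shape; a real mail platform's rule export would be mapped
onto these keys first.
"""
import json
from dataclasses import dataclass, field

# Terms the text says attackers key their forwarding rules on (constructed list).
FINANCE_KEYWORDS = ("payment", "invoice", "fund transfer", "wire", "remittance")


@dataclass
class Finding:
    rule_name: str
    reasons: list = field(default_factory=list)


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit_rules(rules_json: str, company_domain: str) -> list:
    """Return a Finding for every rule that forwards or redirects mail outside
    company_domain, matches finance keywords, hides the matched message from
    the owner, or carries a blank/punctuation-only name (a common way to keep
    a malicious rule from standing out in the rule list)."""
    findings = []
    for rule in json.loads(rules_json):
        name = rule.get("name", "")
        reasons = []

        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if _domain(t) != company_domain.lower()]
        if external:
            reasons.append("forwards mail outside the company to " + ", ".join(external))

        words = [w.lower() for w in rule.get("subject_or_body_contains", [])]
        hits = [w for w in words if any(k in w for k in FINANCE_KEYWORDS)]
        if hits:
            reasons.append("keyed on finance terms: " + ", ".join(hits))

        if rule.get("mark_as_read") or rule.get("delete_message"):
            reasons.append("hides matched mail from the mailbox owner")

        if not any(ch.isalnum() for ch in name):
            reasons.append("rule name is blank or punctuation only")

        if reasons:
            findings.append(Finding(name or "<unnamed>", reasons))
    return findings


# Constructed sample export: one benign filing rule, one internal holiday
# cover rule, and one rule of the kind the text warns about.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "Newsletters", "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "Reading"},
    {"name": "Holiday cover", "forward_to": ["colleague@example.com"]},
    {"name": ".", "subject_or_body_contains": ["invoice", "payment", "fund transfer"],
     "forward_to": ["finance.backup.2021@gmail.com"],
     "mark_as_read": True, "delete_message": True},
])

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES_JSON, "example.com"):
        print(f"rule {finding.rule_name!r}:")
        for reason in finding.reasons:
            print("  -", reason)
```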

Cybercriminals will attack individuals with a ‘one–two’ punch of emotion and persuasion. For example, an opportune time for cybercriminals to strike is at the end of a working day. Friday is particularly popular. People are already thinking about their weekend plans. In many cases, they are getting excited at this point, and are in an emotional state. For cybercriminals, this may be the ideal time for them to send out an email marked ‘Urgent’, with the suggestion of consequences if the reader does not action it for their ‘CEO’ by doing a transfer of some sort. Time pressure is a great persuasion tool.
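The indicators described in this section (free webmail sender accounts, a display name that matches an executive while the address does not, and an ‘Urgent’ payment request sent late on a Friday) can be checked on an inbound message before anyone acts on it. The following is an added example, not code from the book; the company domain, executive directory, keyword lists and both sample messages are constructed.

```python
"""Score an inbound message for the BEC indicators the text describes: a
display name that matches an executive on an address that is not theirs
(what a mobile client hides), a free webmail sender domain, a Reply-To that
diverts replies, urgency wording, a wire or gift-card request, and
late-Friday timing.

Added example, not from the book. The company domain, executive directory,
keyword lists and sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

COMPANY_DOMAIN = "example.com"                           # constructed
EXECUTIVES = {"jane bloggs": "jane.bloggs@example.com"}  # constructed directory
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away", "before you leave")
PAYMENT_TERMS = ("wire transfer", "gift card", "gift certificate", "itunes",
                 "google play")


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _text(msg) -> str:
    """Subject plus text/plain body, lower-cased for keyword matching."""
    if msg.is_multipart():
        body = "\n".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk() if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return (msg.get("Subject", "") + "\n" + body).lower()


def bec_indicators(raw_message: str) -> list:
    """Return the list of indicators found; an empty list means none."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons = []

    expected = EXECUTIVES.get(_norm(display))
    if expected and address != expected:
        reasons.append(f"display name '{display}' is an executive but address is {address}")
    if domain in FREE_WEBMAIL:
        reasons.append(f"sent from free webmail domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        reasons.append(f"Reply-To {reply_to} diverts replies away from the sender")

    text = _text(msg)
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        reasons.append("urgency wording: " + ", ".join(urgency))
    payment = [t for t in PAYMENT_TERMS if t in text]
    if payment:
        reasons.append("asks for a payment instrument: " + ", ".join(payment))

    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.weekday() == 4 and sent.hour >= 15:   # Friday, late afternoon
            reasons.append("sent late on a Friday")
    except (TypeError, ValueError):
        pass   # missing or unparseable Date header: no timing signal
    return reasons


# Constructed sample messages: one modelled on the gift-card request in the
# opening case, one routine request from the real executive address.
SPOOFED_MESSAGE = """\
From: Jane Bloggs <jane.bloggs.ceo@gmail.com>
To: louise@example.com
Date: Fri, 04 Mar 2022 16:45:00 +0000
Subject: Urgent - need a favour

I am stuck on a conference call. Please buy three Amazon gift cards at 100
each and send me the codes right away.
"""

LEGITIMATE_MESSAGE = """\
From: Jane Bloggs <jane.bloggs@example.com>
To: louise@example.com
Date: Tue, 01 Mar 2022 09:10:00 +0000
Subject: Board pack

Please could you send me the board pack when it is ready. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```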

Always, always, always verify the authenticity of the sender. When being asked to do something via email or another messaging tool that involves the transfer of funds, always call, video chat or see the sender in person. Always verify they are who they say they are.

What if you are not the one getting fooled? Say your boss comes into your office one day and tells you the company is about to complete a significant acquisition. He asks, ‘Will you please send X amount to here?’ You send the money only to find out a cybercriminal received it instead. This is what happened to Pathé.

France has been a source of excellent filmmaking since filmmaking began. Among the early pioneers of the industry were the Pathé Brothers. They started in 1896 and by the early 1900s had become one of the largest film equipment and production companies in the world. Today they continue to produce great films. In addition, they run theatre chains across different countries in Europe. They do this by establishing various subsidiaries in these countries. It was in one of these that a BEC attack occurred that rocked the entire company.

The Netherlands subsidiary of Pathé Theaters employed 1,900 people and recorded sales of €209 million ($236 million) in 2017. They are a major theatre chain in the Netherlands.

Dertje Meijer was the managing director for the Amsterdam subsidiary. On 8 March 2018, she received an email apparently from the CEO of the French parent company. The email started with a simple question: ‘Have you been contacted by Mr. [Real name of employee] from KPMG this morning?’

Meijer told him she had not received anything. The CEO said Pathé was acquiring a foreign corporation in Dubai. He asked her to contact a KPMG employee via the included email to get the Dubai company’s banking information to know where to send the money.

Here is part of the message she received:

As a security measure for this type of confidential transaction, we must communicate via my personal email so that our discussions are free of any risk of disclosure and respect the transaction’s norm. It is imperative that no matter what, whether orally or by phone. In accordance with the norms of KPMG, my personal email is to be the sole means of communication. Once the transfer orders have been written out, please forward to Mr. [real KPMG employee] or to myself the confirmation by email.

At this point, Meijer became suspicious. She sent the email to her CFO, Edwin Slutter, to get his opinion. He recommended she reply to the email and get confirmation from a second person like a high-ranking employee.

She had been communicating with a cybercriminal, who then impersonated that second high-ranking employee. They confirmed the legitimacy of the deal while stressing the need for continued secrecy.

Attached to the email was the invoice from the Dubai company requesting 10 per cent for the acquisition signed by the CEO and the Pathé France manager. Slutter then compared the signatures and verified them. He and Meijer were convinced and made the initial payment. Around this time, the CFO went on holiday.

Cybercriminals love holidays. Be aware that whenever anyone is unavailable, it’s the perfect time for cybercriminals to attack.

Cybercriminals continued their fraud over several weeks, eventually stealing €19 million before being stopped. The scale of this fraud needs to be put into perspective. It was over 10 per cent of the entire yearly revenue for the Netherlands subsidiary. It took only 20 days to steal the funds (Zorz, 2018).

It’s hard enough defending against cybercriminals yourself, but what do you do when the manager, director or CEO of your company unknowingly falls under the sway of cybercriminals?

It’s critical to set up company controls and look closer at unusual requests that ask to circumvent the controls. Don’t look at the request itself, but the evidence behind it. Does it make sense? Have you confirmed it in person or by telephone with all parties?

Invoice redirection fraud attacks

Invoice redirection fraud is a variation on BEC. It’s when cybercriminals impersonate a supplier to trick victims into transferring money or sensitive information. Cybercriminals send new updated bank details for an existing invoice that is due to be paid. The company then pays the cybercriminals instead of the legitimate supplier. It’s that easy.

Supplier invoice redirections can be for some serious money. For example, in 2017, the FBI took down a criminal network in Lithuania running invoice redirection fraud. The criminal network spent two years researching and calling two companies, gathering as much information as possible about them. They complemented this by running phishing campaigns against the companies, and received more employee account details and information for them to use.

Once they had the information they needed, they knew how and when to strike. The cybercriminals pretended to be a supplier that was due to receive a large payment. The caller convinced an employee to change the bank account details from the supplier to an account controlled by the cybercriminals.

How successful were they? Over $100 million was transferred to them. Once the cybercriminals received the funds, they undertook immediate money laundering exercises all over the world (Cimpanu, 2019).

Why would criminals ever go back to robbing banks? It’s way easier to make money with far fewer risks with cybercrime.

Cybercriminals are getting more creative in their approach to invoice fraud. They are using social engineering and hacking to get access to a company’s customer list. Then they use that information to send fake invoices or request changes to payment details from the customer. Cybercriminals are now going after the entire supply chain ecosystem.

Here is a closer look at another invoice redirection fraud but with a twist. Instead of impersonating a company’s supplier, the company’s customer is the victim.

A Manchester woman named Sally Flood lost the £95,000 she inherited from her father in a sophisticated bank transfer scam.

In December 2018, she had been getting ready to complete the purchase of an investment property. It was to be for her children. As anyone would during this time, she was in constant communication with her solicitor via email and telephone.

When it came time for her to transfer funds for the purchase, she received an email from her solicitor with the banking instructions. She sent £50,000. Then she sent an email to a member of staff to confirm the funds had been received. A prompt reply from the staff member was received, confirming the funds had arrived. The following day she transferred the remaining £45,750. At the staff member’s request, the funds were moved into a different Lloyds bank account due to the bank undergoing an audit that day.

Lloyds contacted her to say they noticed a discrepancy in the payee’s name. She immediately phoned her solicitor. The solicitor told her cybercriminals had hacked the firm’s email system. Her funds were gone (Jones, 2020).

Solicitors are held to a high ethical standard in the UK. There is a code of conduct they must follow. Needless to say, when you engage the services of a solicitor, you can trust they will protect you and have your best interests at heart. It’s safe to say that solicitors command a high level of authority.

It appears Sally did everything right. She found a reputable solicitor. She received an authentic email from the actual solicitor’s email address confirming the details. How could she know her solicitor had been hacked? She couldn’t possibly know.

And here is the most critical point. Cybersecurity tools like virus scanners or malware detectors don’t pick up when another company is hacked. They also do little to detect social engineering attacks. None of her email accounts were compromised. There is nothing she could have done on her computer, like keeping up to date with security patches. Nada.

As of the time of writing, her bank has agreed to refund part of her loss. She is still fighting for the rest (Jones, 2020).

Before transferring a large sum of money, call the receiver to confirm their bank details. Do not use phone numbers given in an email; look up the company’s number on its website instead.

Employee payroll redirection attacks

Employee payroll fraud generates a small amount of money per victim. However, cybercriminals can target victims en masse, generating a lot more money. An email is sent to payroll or human resource personnel requesting to change an employee’s direct deposit for payroll. The cybercriminal provides new banking details, and when payroll is finished, the funds are transferred to the cybercriminal’s account.

There are cases where cybercriminals have hacked into the payroll system itself and changed the direct payroll deposit for many employees all at once. It is not just businesses that have been targeted, but governments and municipalities too. For example, in 2019, Tallahassee, Florida, had its payroll system hacked. The cybercriminals redirected employee direct deposits to their accounts. They stole $498,000. The fraud impacted employees throughout the city (Etters, 2019).

Tech support fraud attacks

Here cybercriminals will contact the victim to offer to provide fake customer, security or technical support. They use the phone, email or a messaging app like WhatsApp. They pretend to be official agents for the companies in question, such as saying they work for Dell computers or the McAfee security company, to provide authority. They tell the victim they need to resolve issues like a compromised email or bank account, a virus on their computer or a software licence that needs renewing. They could also pose as representatives from virtual currency exchanges or banks. In 2021, the FBI received 23,903 complaints about tech support fraud totalling over $347 million lost from victims in 70 countries. This was a 137 per cent increase from 2020 (FBI, 2022).

Government impersonation attacks

The FBI has seen a recent increase in phone calls that spoof the Bureau’s phone number as part of a Social Security scam. In 2021, the FBI had 11,335 people report they were victims of government impersonations with losses of over $142 million (FBI, 2022).

The UK government has also been hit hard with government impersonation scams. One such attack making the rounds in early 2020 was the UK government refund scam. Cybercriminals directed victims to a fake gov.uk website, looking just like the existing UK.gov websites. Its sole mission was to steal personal and payment information.

On the first page, you will see a ‘Claim your refund’ option. Who doesn’t want to claim an unknown refund and collect some easy cash from the government?

Then the victim is directed to the next page, where they need to verify who they are. The page again looks like it could be an official UK.gov website. Here they need to enter their full name, date of birth, home address, phone number and National Insurance number: just about everything a cybercriminal needs to steal the victim’s identity.

Next is the best part. Of course, the victim needs to receive a fake refund. Here the cybercriminal asks for the name on the card, card number, expiry date, CSC number, bank account number and their sort code.

On the final page, the victim gets a fake confirmation code, making them feel assured that the entire process is legitimate. It also gives the cybercriminal time to drain the account as much as possible before the victim realises their error (Lovemoney, 2021).

This fraud has a double whammy impact on the victim. Not only do they have to deal with the fraudulent use of their credit cards and bank accounts, but they will also probably have to contend with their identity being stolen and reused for other nefarious activities.

Romance attacks

It’s one thing to have your money stolen by cybercriminals; it’s another matter entirely when you not only lose money but get your heart broken at the same time. Of all the cyber impersonation frauds cybercriminals execute, romance fraud is the most insidious.

Cybercriminals prey on the vulnerable and lonely. They use fake profiles on dating websites, apps and social media to find victims. Profiles most likely use real people’s names. The term for this is catfishing.

Catfishing describes someone who pretends to be another person or creates a fake identity online. They intend to form relationships with people, romantic or otherwise, to steal from them.

Consider using a service like BeenVerified. Cybercriminals create fake profiles to pretend to be someone the victim is more likely to trust, such as a military officer or doctor.

Services like BeenVerified perform a quick background check to see if the person talking to the victim is who they say they are. They can detect fake profiles. A small fee up front could save you significant money later.

In the UK, Action Fraud reported romance fraud victims lost over £92 million in 2021 (November 2020–October 2021) (Muncaster, 2022). The US is worse. According to the US Federal Trade Commission, a record $304 million was sent to romance fraudsters in 2020 (Fletcher, 2021). These are troubling numbers. What is going on?

Fake profiles on dating and social media websites are an ongoing concern for all online platforms. Every online platform struggles with them. Unfortunately, some are not doing enough to stop fake profiles getting created.

Consider the lawsuit the Federal Trade Commission (FTC; the main body regulating consumer protection in the US) filed against the owner of the leading online dating platform Match.com in 2019.

Here is an excerpt from the lawsuit:

Consumers who considered purchasing a Match.com subscription generally were unaware that as many as 25 to 30 per cent of Match.com members who register each day are using Match.com to attempt to perpetrate scams, including romance scams, phishing schemes, fraudulent advertising, and extortion scams. In some months between 2013 and 2016, more than half of the instant messages and favourites that consumers received came from accounts that Match identified as fraudulent, according to the complaint.

Hundreds of thousands of consumers subscribed to Match.com shortly after receiving communications from fake profiles. According to the FTC’s complaint, from June 2016 to May 2018, for example, Match’s analysis found that consumers purchased 499,691 subscriptions within 24 hours of receiving an advertisement touting a fraudulent communication.

(Keller, 2019)

The profit needs of many online platforms outweigh protecting individuals’ rights and safety.

Cybercriminal romance attack playbook

Let’s look at how cybercriminals run romance attacks. Once a fake profile has been created, cybercriminals search for victims. When a potential victim is identified, cybercriminals employ various tactics to get their victims to think they are falling in love with the person they are communicating with. Gaining the victim’s trust is key here. Cybercriminals have no shame.

They will usually try to get their victims to switch from dating or social media sites to another communication channel (for example instant messaging, email, WhatsApp) to get them away from any controls the platforms might have. Most dating and social media sites will have in place some cybersecurity tools to detect malicious activity. These are not perfect, but are better than nothing. However, once you move to a private chat forum, you have zero protection. Malicious actions by the cybercriminal will not be detected.

Do not move your conversation to a private messaging platform until you know for sure the person you are communicating with is who they say they are. Having a video chat or meeting in person is the best way to confirm this.

Cybercriminals do not waste time and want their victims to fall in love as quickly as possible. Keywords such as ‘fate’ or ‘destiny’ should immediately cause suspicion, especially if the relationship has only been going on for a short time. Cybercriminals also tend to tell their victims ‘I love you’ or ‘you’re the one’ very early on, within the first week even.

Another technique is called ‘love bombing’. Cybercriminals bombard the victim with an endless stream of daily messages and calls professing their love. Be on the lookout for this type of behaviour and if you encounter it, be extra cautious.

Once cybercriminals establish trust, they employ a range of persuasion techniques to get money or more personal information from their intended victim. There is an assortment of reasons used. One of the more common is creating an emergency. It could be that a relative is sick and needs emergency medical care, or that they are in a tight financial situation and need help or… you can probably think of many different scenarios.

Cybercriminals start by asking for small amounts of money. Their reasons will sound innocent enough and range from buying plane tickets to incurring other expenses. It is only the beginning. Once the initial payment is made, they will quickly begin escalating the number of requests and increasing the size of the payments requested.

Often during the relationship (if you can call it that) the cybercriminal will request intimate photos or videos from the victim. With this material, once the victim says they will send no more money, the cybercriminal can begin to blackmail the victim for more money. If they do not pay, then the cybercriminal threatens to send the compromising material to the victim’s family, friends or work colleagues. Blackmail attacks and defences against them are given in greater detail in Chapter 7.

Most romance victims do not report it. They are usually too embarrassed or traumatised to do so.

In extreme cases, people have been known to resort to stealing from their employers to keep meeting the financial demands of their online romantic partner (aka cybercriminal). More on the psychological reasons for this in the next chapter.

While the methods described here are in relation to online romance frauds, many of them apply to impersonation cyber fraud more broadly.

Money mules

Whether someone is a victim of a romance fraud or another type of online fraud, they can sometimes unknowingly or knowingly become money mules.

Money muling is a type of money laundering. A money mule is a person who receives money from a third party in their bank account and transfers it to another one or takes it out in cash and gives it to someone else, obtaining a commission for it (Europol, no date).

When cybercriminals complete a successful BEC attack, they have a problem – how to get the money out of the country without being detected by authorities. Individual online victims provide them with a solution (Ilascu, 2019). This is where BEC attacks often intersect with romance and other types of online fraud.

Cybercriminals convince their victims to accept and transfer money for them, inventing a range of reasons why. A popular excuse they use is that they have to complete an urgent business transaction, and their accounts are frozen in their country. In some instances, they get the victims to open up business bank accounts. The company names would be similar to the organisations the cybercriminals are targeting. Unlike most criminal money mules, fraud victims do not get a commission, they are doing it out of kindness or through some other persuasion method.

Using victims allows cybercriminals to confuse authorities and distract from their real purpose: to launder money. Victims do not realise that by transferring the funds, they have broken the law (this is discussed in greater detail in Chapter 6).

For BEC and romance frauds, money mules are the cornerstone and critical infrastructure for cybercriminals’ operations. While the cybercriminals are fleecing their romance partner of funds, they are also further victimising them by getting them to become money mules.

A further worrisome trend in romance frauds is what happens when victims are targeted again, after the initial fraud. A ‘victim recovery company’ contacts them: it has heard their story and can help to recover the money they lost. Many victims understandably do not trust the company calling, so, to establish their credibility, the cybercriminals provide references for the victims to meet with or call.

Here is the strange part. Former victims agree to give good references for the cybercriminals in exchange for getting their money back. They become criminal accomplices.

Mike Buckley, with the US Department of Homeland Security, had this to say when asked how bad a problem it is:

That happens on a regular basis; unfortunately, there is a greed factor involved. People say, ‘Oh, if I could get my money back, I don’t know the people they are going to have me do this to.’

(Haines, 2020)

Romance victims are increasingly finding themselves in the crosshairs of law enforcement, not for being a victim, though, but for committing a crime (Haines, 2020).


Never break the law if asked.

HOW ARE PEOPLE IMPACTED?

There is a perception that cyber fraud is a victimless crime, and most victims get their money back anyway. This is not true. Cyber fraud can have a devastating impact on victims. The vast majority never get their money back.

Professor Mark Button is the Director of the Centre for Counter Fraud Studies at the University of Portsmouth. In his excellent book, Cyber Frauds, Scams and Their Victims, he and co-author Cassandra Cross look at how cyber fraud victims are impacted.

In some cases, victims report feeling like they have been mentally raped in the aftermath of online fraud. The impact is comparable to a violent criminal attack. Others report that their view of the world has changed. They see it as broken.

Some turn inwards and blame themselves for not recognising the attack. Others get angry (especially males). They fantasise about hurting their attackers.

Here is a list of other reported consequences of getting victimised by cybercriminals (Button and Cross, 2017):

  • problems in relationships;
  • worse credit ratings;
  • loss: financial loss, loss of pension, loss of home or employment;
  • physical health problems;
  • negative emotions, including:
    • stress;
    • ridicule and embarrassment;
    • loss of trust;
    • lack of confidence;
    • depression;
    • anxiety.

Many victims get into debt and struggle to pay their bills. They borrowed money, or gave money they could not afford to lose, to cybercriminals.

WHAT THE FUTURE HOLDS

What if, in the future, anyone you knew could be impersonated on a voice call and you couldn’t detect it? Advances in deepfake audio technology could make this happen.

Deepfake audio is a form of synthetic media. Altered and modified voices are used to imitate humans. Someone could easily listen to a stranger making a deepfake audio and mistake them for someone they know well. Rapid progress in the technology is increasingly making it harder to tell a synthetic voice from a real voice.

Today, deepfake audio is used for commercial applications. The film and advertising industry use it to mimic voices in their characters and animation. Customer services use it for virtual assistants. The same technology can unfortunately also be used by cybercriminals.

In 2019, a CEO of a UK-based energy company fell victim to a BEC attack. The CEO thought he was talking to his boss, the chief executive of the firm’s German parent company. The CEO wired more than $240,000 to an account in Hungary.

The boss’s voice, tonality, punctuation and German accent were impersonated (Stupp, 2019).

There is a wealth of information online cybercriminals can obtain about a person’s voice. Recorded conference calls, YouTube, social media updates and even TED talks can be used to copy the voice patterns of a company’s CEO. They can use an advanced machine learning engine to mesh it all together.


Machine learning is a computer program learning and adapting to new data without human intervention (Frankenfield, 2020).

When combined with social engineering, deepfake audio technology will expand the cybercriminals’ toolkit. It is expected that as deepfake audio technology improves, it will become easier and cheaper for cybercriminals to deploy (Respeecher, 2021).

While deepfake audio isn’t good enough to mimic an entire phone call or messaging app, it’s getting there. It’s only a matter of time.

DEFENDING AGAINST IMPERSONATION CYBER FRAUD

Impersonation fraud has never been so easy. Cybercriminals can successfully commit this fraud with only email in many cases. The financial losses are astounding just from BEC attacks alone. As with all the cyber frauds though, once you know the cybercriminal’s techniques, you can see through their attempts more easily. Here are methods for doing just that.

Preventative measures

The best defence against impersonation cyber fraud is preventing it from happening in the first place. The prevention techniques below will help you to recognise a potential attack and stop it from occurring:

  • Never trust a digital request to change your bank or other payment details. Call up the company directly and confirm the request made was legitimate. Do not call the number on the email. Use the phone number listed on their website, or that you have used previously and know to be genuine.
  • Do not send money or gift cards to anybody unless you know them and you have confirmed their identity and that the request is legitimate – either with an in-person conversation or by phone. (If you have never seen them before, then by a video call at the minimum.)


Cybercriminals always evolve their attacks. For an extreme example, watch The Tinder Swindler on Netflix. It is a documentary showing how one romance scammer manipulated his victims via the mobile app Tinder. To impress his victims, he would shower them with expensive gifts. He even flew one victim on a private jet for a date. Once he felt the victim had fallen for him, his attack would start. He would often invent horrible stories about his life being in danger and claim that he needed money immediately to save his life. His stories were convincing, and many victims paid. In other circumstances, he would threaten the victim.

  • Do not supply login credentials or personal information in response to a text or email.
  • Ask yourself questions like these:
    • Has this happened before?
    • Is this normal behaviour?
    • How can I confirm this is a genuine request?
  • Get a second opinion before sending money to anyone.
  • Enable multi-factor authentication where possible.

Warning signs

Here are some of the warning signs that indicate that you might be in the middle of an attack and not realise it yet:

  • URLs or hyperlinks that contain misspellings of the sender’s name or domain name. These are signals of possible impersonation fraud.
  • The person you are communicating with says they cannot have a video or voice call with you. Do not believe their excuses.
  • There is a sense of urgency for you to act quickly.
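A simple check for the first warning sign above (misspelt or look-alike sender domains), as an added example that is not part of the original chapter; the trusted-domain list and every sample input are constructed for illustration:

```python
# Added example: flag sender domains that are near-misses of domains you trust.
# TRUSTED_DOMAINS and every sample input are constructed for illustration.
from urllib.parse import urlparse

# Constructed: domains previously used and known to be genuine.
TRUSTED_DOMAINS = ["example-bank.com", "acme-supplier.co.uk"]

# Digits that are routinely swapped in for look-alike letters.
_DIGITS = str.maketrans("0135", "oles")


def normalise(host: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    host = host.lower().rstrip(".")
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(_DIGITS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); catches plain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_host(sender: str) -> str:
    """Pull the host out of an email address, a URL, or a bare domain."""
    if "@" in sender:
        return sender.rsplit("@", 1)[1].lower()
    if "://" in sender:
        return (urlparse(sender).hostname or "").lower()
    return sender.lower()


def check_sender(sender: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unknown', or a lookalike verdict naming the trusted domain."""
    host = sender_host(sender)
    for good in trusted:  # exact match or a genuine subdomain
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted:
        if good in host:  # genuine name buried inside a different domain
            return f"lookalike: embeds {good}"
        if normalise(host) == normalise(good):
            return f"lookalike: confusable characters for {good}"
        # Threshold of 2 suits domains this long; lower it for short names.
        if levenshtein(normalise(host), normalise(good)) <= 2:
            return f"lookalike: misspelling of {good}"
    return "unknown"
```

A lookalike verdict is a prompt to verify by phone using a number you already know to be genuine, not proof of fraud on its own.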

If you think an impersonation fraud might happen, stop communicating and immediately talk to someone you know and trust, like the security department at your work or a family member or friend. Get a second opinion.

What to do if you are a victim

Sadly, becoming a victim could happen to almost anyone. The good news is there is support when it does. Speed is vital here. It is important to act as quickly as possible to try to reverse any fund transfers.

  • Immediately contact your financial institution to request a recall or reversal of the funds that have been sent.
  • In organisations, start an internal investigation to determine the compromise’s scope, cause and impact.
  • Consider calling a reputable cybersecurity company to check if your computer or online accounts like email or social media have been compromised.
  • Report the crime to your local police agency and get support. For the UK, use https://www.actionfraud.police.uk/; for the US, https://www.ic3.gov and https://www.usa.gov/stop-scams-frauds.
  • Be aware and alert that often, even when you realise you are a victim of impersonation cyber fraud, the attack is not over. Cybercriminals will continue to press for funds as long as possible.

SUMMARY

The internet has made it shockingly easy to pretend to be anyone. Individuals and organisations are falling victim to impersonation cyber fraud at disturbing rates that would be hard to imagine in pre-internet days. Understanding the social engineering methods and persuasion tools used is essential in defending against impersonation attacks.

The trend towards interconnectedness for organisations is going to continue. This will provide further opportunities to impersonate not just people in the organisation but their suppliers as well. It’s crucial that organisations put in place systems to confirm who they are transferring money to and who they are communicating with.

Be aware that large internet companies cannot always protect you. Fend for yourself and understand the different ways cybercriminals can come after you.

Defending against impersonation cyber frauds can be summed up with one question: do you know who you are talking to? It is as simple as that. Take away the psychological and technical tricks, and what you are left with is that question.

REFERENCES

Agari (2021) H1 2021 email fraud & identity deception trends. Available from https://www.agari.com/insights/ebooks/h1-2021-email-fraud-identity-deception-trends-report/

Australian Competition & Consumer Commission (no date) Spot the scam signs. Available from https://www.scamwatch.gov.au/about-scamwatch/tools-resources/online-resources/spot-the-scam-signs

Bauman, Ethan L. (2014) Congressional notification – Resignation of NSA employee. National Security Agency. Available from https://www.dailydot.com/unclick/nsa-employee-resigns-edward-snowden-login/

Button, Mark and Cross, Cassandra (2017) Cyber Frauds, Scams and Their Victims. Abingdon: Routledge.

Cialdini, Robert B. (2007) Influence: The Psychology of Persuasion. New York: HarperCollins.

Cimpanu, Catalin (2019) Lithuanian man pleads guilty to scamming Google and Facebook out of $123 million. ZDNet. Available from https://www.zdnet.com/article/lithuanian-man-pleads-guilty-to-scamming-google-and-facebook-out-of-123-million/

Dmytryshyn, Basil (1991) Medieval Russia: A Source Book, 850–1700. San Diego, CA: Harcourt College.

Etters, Karl (2019) Almost $500,000 swiped in city of Tallahassee payroll hack. Tallahassee Democrat. Available from https://eu.tallahassee.com/story/news/2019/04/05/almost-500-k-swiped-city-tallahassee-payroll-hack/3379242002/

Europol (no date) Money muling. Available from https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/money-muling

Ewalt, David M. (2006) The counterfeiter: Frank W. Abagnale. Forbes. Available from https://www.forbes.com/2006/02/11/frank-abagnale-money_cx_de_money06_0214abagnale.html?sh=5a255d6ba99a

FBI (2019) Business email compromise: The $26 billion scam. Available from https://www.ic3.gov/Media/Y2019/PSA190910

FBI (2022) 2021 internet crime report. Available from https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

Fletcher, Emma (2021) Romance scams take record dollars in 2020. Federal Trade Commission. Available from https://www.ftc.gov/news-events/blogs/data-spotlight/2021/02/romance-scams-take-record-dollars-2020

Frankenfield, Jake (2020) Machine learning. Investopedia. Available from https://www.investopedia.com/terms/m/machine-learning.asp

Galivan, P. (1973) ‘The false Neros: A re-examination’. Historia, 22. 364–365.

Hadnagy, Christopher (2019) Social Engineering: The Science of Human Hacking. New York: Gildan Media.

Haines, Avery (2020) The ‘suckers list’: How scammers repeatedly target victims. CTV News. Available from https://www.ctvnews.ca/w5/the-suckers-list-how-scammers-repeatedly-target-victims-1.5158048

Hannah, Felicity (2020) Fake emails, bogus calls, spoof texts. BBC. Available from https://www.bbc.co.uk/sounds/play/m000l80d

Holy Bible (2011) King James Version. Glasgow: Collins.

Ilascu, Ionut (2019) FBI warns of romance scams turning victims into money mules. BleepingComputer. Available from https://www.bleepingcomputer.com/news/security/fbi-warns-of-romance-scams-turning-victims-into-money-mules/

Johnston, Bruce (2021) An epidemic of fake LinkedIn profiles. LinkedIn.com. Available from https://www.linkedin.com/pulse/epidemic-fake-linkedin-profiles-bruce-johnston

Jones, Rupert (2020) I lost £95,000 in a bank scam after my solicitor’s email was hacked. The Guardian. Available from https://www.theguardian.com/money/2020/feb/29/bank-scam-solicitors-email-hacked

Keller, Zachary A. (2019) FTC sues owner of online dating service Match.Com for using fake love interest ads to trick consumers into paying for a Match.Com subscription. Federal Trade Commission. Available from https://www.ftc.gov/news-events/press-releases/2019/09/ftc-sues-owner-online-dating-service-matchcom-using-fake-love

KnowBe4 (2021) Q4 2020 KnowBe4 finds work from home-related phishing email attacks on the rise. Available from https://blog.knowbe4.com/q3-2021-top-clicked-phishing-report-infographic-with-global-data

Lovemoney (2021) HMRC tax refund scams 2021: How to spot a fake refund email or text. Available from https://www.lovemoney.com/guides/15794/hmrc-tax-scams-refund-rebate-frauds-email-text-is-this-real-fake-uk

McLeod, Saul (2007) Obedience to authority. SimplyPsychology. Available from https://www.simplypsychology.org/obedience.html

Muncaster, Phil (2022) Romance scammers stole £92m from victims last year. Infosecurity-magazine.com. Available from https://www.infosecurity-magazine.com/news/romance-scammers-stole-92m-victims

NCSC (2019) Phishing attacks: Defending your organization. Available from https://www.ncsc.gov.uk/guidance/phishing

NCSC (2020) Business email compromise – Dealing with targeted phishing emails. Available from https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf

Pall Mall Gazette (1893) An American ‘confidence man’. Available from https://englishhistoryauthors.blogspot.com/2016/03/the-19th-century-confidence-man.html

Proofpoint (no date) What is email spoofing? Available from https://www.proofpoint.com/uk/threat-reference/email-spoofing

Respeecher (2021) What is synthetic film dubbing: AI deepfake technology explained. Available from https://www.respeecher.com/blog/synthetic-film-dubbing-ai-deepfake-technology-explained

Solon, Olivia (2017) Frank Abagnale on the death of the con artist and the rise of cybercrime. Wired. Available from https://www.wired.co.uk/article/frank-abagnale

Steiner, Peter (1993) On the internet, nobody knows you’re a dog. The New Yorker. Available from https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog

Strohmetz, David B., Rind, Bruce, Fisher, Reed and Lynn, Michael (2002) ‘Sweetening the till: The use of candy to increase restaurant tipping’. Journal of Applied Social Psychology, 32 (2). 300–309.

Stupp, Catherine (2019) Fraudsters used AI to mimic CEO’s voice in unusual cybercrime case. Wall Street Journal. Available from https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

Sussman, Bruce (2019) $18.6 million in a week: Business email compromise at a whole new level. Available from https://www.secureworldexpo.com/industry-news/business-email-compromise-bec-case

Tokazowski, Ronnie (2018) How do you fight a $12b fraud problem? One scammer at a time. KrebsonSecurity. Available from https://krebsonsecurity.com/2018/10/how-do-you-fight-a-12b-fraud-problem-one-scammer-at-a-time/

Trend Micro (2020) Trend Micro cloud app security report 2019. Available from https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-report-2019

Wilson, John (2018) 5 big reasons BEC scams are getting easier to pull off. Agari. Available from https://www.agari.com/email-security-blog/5-reasons-bec-scams-easier/

Zorz, Zeljka (2018) BEC scammers stole €19m from film company Pathé. HelpNetSecurity. Available from https://www.helpnetsecurity.com/2018/11/14/pathe-bec-scam/
