Online Criminal Impersonation 101: Our Own Case of CEO Fraud
How This Type of Scam Works
You’re probably familiar with the legal term of criminal impersonation, but how does this felony take place when it’s online?
What is the usual approach employed by hackers or someone with malicious intent towards you personally?
What can you expect from it?
Are the impersonators risking anything?
How can you find out and protect yourself from its effects?
All these questions and more will be addressed below. In the following story, I’ll share with you the key facts of online criminal impersonation, as well as show you what happened in our own organization.
Wondering what you will learn from this post?
First, the ground facts on what is criminal impersonation in general and online criminal impersonation in particular.
Then, the basics of what is CEO fraud, how it usually works, how to spot it and how to prevent becoming a victim of it.
Finally, a look inside a real-life example from our own company. A group of not very smart hacker wannabes tried to impersonate our CEO in a bad attempt at CEO fraud. As much as we were amused, we know this tactic can be successful if you’re not careful, so we decided to share the story with you all, as a cautionary tale.
Here we go!
What Is Defined as Criminal Impersonation?
First of all, and this may be a bit of a surprise, you should know that it’s not always illegal to impersonate a person or business entity, or to claim you are them although you are not.
One of the virtues and curses of the internet is that some degree of anonymity and creative falsehood are always allowed. If a strict forbiddance would be set in stone about this, people could never perform satire, fantasy humor, role-playing and so on. These are all quasi-harmless activities but crucial for nurturing a climate of free speech.
As much as it can be dismaying to discover that pictures of you or your family members are used by fake profiles and the like, it’s not a criminal offense.
SECURE YOUR ONLINE BROWSING!Get Thor Foresight
At most, the platform where the fake profiles were created will take them down after you report the fraud. But the people who were behind it are not criminally liable (prosecutable).
There have been some attempts to redefine current laws in order to criminalize more hacking actions, such as breaking into IT systems, IP spoofing and the like. While it’s definitely on the table, it’s not a reality yet.
Ok… so what then counts as criminal impersonation?
Definition: Criminal impersonation refers to those cases of impersonation committed as part of an attempt to gain benefits, or to cause harm to their victim. For example, hackers could be looking to commit something illegal while posing as you or to gain financial benefits (such as obtaining a loan in your name).
In other cases, it’s not about what they can gain, but about what you can lose.
A disgruntled ex, or former employee, or simply someone out to get you can impersonate you just for the purpose of causing harm. Creating fake explicit profiles in your name (and with your pictures) on adult dating websites, or hacking into your social media accounts to post embarrassing updates are just a few examples of how this can go down.
Sometimes, it’s entirely offline, although this takes considerably more effort to pull off. In a very disturbing news story, it was reported that some men pose as police officers in order to coerce women. In other cases, real flesh-and-bone people pose as attorneys, accountants, private detectives, real estate agents and so on. They meet with you, offer preliminary consultation and charge you an advance fee. You’re convinced that it’s all legit. Nevertheless, they disappear with your money afterward.
What Is Online Criminal Impersonation and What Forms Can It Take?
While criminal impersonation, in general, includes all offline and online activities pertaining to this type of behavior, online criminal impersonation is obviously restricted to just the digital aspects.
There are many ways in which you can become a victim of online impersonation (criminal or not) as an individual.
If the hackers are impersonating you:
- Financial loss (opening up credit or new accounts in your name);
- Reputational loss (posting compromising things or using your faked identity to spread their operations further under its guise);
- Hacking into your workplace using your identity (the target here is the company, but your credentials are used for the hack, so you could be held liable for any wrongdoing);
If the hackers are impersonating your conversation partner:
- Catfishing (A type of social scam where a new romantic partner you’re chatting with is actually a hacker looking for financial gain);
- Spear-fishing and BEC (business email compromise) attacks, where hackers are impersonating an entity you trust, like your bank or a business partner;
- If hackers are impersonating your boss (like in the example of CEO fraud we’ll discuss below);
- If hackers are impersonating a family member (by stealing their social accounts and phone, texting you that they’re in trouble and need a large sum of money right away, for example);
More examples can follow; to cut a long story short, the bottom line is that hackers are always creative about finding new ways to exploit identity theft and online criminal impersonation.
Here’s a crunch-down on the most common ways in which the information of victims was misused in 2017, according to iii.org.
For business entities, online criminal impersonation can get much more sophisticated than for private persons, and the stakes are much higher, too. The impersonation is also almost always of a criminal nature since the attackers are aiming to gain a financial advantage or to harm the business.
This means that online criminal impersonation can take many forms.
One of them is for the malicious parties to claim they are another company with which you are already working with, and send invoices to your company. If you expect those invoices and if the virtual identity of the hackers is almost indistinguishable from the one of the real company they are impersonating, then you won’t be surprised by this.
The hackers may even send you invoices with the exact amounts you expected (if they managed to get into the systems of the company they are impersonating). Then, of course, after you pay up, the hackers disappear and you are left to deal with the real third party which still needs those invoices paid.
Do you think it sounds like something only rookies could fall for? Think again. A Lithuanian man has been caught (and pleaded guilty) for stealing 100 million from Google and Facebook using this method. If it can happen to tech giants such as Google and Facebook, it can happen to anyone.
Out of all these forms, business email compromise (also known as BEC) is one of the hacker’s favorite ways of causing mayhem.
What you need to understand is that this is a very lucrative business for hackers.
Well, according to the FBI, malicious hackers managed to make over $3 billion from this type of B2B scam from October 2013 to May 2016. Since then, the numbers are probably much higher.
And you know what?
That’s just the amount of money with which they managed to get away with. As I said, it’s a very lucrative business, and if you’ve been following our blog you’re aware that malware is getting more and more creative.
What Is CEO Fraud?
CEO fraud is a particular type of BEC (business email compromise) and online criminal impersonation. It’s when you receive an email that seems to be from your top boss (or CEO), asking you to do something on their behalf and keep it secret.
If you’re not paying attention and you fall for it, hackers will be able to either gain access into the company’s systems or steal money from accounts and so on.
That email was not actually from the CEO. But sometimes, it can be difficult to tell and you don’t want to appear silly or to waste your boss’s time by asking for a confirmation or questioning the info.
Do you know what this is called?
Social hacking or social engineering.
It’s precisely because hackers are anticipating these all-too-human reactions (shame, fear, doubt, the desire to be helpful and ingratiate yourself with the boss) that they get their way. They are counting on our ability to be social (hence the name of social hacking).
But don’t fear and practice critical thinking. Educate yourself. Subscribe to our blog. Get a second opinion. It never hurts to be extra cautious.
How to Spot CEO Fraud: Tell-tale Signs
Here are a few ways in which you can immediately tell that you’re dealing with CEO fraud:
- The email address is not the legitimate one, with the exact domain name. Be extra mindful of typos, since almost accurate domain names are a hackers’ favorite.
- The CEO is asking you to handle something in secret. If it was really such a sensitive issue, wouldn’t they ask you this in person? Use your better judgment.
- They are asking you to disclose a piece of particular informatio, or to install something on your computer.
- The message is written with some mistakes since English is not really the strong suit of most cybercriminals.
Remember, sometimes the CEO fraud is a really good one, with perfect English and the right email address. It still doesn’t mean it’s legit and it never hurts to check with the boss in person.
What to Do If You’re a Target of CEO Fraud or Online Criminal Impersonation
First of all, do not engage with the fake account in any way. Do not give in to ransom attempts or do what they ask.
If it’s a simple matter of CEO fraud, just report it to your company executives and to the authorities.
If it seems to be a more serious matter of online impersonation, do your best to recover your accounts, and get in touch with all possible parties to alert them about this (your family, your employer, your bank, the police).
Here is where you can report identity theft:
The Heimdal Security Case: Hackers Pretended to Be Our CEO Morten Kjaersgaard
As I mentioned above, it recently happened to us too. Several of our employees received emails which seemed to come from our CEO, asking them to reply to them with some financial data. Of course, the text mentioned the urgency and secrecy of the project.
But upon a closer look, everyone could tell that even though the name of the sender is that of our CEO, the address it was coming in from was email@example.com. That is in no way a legitimate address.
Furthermore, if you look carefully, the email contains several spelling mistakes which are tell-tale signs of foul play.
Good morning [employee name] ,
I need you to manage a high priority situation with my Attorney [lawyer name].
It’s about a prime concern deal for the group, regarding a foreign corporation bid acquisition.
[Lawfirm name] lawyers offices ordered me that do not treat this case from Headquarters but use a foreign subsidiary to avoid leaks and insiders trading.
I did choose you to take control this operation with my lawyer and I.
No one else except us must be informed at this time.
Regarding this case the Financial Markets Authority has warned us that we must communicate only by email until the public announcement should made within the next few weeks.
First of all [employee name] provide me immediately the available cashflow of our bank account in UK.
Also give me another phone number which on you are comfortable to talk with him.
As soon as I receive those information, I will share with you further instructions.
Take a look at the text we replaced in the brackets. The hackers were using the names of very prominent (and legitimate) attorneys and law firms, as a way of adding credibility to the claim.
In other wide-spread cases, hackers simply invent law firms to start with. This way, if you contact the so-called attorneys to verify the claim, you’re talking to the initial hackers and, of course, they will confirm their own story.
In our case, this attempt of CEO fraud was a poorly executed one. The email of our CEO was not correct, the text was full of mistakes and the pretext laughable. But attacks like these still manage to go through, and businesses lose money and sensitive data to such attackers every day. Stay vigilant, informed, and safe.