What Is Online Impersonation?
You are probably familiar with the legal term of criminal impersonation, but how does this felony take place when it’s online? After reading this article, you will have a better understanding of the common strategies used by hackers or someone with malicious intent, as well as what to expect from such an attack. What are the potential implications, and what can you do when it happens to you?
Online Impersonation: Definition
Online impersonation refers to those cases when a malicious actor is using someone’s online identity in order to gain financial benefits (such as obtaining a loan in their name or asking their family and friends for money), or with the purpose of harassing, intimidating, or threatening their victim.
Who would do this? Easy. A disgruntled ex, or former employee, or simply someone out to get you can impersonate you just for the purpose of causing harm. Creating fake explicit profiles in your name (and with your pictures) on adult dating websites, or hacking into your social media accounts to post embarrassing updates are just a few examples of how this can go down. Sometimes, it’s entirely offline, although this takes considerably more effort to pull off.
What Forms Can Online Criminal Impersonation Take?
While criminal impersonation, in general, includes all offline and online activities pertaining to this type of behavior, online criminal impersonation is obviously restricted to just the digital aspects.
There are many ways in which you can become a victim of online impersonation (criminal or not) as an individual.
When hackers impersonate an individual, they can experience:
- Financial loss (opening up credit or new accounts in their name);
- Reputational loss (posting compromising things or using their faked identity to spread their operations further under its guise);
- Hacking into their workplace using their identity (the target here is the company, but their credentials are used for the hack, so they could be held liable for any wrongdoing);
When hackers are impersonating the victim’s conversation partner, we talk about:
- Catfishing (a type of social scam where a new romantic partner you’re chatting with is actually a hacker looking for financial gain);
- Spear-fishing and BEC (business email compromise) attacks, where hackers are impersonating an entity they trust, like their bank or a business partner;
- CEO fraud, where threat actors are impersonating the target’s boss;
- An attack where cybercriminals are impersonating a family member (by stealing their social accounts and phone, texting the target that they’re in trouble and need a large sum of money right away, for example);
More examples can follow; to cut a long story short, the bottom line is that hackers are always creative about finding new ways to exploit identity theft and online criminal impersonation.
For business entities, online impersonation can get much more sophisticated than for private persons, and the stakes are much higher, too. The impersonation is also almost always of a criminal nature since the attackers are aiming to gain a financial advantage or to harm the business.
This means that online impersonation can take many forms.
One of them is for the malicious parties to claim they are another company with which you are already working with, and send invoices to your company. If you expect those invoices and if the virtual identity of the hackers is almost indistinguishable from the one of the real companies they are impersonating, then you won’t be surprised by this.
The hackers may even send you invoices with the exact amounts you expected (if they managed to get into the systems of the company they are impersonating). Then, of course, after you pay up, the hackers disappear and you are left to deal with the real third party which still needs those invoices paid.
Do you think it sounds like something only rookies could fall for? Think again. A Lithuanian man has been caught (and pleaded guilty) for stealing 100 million from Google and Facebook using this method. If it can happen to tech giants such as Google and Facebook, it can happen to anyone.
Out of all these forms, Business Email Compromise (also known as BEC) is one of the hacker’s favorite ways of causing mayhem. What you need to understand is that this is a very lucrative business for hackers.
As explained by my colleague,
Business Email Compromise (BEC) is a type of targeted scam in which an attacker impersonates a company executive or high-level employee with the intent of defrauding or extracting sensitive data from the company or its partners. The end goal of a BEC fraud is to persuade the target to make a money transfer or send sensitive data to the attacker while believing they are executing a legitimate and regular business operation. Attackers achieve this by using different manipulating techniques in order to trick users into providing money or data.
Is Online Impersonation the Same as Identity Theft?
Identity theft is a somewhat similar crime, although it usually entails a more serious legal violation. The purpose of online impersonation is typically to harass, threaten, or scare the targets. Identity theft, on the other hand, involves the actual misuse of personal information, such as Social Security numbers or financial data, in order to commit fraud.
Online impersonation can include sending messages pretending to be someone else. Identity theft typically entails purchasing goods or financial transactions using another person’s identification information. This is why identity theft is typically prosecuted more harshly and can result in long jail sentences.
What to Do If You Have Been Impersonated Online
We get it! It’s terrifying to see someone claiming to be you online. An impersonator can jeopardize your reputation, relationships with friends, and even your professional life. You may panic at first, but it is critical to remain calm to work quickly in order to find a solution. Here is what you can do next:
- Make sure you know every friend you have on social media. Keep in mind that is recommended you only connect on social media with people you know, are friends with, or can at least trust. Attackers frequently send friend requests to users to get information regarding their lives, which they can then use for malicious purposes.
- Immediately inform your contacts. Inform all the people you know on social media right away about what’s going on and instruct them to avoid interacting with the impersonator. It would be even better if you called your family and friends to inform them of the situation, as they will most likely be the attacker’s first targets.
- Take screenshots. This can be very helpful later if you are involved in a criminal or civil lawsuit with a malicious actor who has intentionally harassed you.
- Don’t interact with the scammer. It is obvious they want to harm you or try to make some money out of this scam. They will probably not listen to what you have to say, and you’ll waste precious time instead of dealing with the actual problem.
- Contact the social media platforms and try and get them to delete the impersonated profile.
- Pay attention to your other account too. You should probably double-check that they’re accessible to you, that they haven’t been hacked, and that the fraudster hasn’t set up any additional phony accounts.
- Remain vigilant. Just because one false account was shut down you should not rule out the possibility of others. Look up your name on all of the social media platforms you use. Also, ask someone else to do the same in case the impersonator blocked you.
How Can Heimdal™ Help You?
HeimdalTM Security has developed two email security software aimed against both simple and sophisticated email threats (Heimdal™ Email Security, which detects and blocks malware, spam emails, malicious URLs, and phishing attacks and Heimdal™ Email Fraud Prevention, a revolutionary email protection system against employee impersonation, fraud attempts – and BEC, in general.
For example, you may want to consider HeimdalTM Security’s Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.
Why would someone want to impersonate you? Well, the purpose is almost always negative: either the scammer is attempting to dupe your friends and family on social media into doing something that benefits them, such as sending them money, or they are trying to destroy your image as a form of revenge/cyberbullying. Remember to stay calm and follow our recommendations
Drop a line below if you have any comments, questions, or suggestions regarding the topic of online impersonation – we are all ears and can’t wait to hear your opinion!
This article was originally published by Miriam Cihodariu in April 2019 and was updated by Antonia Din in January 2022.