Impersonation emails are on the rise. What should you know?

There is a big upward trend in what is called Hybrid Vishing. It’s a type of phishing attack where the cybercriminal typically reaches out to their victims (businesses and private citizens) through email (or text), but instead of a malicious link within the message, they will provide a phone number.

Hybrid vishing emails and texts usually imitate a legitimate invoice, payment confirmations, fraud alerts, account suspensions, or sweepstakes prize winnings from a trusted source. They do this by stealing branding elements and modifying the sender names in their emails to impersonate the trusted organization or influential person. When you respond by calling or messaging back to rectify, dispute, or collect what the email promises, they gotcha!

These scams incite urgency. Who wouldn’t be concerned about the life savings they worked so hard to save? Once the communication starts between you and them, they know exactly what to say, and before   you know it, you’re providing personal and/or credit card information.

Impersonation emails are fast becoming the preference of cybercriminals because of the high likelihood they will be able to deceive you and the security tools designed to block them.

There are typically two categories of email impersonation: Credential theft and Response-based.

Credential Theft Emails

Credential theft emails redirect recipients to fake websites by having them click on a link or an attachment within the original email. In most instances they are then asked to log-in like they normally would, not realizing the website they were directed to was a mirrored replica of the real thing. The criminal now has the credentials, user names, and passwords to hack into the ‘real’ account.

Response-Based Attacks

Response-based attacks, otherwise known as hybrid vishing, require the victim to communicate directly with the sender through additional messaging or by phone.

As mentioned earlier, many response-based emails are unexpected online invoices for products or services with a phone number to call. The goal of the email is just that --- They want you to call! The most common brands impersonated for this type of scheme are Paypal and digital security software for either Norton or McAfee products.

If you call the number, the criminal will do one of three things:

1. They will agree to cancel the disputed (fake) charge, provided you can verify your personal details, like your social security number, home address, mother’s maiden name, and more. ---- This is ID Theft at its best.
2. You (the victim) will be asked to disclose /reshare your credit card number, expiration date, CVV code, and home address to receive a refund. ---- By providing this information, you can almost anticipate future credit card fraud. Don’t do it!
3. And finally, the criminal may request remote access to your computer to personally remove the software they pretended to upload to your device. When they are most likely adding some type of tracking software that will record for months your passwords and account numbers as you type it into your device on future occasions.

How do you spot an impersonation email?

Like other scams, there is an unusual or unwarranted urgency in an impersonation email or text. If you don’t recognize the phone number provided, be suspicious.

Even if an email doesn’t seem outright suspicious or out of place, always double-check before calling any numbers or clinking any links.

1. Visit the website or whatever authority the message claims to be from and look for the number there. If it’s not listed under an official source, it’s most likely a scam.
2. Compare the email sender’s domain to what’s listed on the authority’s official website to ensure it’s legitimate.

What should you do with an impersonation email?

• Do not open it.
• Do not download any attachments accompanying the message.
• Never click links that appear in the message.
  • If you opened a link on your computer, or followed instructions on how to install a software, you may have installed something malicious. Uninstall the program and run a full antivirus scan.
• Do not reply to the sender.
• Report it.
  • This is a global initiative. Forward these emails to ReportPhishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies). Let the company or person that was impersonated know about the scheme.
  • Report the scam to the FBI’s IC3 Internet Crimes Compliant Center and/or the WI State Law Library
  • Report the scam to the social media platform that the cybercriminal used to engage you.
• Delete it.

What else can you do to protect yourself?

The question isn’t if an identity theft or online scam will happen, but when.

• Join the National Do Not Call Registry. It will help keep your cell phone number from suspicious sources. This will not stop all attacks, but it does reduce your risk of cybercriminals finding and using your number.
• If you have an online banking account, turn on your account notifications, specifically the Unusual Activity Alert, All Debit Transactions Alerts, and the Profile Change Alert.
• Acquire a free ‘Manage My Cards’ app for your credit and debit cards so that if needed you can instantly freeze (turn off) a card if you suspect fraud.

• Add dual authentication to your online banking accounts.
• Consider purchasing a credit monitoring and ID theft service. Some services will monitor (help keep safe) your minor children as well.

What should you do if you’ve been scammed and lost money?

• Immediately report the transaction to your bank or financial institution. Follow the instructions they give you.
• If the scam involved your credit card, call the number on the back of the card and report what happened. Follow the instructions they provide you as well.
• Save all correspondence and emails. Take screen shots/pictures of text messages. Document a timeline of what transpired.
• Call one of the three major credit reporting bureaus and ask that a fraud alert be put on your credit file. Fraud alerts are good for 90 days.
  • Equifax: 800-525-6285
  • Experian: 888-397-3742
  • TransUnion: 800-680-7289
• Stop all communication with the offender.
• Complete a report through your local police department and the FBI’s IC3 Internet Compliant Crimes Center, IC3.gov.
• Report the scam to the social media platform that they used to engage you.
• Change your passwords, to re-secure your online accounts.
• Visit https://www.fbi.gov/how-we-can-help-you/scams-and-safety for additional advice.
• Consider employing an ID theft service to assist in restoring your identity and credit.

If someone impersonates you on an email:

Report the scam to local law enforcement, the FBI’s IC3 Internet Complaint Crimes Center, and the Federal Trade Commission.

Yes, report this situation to all three organizations.

In Conclusion: Follow these general prevention cyber security tips

Stay diligent when using personal email. Most of us have become accustomed to recognizing “junk” mail in our US Postal mailbox and simply discard it without even opening. Apply this same logic to email, text messages, and phone calls from strangers and unknown sources.

• Major software companies DO NOT monitor your computer, if you are contacted by a “representative” it is likely a scammer.
• Whenever Bitcoin is used for payment, it is highly likely a scam.
• If you feel your banking information has been compromised, call your bank, there are steps that can be taken to insure your accounts are secured.
• Set your computers firmware and software to automatically update.
• Use strong passwords unique to each application.
• Be cautious of building online-only Friendships.

Recognize the warning signs of Social Engineering tactics. A few of the warning signs are:

• Asking for immediate assistance.
• Asking to verify your information.
• Acting overly friendly or eager.
• Acting nervous when counter questioned.
• Overemphasizing details.
• Luring with too good to be true offers.
• Threatening reprimands if their requests are ignored.