
Impersonation attacks rising — including sophisticated phone scams
The US Cybersecurity & Infrastructure Security Agency (CISA) issued an alert in June warning of increasing numbers of impersonation scams that pretend to come from government employees, including CISA employees.
This serves as an excellent reminder that security awareness has to go beyond being able to spot email-based impersonation scams and extend that awareness to the dangers posed by phone calls.
And while the CISA-staff impersonation scams may be especially effective, they are only a small fraction of a threat type that is harvesting more ill-gotten gains every year.
FTC data: a bracing call to action
According to data presented by the US Federal Trade Commission (FTC) in April of this year, total reported losses from business or government imposter scams have increased steadily, from $310M in 2020 to $1.1B in 2023. About 1 in 5 people were robbed of money by imposter threats over that period.
The number of phone-based impersonation scams declined between 2020 and 2023, from 202K to 148K, but they still make up the biggest category at 32%, compared to 26% for email.
The top five reported forms of imposter scams are:
Fake account security alerts, where a message appears to be from your bank or from Amazon or another company where you have a potentially costly account.
Phony subscription renewals, which look like routine email notices that an account you don’t recall subscribing to will be auto renewed, and that you’ll be charged a lot of money.
Fake offers of giveaways, discounts, or money to claim, which can impersonate well-known companies as well as government agencies.
Made-up legal problems, often involving a claim that your identity has been stolen and used in a crime.
Fake package delivery problems, in which a well-known delivery company appears to be telling you there’s a problem with a package addressed to you.
The importance of urgency
One thing they all share is a strong sense of urgency. If you don’t respond right away, you will lose your identity, or your package, or your money. Or you may even be arrested.
Despite increasing sophistication and AI enhancement, it isn’t all that hard to spot these scams if you’re reasonably vigilant and not prone to panic or urgency. But what if your credit card had been used fraudulently the previous day? Or you had ordered something expensive from a maybe-sketchy overseas outfit? Or your taxes got audited last year?
The truth is, almost any kind of intense distraction or pre-existing sense of alarm can make us far more likely to fall for an imposter scam that successfully gets us to feel a sense of urgency. Which is why they all try to do it.
Hybrid imposter attacks—maximizing urgency
My colleague Christine Barry wrote recently about the Black Basta cybercrime group, or network. Among the nasty new tactics they’re deploying, she described one that uses a phishing storm to ramp up the sense of alarm among the staff, making them much more susceptible to the subsequent imposter phone attack.
“Since April 2024, a threat actor known as Storm-1811 has been observed using a new procedure to gain access to high-value networks. These attacks begin with a massive phishing attack sent to employees of the target company. The attack floods the inboxes and leaves employees frustrated and overwhelmed. While this phishing/spam attack is underway, Storm-1811 launches a voice phishing (vishing) attack in which the caller poses as tech support. If successful, the caller tricks the employee into providing remote access to the system via Microsoft Quick Assist.”
The right response, as in pretty much every type of suspected impersonation attack, is to verify the caller's identity, in this case by saying “What’s your name again? I’ll call you right back,” and looking them up in the company directory.
But in the midst of an apparently overwhelming spam attack, how many of us wouldn’t fall for an urgent call from a person who says they’re with IT?
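One way to detect the sequence described in the quoted passage above (an inbox flood followed by a Quick Assist session on the same user's machine), as an added example that is not from the original post or from Barracuda. The event tuples, thresholds, user names and host names are constructed assumptions, and the code assumes mail recipients and endpoint logons are already normalised to the same user key.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; adjust to your own mail volume baseline.
FLOOD_THRESHOLD = 50                  # inbound messages to one user...
FLOOD_WINDOW = timedelta(minutes=30)  # ...within this sliding window
FOLLOWUP_WINDOW = timedelta(hours=4)  # Quick Assist start after flood onset

def flood_times(mail_events):
    """Map each flooded user to the time the threshold was first reached."""
    by_user = defaultdict(list)
    for user, ts in mail_events:
        by_user[user].append(ts)
    floods = {}
    for user, stamps in by_user.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > FLOOD_WINDOW:
                left += 1  # drop messages older than the window
            if right - left + 1 >= FLOOD_THRESHOLD:
                floods[user] = ts
                break
    return floods

def correlate(mail_events, proc_events):
    """Return (user, host, time) for Quick Assist starts that follow a flood."""
    floods = flood_times(mail_events)
    alerts = []
    for user, host, ts, image in proc_events:
        if not image.lower().endswith("quickassist.exe"):
            continue
        onset = floods.get(user)
        if onset and timedelta(0) <= ts - onset <= FOLLOWUP_WINDOW:
            alerts.append((user, host, ts))
    return alerts

# Constructed sample telemetry (not real data).
T0 = datetime(2024, 5, 1, 9, 0, 0)
MAIL = [("alice", T0 + timedelta(seconds=20 * i)) for i in range(60)]
MAIL += [("bob", T0 + timedelta(minutes=10 * i)) for i in range(5)]
PROCS = [
    ("alice", "WS-014", T0 - timedelta(days=1), r"C:\Windows\System32\quickassist.exe"),
    ("alice", "WS-014", T0 + timedelta(minutes=40), r"C:\Windows\System32\QuickAssist.exe"),
    ("bob", "WS-027", T0 + timedelta(minutes=60), r"C:\Windows\System32\quickassist.exe"),
    ("alice", "WS-014", T0 + timedelta(minutes=45), r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for user, host, ts in correlate(MAIL, PROCS):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}@{host}: Quick Assist started after inbox flood")
```

Only the second sample event alerts: the first Quick Assist start predates the flood, and the third belongs to a user whose mailbox was never flooded.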
Train, drill, reward
An email security solution that can detect and filter as many impersonation attacks as possible is very important for reducing your impersonation-attack risk.
But as attackers keep coming up with new ways to build urgency, the best way to counter that is to improve your users’ ability to keep a cool head and respond carefully and wisely to any potentially deceptive communication. That requires frequent, well-designed security awareness training. A modern automated training solution should include:
Constantly updated, reality-based simulation templates for multiple phishing types, including voice phishing, or “vishing”
Expert-designed training materials that make it easy to focus training on the most vulnerable users
Gamification tools to make it easy to promote engagement—and effectiveness
Customizable simulation and campaign templates to ensure you can tailor training to your company’s specific needs
Barracuda Email Protection is an advanced security platform that delivers both detection and training. It can detect and block a large percentage of impersonation attacks using its powerful AI-based Phishing and Impersonation Protection capability.
And it also includes Security Awareness Training, which includes all the capabilities listed above, and more.
As technical security solutions make it harder for attackers to sneak malware in, the ongoing rise in phishing, vishing, and other deceptive impersonation attacks is bound to continue. Building the best defenses you can—both technical solutions and an empowered, aware user base—is critical to minimizing the risk to your organization.
Find out what Barracuda offers. (And be careful next time you pick up the phone.)
