Remote work grew tremendously over the past few years, becoming standard practice for many companies. While remote work offers flexibility for employees, it creates new security concerns.
Shifting from on-site work and rapidly adopting cloud and SaaS apps significantly increased the attack surface. Threat actors continue to develop advanced and organized tactics, techniques, and procedures (TTPs) to exploit new vulnerabilities and attack vectors. Classic phishing attacks evolved into sophisticated smishing and vishing attacks, where attackers target employees with text or voice messages while posing as trusted colleagues.
Remote work and the ongoing cybersecurity talent shortage also increased the demand for technology workers. As companies expand their talent pools and hire overseas to fill these roles, they risk hiring malicious actors posing as legitimate job seekers.
From utilizing imposter interviewers to gain unlawful employment to malicious actors using advanced machine learning (ML) technologies such as deepfakes for phishing, organizations must stay vigilant against external actors’ infiltration attempts. This blog will review some of the most common types of worker impersonation and how companies can best protect themselves against these attacks.
As phishing detection and awareness continue to improve globally, attackers keep developing innovative ways to impersonate internal workers. Education is a crucial first step in preventing and protecting against employee impersonation attacks. Some of the most common types include:
Phishing attacks are one type of social engineering attack that take many forms and vary in severity, including spear phishing, smishing, and vishing.
Spear phishing attacks are highly targeted and typically impersonate a person (such as the CEO of a company) or service (such as a bank) to trick victims into giving out sensitive information or downloading malicious files that give threat actors access to their device.
Smishing utilizes text messaging or SMS to execute attacks. For example, a threat actor might text an employee while impersonating the CEO, asking them to send money or reveal company passwords. In other attacks, threat actors have impersonated banks and successfully stolen account numbers and Social Security numbers.
Vishing attacks use a voice call, often impersonating an automated message, to ask victims to reveal personal data. One successful vishing attack impersonated an automated message from Microsoft, informing victims that their machine was infected with a virus and asking for credit card information to install updated anti-virus software. When successful, the attacker has the victim’s credit card details and can install malware to steal additional data.
BEC is one of the most financially damaging online crimes, costing an average of $4.89 million per breach. BEC is a specific type of phishing attack where a threat actor attempts to gain access to an executive’s email account, impersonate them, and transfer funds or steal sensitive information. Attacks typically take place in four phases:
Deepfake is a form of ML that creates lifelike hoax images, sounds, or videos. The term “deepfake” combines “deep learning” with “fake.” Deepfake technology is used today for various purposes, but threat actors are increasingly leveraging it as a tool in social engineering attacks.
Threat actors have already successfully leveraged deepfake technology in cybersecurity attacks. In 2019, a threat actor targeted a British energy company by impersonating its parent company’s German CEO. The threat actor successfully mimicked the CEO’s accent in a fake phone call to scam the company out of $243,000.
Hiring remote employees means companies are at a greater risk of the employee deceiving them. Threat actors can impersonate employees to infiltrate companies and steal sensitive information or money.
The U.S. Department of the Treasury, Department of State, and Department of Justice released a joint report warning American employers that contractors from the DPRK were posing as non-North Korean nationals to gain employment. The motivations of these workers vary, but typically the goal is espionage or generating revenue that feeds the country’s illegal weapons of mass destruction and ballistic missile programs. Although these DPRK IT workers commonly perform IT work that isn’t malicious, they use the privileged access gained as contractors to enable other DPRK actors with malicious intent.
With so many different types of social engineering and employee impersonation tactics out there today, the key to successful prevention is a layered approach to security that incorporates many different capabilities, as well as ongoing employee education and training. Here are a few ways businesses can protect against these employee impersonation tactics:
Companies need to ensure they’re continuously educating and testing their internal employees so they’re aware of the threat and keep their guard up.
Regular penetration tests expose vulnerabilities in controlled environments. From there, businesses can evaluate how to fill gaps and strengthen their overall security posture. Routine cybersecurity training for internal employees, such as phishing tests, is also a good way to educate employees on the common techniques threat actors use so they can help protect the company against phishing attempts and BEC.
As remote work becomes more prevalent, companies need to be aware of the warning signs of fraudulent contractors. Some of the key red flags to look for during hiring include:
Arming your company with knowledge is crucial, but you also need a strong security program protecting your company in the event of a breach. Some important elements to prevent employee impersonation attacks include:
Todyl’s single-agent platform spans prevention, detection, and response, utilizing the same capabilities that governments and large enterprises rely on. There are multiple modules within the Todyl Security Platform that defend against and detect employee impersonation, including ZTNA, Managed Cloud SIEM, and MXDR.
Todyl’s Office 365 Integration is another key element crucial to stopping BEC in its many forms. Once enabled, the Todyl Security Platform ingests and inspects all authentication requests, inbox rules, mail transport activity, and several other behaviors to identify signs of email compromise. Todyl leverages ML models to identify rare and suspicious logon activities, API calls, and many other characteristics to alert on common indicators of compromise within Office 365 tenants.
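The two indicators named above, rare logon activity and suspicious inbox rules, are the kind of checks a SIEM runs over tenant audit events. The following is an added example written for this page, not Todyl's code or a description of how the Todyl platform works. It assumes constructed Microsoft 365 audit-style events (the `Operation`, `UserId`, `Parameters` field names and the inbox-rule parameter names are assumptions loosely modelled on the unified audit log; the per-event `Country` field and the `example.com` organisation domain are invented for the sample), flags inbox rules that forward mail outside the organisation, delete messages, or carry an empty or punctuation-only name, and flags a logon from a country not previously seen for a user once that user has a small baseline of earlier logons.

```python
"""Added example (not Todyl's code): simple BEC indicator checks over
constructed Microsoft 365 audit-log style events.

Assumptions (not from the original post): field names loosely follow the
Microsoft 365 unified audit log (Operation, UserId, Parameters), each logon
event carries a pre-resolved Country field, and the organisation's own
domain is example.com.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"   # assumed organisation domain

# Constructed sample events; not real log data.
EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com", "Country": "US"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com", "Country": "US"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com", "Country": "NG"},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": {"Name": ".", "ForwardTo": "someone@mail-example.net",
                    "DeleteMessage": "True"}},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": {"Name": "Move newsletters", "MoveToFolder": "Newsletters"}},
    {"Operation": "UserLoggedIn", "UserId": "hr@example.com", "Country": "US"},
]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def suspicious_inbox_rule(params):
    """Return the reasons a rule matches common BEC patterns: forwarding to an
    external domain, silent deletion, or a near-empty name used to hide it."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key)
        if target and domain_of(target) != INTERNAL_DOMAIN:
            reasons.append(f"external forwarding via {key} to {target}")
    if str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule deletes messages")
    if len(params.get("Name", "").strip(" .")) == 0:
        reasons.append("rule name is empty or only punctuation")
    return reasons


def analyze(events, min_baseline=2):
    """Walk events in order. A logon from a country not yet seen for a user is
    flagged once that user has at least min_baseline earlier logons, so the
    very first logons of a new account do not alert. Inbox-rule events go
    through suspicious_inbox_rule. Returns a list of alert dicts."""
    seen = defaultdict(dict)   # user -> {country: logon count}
    alerts = []
    for ev in events:
        user = ev["UserId"]
        op = ev["Operation"]
        if op == "UserLoggedIn":
            counts = seen[user]
            country = ev["Country"]
            if country not in counts and sum(counts.values()) >= min_baseline:
                alerts.append({"user": user, "type": "rare_logon_country",
                               "detail": country})
            counts[country] = counts.get(country, 0) + 1
        elif op in ("New-InboxRule", "Set-InboxRule"):
            reasons = suspicious_inbox_rule(ev.get("Parameters", {}))
            if reasons:
                alerts.append({"user": user, "type": "suspicious_inbox_rule",
                               "detail": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Run against the sample, the script raises two alerts for the `cfo@example.com` account: a logon from a country never seen before, followed by an inbox rule that forwards externally, deletes messages, and has a name of `.`, while the HR user's ordinary folder-move rule stays quiet. In production the country baseline would be learned over weeks rather than two events, and the rule check would be joined with the logon that created it.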
To learn more about how Todyl protects businesses against employee impersonation attacks, download our full threat intel report below or contact us to schedule a demo.