How to Protect Your Business Against Employee Impersonation

Aaron Goldstein
December 13, 2022

Remote work grew tremendously over the past few years, becoming standard practice for many companies. While remote work offers flexibility for employees, it creates new security concerns.

Shifting from on-site work and rapidly adopting cloud and SaaS apps significantly increased the attack surface area. Threat actors continue to develop advanced and organized tactics, techniques, and procedures (TTPs) to exploit new vulnerabilities and attack vectors. Classic phishing attacks evolved into sophisticated smishing attacks, where attackers can target employees with text or voice messages posing as trusted employees.

Remote work and the ongoing cybersecurity talent shortage also increased the demand for technology workers. As companies expand their talent pools and hire overseas to fill these roles, they risk hiring malicious actors posing as legitimate job seekers.

From utilizing imposter interviewers to gain unlawful employment to malicious actors using advanced machine learning (ML) technologies such as deepfakes for phishing, organizations must stay vigilant against external actors’ infiltration attempts. This blog will review some of the most common types of worker impersonation and how companies can best protect themselves against these attacks.

Common employee impersonation tactics

As phishing detection and awareness continue to improve globally, attackers keep developing innovative ways to impersonate internal workers. Education is a crucial first step in preventing and protecting against employee impersonation attacks. Some of the most common types include:

1. Phishing, smishing, and vishing

Phishing is a type of social engineering attack that takes many forms and varies in severity, including spear phishing, smishing, and vishing.

Spear phishing attacks are highly targeted and typically impersonate a person (such as the CEO of a company) or service (such as a bank) to trick victims into giving out sensitive information or downloading malicious files that give threat actors access to their device.

Smishing utilizes text messaging or SMS to execute attacks. For example, a threat actor might text a company impersonating the CEO, asking to send them money or reveal company passwords. Other attacks have seen threat actors impersonating banks and successfully stealing account and Social Security numbers.

Vishing attacks operate with a voice call that impersonates an automated message and asks victims to reveal personal data. One successful vishing attack impersonated an automated message from Microsoft, informing victims that their machine is infected with a virus and asking for credit card information to install updated anti-virus software. When successful, the attacker has the victim’s credit card info and can install malware to steal additional data.

2. Business Email Compromise (BEC)

BEC is one of the most financially damaging online crimes, costing an average of $4.89 million per breach. BEC is a specific type of phishing attack where a threat actor attempts to gain access to an executive’s email account, impersonate them, and transfer funds or steal sensitive information. Attacks typically take place in four phases:

  • Identifying targets by exporting information available online about a company and its key executives
  • Selecting a target and attempting to gain access to their email account
  • Launching attacks directly from the executive’s email account to convince victims that they need assistance with a “legitimate” business transaction
  • Directing money via a wire transfer into a bank account linked to their organized crime group to complete the attack

3. Deepfake technology

Deepfake is a form of ML that creates lifelike hoax images, sounds, or videos. The term “deepfake” combines deep learning terminology with something that isn’t real. Deepfake technology is used today for various purposes, but threat actors are increasingly leveraging it as a tool in social engineering attacks.

Threat actors have already successfully leveraged deepfake technology in cybersecurity attacks. In 2019, a threat actor targeted a British energy company by impersonating its parent company’s German CEO. The threat actor successfully mimicked the CEO’s accent in a fake phone call to scam the company out of $243,000.

4. Remote employee fraud

Hiring remote employees means companies are at a greater risk of the employee deceiving them. Threat actors can impersonate employees to infiltrate companies and steal sensitive information or money.

The U.S. Department of the Treasury, Department of State, and Department of Justice released a joint report warning American employers that contractors from the DPRK were posing as non-North Korean nationals to gain employment. The motivations of these workers vary, but typically the goal is espionage or to generate revenue that feeds the country’s illegal weapons of mass destruction and ballistic missile program. Although these DPRK IT workers commonly engage in IT work that isn’t malicious, they use their privileged access gained as contractors to enable other DPRK actors with malicious intent.

Three ways to protect your business

With so many different types of social engineering and employee impersonation tactics out there today, the key to successful prevention is a layered approach to security that incorporates many different capabilities, as well as ongoing employee education and training. Here are a few ways businesses can protect against these employee impersonation tactics:

1. Invest in ongoing employee education

Companies need to ensure they’re continuously educating and testing their internal employees so they’re aware of the threat and keep their guard up.

Regular penetration tests expose vulnerabilities in controlled environments. From there, businesses can evaluate how to fill gaps and strengthen overall security posture. Routine cybersecurity trainings for internal employees, such as phishing tests, are also a good way to educate employees on common techniques threat actors use so they can help protect the company against phishing attempts and BEC.

2. Look for remote contractor red flags

As remote work becomes more prevalent, companies need to be aware of the warning signs of fraudulent contractors. Some of the key red flags to look for during hiring include:

  • Inconsistencies in name spelling, nationality, work location, contact information, educational and work histories
  • Extremely simple portfolio websites and social media profiles that don’t reveal any personal details
  • Incorrect or changing contact information, specifically email and phone number
  • Inability to conduct business during required business hours, and an inability to complete or respond to tasks in a timely manner

3. Implement essential security tools

Arming your company with knowledge is crucial, but you also need a strong security program protecting your company in the event of a breach. Some important elements to prevent employee impersonation attacks include:

  • Zero Trust Network Access (ZTNA) prevents access from unverified devices and stops lateral movement to other devices or systems on a network in the event of a successful social engineering attack.
  • Security Information and Event Management (SIEM) provides crucial visibility by continuously logging data from multiple systems to monitor normal activity and alert when users attempt suspicious actions.
  • Managed eXtended Detection and Response (MXDR) adds an additional layer of security with a team of security analysts who detect and block suspicious activity earlier. An MXDR team brings their support, experience, and expertise with common employee impersonation attacks to respond quickly and prevent serious damage.

How Todyl defends against and detects employee impersonation attacks

Todyl’s single-agent platform spans prevention, detection, and response, utilizing the same capabilities that governments and large enterprises rely on. There are multiple modules within the Todyl Security Platform that defend against and detect employee impersonation, including ZTNA, Managed Cloud SIEM, and MXDR.

Todyl’s Office 365 Integration is another key element crucial to stopping BEC in its many forms. Once enabled, the Todyl Security Platform ingests and inspects all authentication requests, inbox rules, mail transport activity, and several other behaviors to identify signs of email compromise. Todyl leverages ML models to identify rare and suspicious logon activities, API calls, and many other characteristics to alert on common indicators of compromise within Office 365 tenants.
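As an added illustration of the inbox-rule inspection described above (this is not Todyl's detection logic or code from this post), the following Python example reviews constructed records shaped like Microsoft 365 unified audit log entries and flags rule changes that forward mail outside the tenant or hide it from the mailbox owner. The internal domain list, the set of "hiding" folders, and the sample events are assumptions made for the example.

```python
# Added example: flag inbox-rule changes that commonly accompany email compromise.
# Records below are constructed, shaped like Microsoft 365 unified audit log entries.
SAMPLE_EVENTS = [
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "ap@example.com", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "ForwardTo", "Value": "collector@mailbox.invalid"}]},
    {"UserId": "hr@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "dev@example.com", "Operation": "MailItemsAccessed", "Parameters": []},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}  # assumption: rarely read folders
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardAsAttachmentTo", "ForwardTo", "RedirectTo")

def rule_findings(event):
    """Return the reasons an inbox-rule event deserves analyst review."""
    if event.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    findings = []
    for name in FORWARD_PARAMS:
        for addr in filter(None, (a.strip() for a in params.get(name, "").split(";"))):
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                findings.append(f"external {name}: {addr}")
    if params.get("DeleteMessage") == "True":
        findings.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append(f"hides mail in {params['MoveToFolder']}")
        if params.get("MarkAsRead") == "True":
            findings.append("marks hidden mail as read")
    return findings

def triage(events):
    """Map each user to the findings across all of their rule events."""
    report = {}
    for event in events:
        found = rule_findings(event)
        if found:
            report.setdefault(event["UserId"], []).extend(found)
    return report

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

A rule that only files mail into an ordinary folder, like the constructed `hr@example.com` event, produces no finding; findings are prompts for review, since users do create forwarding rules for legitimate reasons.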

To learn more about how Todyl protects businesses against employee impersonation attacks, download our full threat intel report below or contact us to schedule a demo.
