How can you prevent impersonation fraud?

05 July 2024 by National Bank

Several organizations have fallen victim to impersonation fraud in recent years – there’s a reason it’s considered one of the most common strategies for extracting information from a business. We’ll help you better understand this type of fraud so you can protect yourself and your organization. 

What is impersonation fraud?

Impersonation fraud is the practice of impersonating another person in order to withdraw money from an organization or individual.

Fraudsters may pretend to be members of your company’s administration or one of its suppliers. They start by contacting you by email or text message (phishing), or even by phone. If you take the bait, they may ask you to transfer funds under false pretences. They may also try to get their hands on confidential information, such as bank details, staff lists, customer lists, logins and passwords, which they then use to embezzle funds. Another common tactic is to trick you into making purchases, such as gift cards or prepaid credit cards, and then get you to give them the codes.

While you may think you have the wherewithal to avoid falling into their trap, remember that cybercriminals are cunning. They can use a variety of tactics to create a sense of urgency, play on your emotions or even develop a bond of trust with you. There’s a reason why the most common corporate frauds are CEO fraud and fake supplier fraud.

CEO fraud 

CEO fraud is a form of social engineering. In this type of scam, malicious individuals pretend to be a member of management and target a key party in an organization (often someone with the necessary access), making an urgent request or asking them to carry out a specific task. 

The fraudster begins by gaining the victim’s trust before asking them to carry out a task, often involving money. The nature of this task varies and may involve buying gift cards or other rewards to congratulate the team after a major project at work. The victim, who then feels lucky to have been chosen by a superior or line manager, may easily fall for the scam.

And how do fraudsters know who to target? Among other things, they can: 

  • Scour the internet, social media and company websites
  • Contact someone in advance on social media 
  • Interact with the victim and gather information to make their request as credible as possible

Once the right person has been identified, the scammer sets up a carefully crafted scenario so that a transfer or disclosure of confidential information is carried out without the victim ever suspecting that it’s a fraud. 

Fake supplier fraud 

This kind of fraud is also used to extract information from a key person in a company. Rather than posing as a member of management, as in CEO fraud, the fraudster poses as one of the company’s suppliers.

This person contacts a company to inform them that one of their suppliers is changing its banking details. Once the supplier’s information has been changed, any transfers intended for them are directed to the fraudster’s bank account instead. 

And how does this person successfully impersonate the real supplier? By using social engineering to collect data and impersonate them. This data enables them to manipulate the person they contact by, for example, creating an email address that mimics that of the real supplier. They can also copy the formatting of the supplier’s emails and invoices, or even imitate their voice over the phone using artificial intelligence. 

How can you protect yourself against impersonation fraud?

Constant virtual exchanges and the large amount of sensitive data that circulates online make businesses vulnerable. Being vigilant and making your teams aware of the different types of fraud can help protect your organization from cyber attacks.  

1. How can you safeguard your organization?

Get your teams involved and give them a sense of responsibility. Frequently remind them to be cautious on social media, both for private and professional purposes. 

Tell them not to divulge information or share stories about the organization’s operations, explaining that this information could be used by fraudsters. Take the time to inform them of the different types of fraud, and don’t forget to raise awareness among new recruits and interns.


Good to know: Fraudsters will often take advantage of times when several people in the organization are absent to pull off their scam. All the more reason to be extra cautious during school vacations – particularly during the summer holidays – or on public holidays, Friday evenings and weekends. 

In addition to involving and educating your team, don’t forget to keep your IT security system up to date. Implement internal verification processes, authentication measures and multiple sign-offs for international transfers and payments.

You can also use technological tools to detect fraudulent emails and suspicious activity. Even if fraudsters manage to bypass the technology, having the right software could be enough to block a good majority of fraudulent communications.

2. How to avoid fraud

Because cybercriminals play on a sense of urgency, emotions and building trust with their victims, the following three actions can help counter their strategies: stop, analyze and doubt.

Avoiding CEO fraud

  • Don’t give in to pressure from a member of management who sends you an urgent request for payment. If in doubt, immediately refer the matter to your direct manager. Remember that no matter the situation, you should never take any action such as transferring funds on the basis of a single communication. Always ask questions. 
  • Take a critical look at any unusual transmission of new contact information. Contact the executive directly using the contact information you already have on file.
  • In their communications, fraudsters often include a phone number to contact. Never use this number for validation purposes. 
  • Use caution. Instructions on how to make the transfer may be sent in a second email from a lawyer or an accountant offering financial assistance. This is another deception designed to make the request appear more legitimate.

Avoiding fake supplier fraud

  • Check that the supplier’s email address and contact information match those used in previous correspondence. Make sure that the email subject and attachment name aren’t unusual.
  • Compare the layout of the invoice with the formatting, style and spelling of previous communications from the supplier.
  • Ask yourself whether you were expecting an invoice from the supplier and whether the financial details are the same as on previous invoices. 
  • Is this a request to change banking information? Check whether the supplier has recently changed theirs. 
  • Validate the request by contacting the supplier at a previously used phone number or email address on file.
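
As an added illustration (not part of the original article or any National Bank tool), the checks above can be run as a first-pass screen on an incoming supplier request before a person validates it by phone. The record structure, function names, flag names, sample values and the edit-distance threshold of 2 are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class VendorRecord:
    """Supplier details already on file (hypothetical structure)."""
    email: str
    phone: str
    account: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def digits(s: str) -> str:
    # Keep the last 10 digits so "+1 514 ..." and "514 ..." compare equal
    # (assumes North American numbers).
    return "".join(c for c in s if c.isdigit())[-10:]

def review_request(vendor: VendorRecord, sender: str, account: str,
                   callback_phone: str = "") -> list[str]:
    """Return the reasons a request needs validation through contacts on file."""
    flags = []
    sender = sender.strip().lower()
    on_file = vendor.email.strip().lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    on_file_domain = on_file.rsplit("@", 1)[-1]
    if sender != on_file:
        flags.append("sender_not_on_file")
    # A domain one or two characters away from the real one mimics the supplier.
    if sender_domain != on_file_domain and edit_distance(sender_domain, on_file_domain) <= 2:
        flags.append("lookalike_domain")
    if digits(account) != digits(vendor.account):
        flags.append("bank_details_changed")
    # A phone number supplied in the message itself must never be used to validate it.
    if callback_phone and digits(callback_phone) != digits(vendor.phone):
        flags.append("callback_number_not_on_file")
    return flags

# Constructed sample data, not real supplier details.
ON_FILE = VendorRecord("billing@acme-supplies.example", "+1 514 555 0100", "00011-006-1234567")

if __name__ == "__main__":
    print(review_request(ON_FILE, "billing@acme-suplies.example",
                         "00022-010-7654321", "514-555-0199"))
```

Any returned flag means the request should be held until someone confirms it with the supplier at the phone number or email address already on file.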

I’ve been a victim of fraud. What should I do?

Cybercriminals are constantly adapting their schemes and looking for potential loopholes. That’s why everyone, at one time or another, can fall victim to fraud. Here’s what to do if it happens to you.  

First of all, it’s important to understand that it can be very difficult to reverse a fraudulent transfer that has already been made. Contacting your financial institution is your first step. They may try to block the funds before they reach the fraudster’s account. 

It’s also important to notify your IT department to avoid any further fraud within your organization and ensure that appropriate vigilance is maintained. 

In the case of fake supplier fraud, notify the supplier immediately, as it’s highly likely that their identity has been used fraudulently with other companies. If the fraudster is identified, you may have legal recourse. 

If you’ve been a victim of fraud, you can play an active role in helping to put an end to it by taking the following steps:

  • File a complaint with your local police department. Describe the incident as CEO fraud, fake supplier fraud or wire fraud. Make sure you can provide full details of the incident.
  • Report the incident to the Canadian Anti-Fraud Centre.

Don’t forget: For the best chance of success, a company needs to protect itself against fraud from the outset. Prevention remains the best strategy for avoiding impersonation scams. 
