What is impostor fraud?
Impostor fraud is one of the most common types of fraud. Although it may take multiple shapes, it usually works in the same fashion: the fraudster impersonates a trusted figure or entity to convince a victim to send him money, or to get the victim to do something on his behalf. According to the U.S. Federal Trade Commission (FTC) 2021 data, more than USD 2.3 billion was lost to imposter scams in 2021, up from USD 1.2 billion in 2020 (+91%).
Impostor fraud is the second most reported fraud in the United States, with 984,756 complaints in 2021 alone (17.2% of all frauds reported). In this report, 1 out of 5 people reported money losses, with an average USD 1,000 loss. This type of scam encompasses different types of fraud, such as romance scams (sometimes as part of an Authorized Push Payment fraud scheme) or business email compromise.
The FTC highlighted five main categories of impostor fraud:
- Government imposters (around 396,000 reports in 2021);
- Business imposters (394,000 reports);
- Tech support scams (113,000 reports);
- Romance scams (77,280 reports);
- Family and friends imposters (35,00 reports).
How does impostor fraud work?
To be successful, the scammer will follow a simple procedure:
He will first try to identify the figure that would have the most influence over you, by conducting an open-source intelligence investigation.
Then, he will select an appropriate method to contact the victim, either by phone, email, fax, or even mail. The first contact is most of the time unsolicited. If we take the example of emails, they will look and feel genuine, will not include any malicious link so as not to raise any red flag, and are sent sparingly so as not to trigger any anti-spam tools.
Using the impersonated figure or entity, the scammer will then, under motives that may appear legitimate, get the victim to do something, such as wiring money or carrying out a specific action. By combining this with social engineering techniques, the impostor will exploit fears, emphasize the urgency of the situation, or leverage his position of authority to carry out the fraud, leaving the victim little room to think.
A plausible use case for impostor fraud.
This is what impostor fraud could look like in real life.
A fraudster may claim to be a tax agent and call your number a month after the tax payment deadline. Knowing that you likely paid your taxes before the deadline, he will claim that something went wrong with your wire transfer and that the tax authority has not received any payment. He will offer you a “second chance” and send new instructions directly to your personal email. You will then receive an email that uses the tax authority’s usual template, so as not to raise any eyebrows. That email will contain a link that redirects you to a spoofed website offering direct payment methods. The “tax agent” will stay on the phone, guide you through the steps, and push you to complete the payment while he is on the line. As the matter is urgent, the scammer may claim that you will be fined an additional percentage of the total amount for failing to submit your initial payment in due time. The timeline of this kind of scam is short, as the scammer wants to obtain quick hits and then disappear.
How to prevent impostor fraud and social engineering as a financial or governmental institution
The success of impostor fraud, like that of social engineering techniques in general, relies largely on the vulnerabilities of the persons and institutions targeted. To protect against these types of fraud, companies must implement mitigation measures to reduce risk and financial losses, including:
- Training and awareness sessions: As anyone can be a target, from top management to employees, raising awareness of these attack vectors is essential to avoid being scammed by an impostor;
- KYC processes: By implementing robust KYC processes that combine several layers of security and identification techniques (AI-based checks, liveness detection, etc.), financial and governmental institutions largely avoid such pitfalls. In addition to allowing companies to comply with regulatory requirements, KYC processes assess users’ legitimacy and drastically limit business risks, especially when the institution uses top-notch KYC technologies;
- Set up and communicate alert mechanisms: When targeted by impostors, employees should have a mechanism to report the attempt to the team responsible for handling it. Broad internal communication about these mechanisms should therefore be conducted to raise awareness.