The heart of a good scam is pretending to be someone you are not. This form of social engineering is known as the impostor scam or impersonation scam. Impostors can take different forms, and may show up on a phone call, or as an email from a trusted friend or family member, business associate, customer or coworker. Often they arrive with a position of authority such as your boss, or a law enforcement officer, an IRS agent, a Social Security employee, an employee of the electric utility, your mobile phone company, or your bank.
In order to avoid falling for these impostors, it is important to develop a skeptical mindset. There are some rules to bear in mind:
- Did they call you? If they called you, do not believe them without proof. They will offer “proof” like an employee or badge number. This is a sign this is fake. You can always check out their story by going to the website of the company they claim to be calling from. Is the person on LinkedIn or Facebook? If not, they are probably fake. Do not trust, always verify. Hang up, and call the company directly.
- Do not say “yes” – Sometimes a scammer will try to get you to say the word “yes” so they can slip it into a recorded online approval process. This is a hard one to learn, but with practice you can get good at this one.
- Do not provide personal information – Also tough to do without practice. Avoid giving any information to anyone who called you. If you get an email with a link, watch out for a web page with a form. Do not give away your name, address, phone number, user ID and password, the answers to any security questions, credit card numbers, Social Security number, medical insurance or Medicare numbers, or bank account numbers.
Here are some of the more common impersonation scams:
- Email Account Hijack Scams – If an attacker hijacks an email account of someone you know, they have a perfect platform for impersonation. When they send an email, it comes from the legitimate email account of the person whose account was hijacked. This type of impersonation scam can look like a friend or family member who needs a short-term loan because they got mugged while on vacation. It can look like an invoice from someone you do business with. It can look like a multi-million dollar wire-transfer request from your boss. Or his wife. These scams are tough to detect unless you verify the money request by calling the sender on the phone.
- IRS Tax Scams – It’s tax season again, and with it comes the annual tax scams. The IRS will never call or email you; they communicate by postal mail only. File early to reduce the chance for refund fraud. Check IRS.gov for more information about these scams.
- Social Security Scams – The Social Security Administration also never calls. They don’t need you to tell them your Social Security Number. And they most certainly do not issue warrants for your arrest, or send US marshals, sheriff’s deputies, or police officers to arrest you. What they are saying is designed to frighten you into sending them money. Take a moment: does it just sound crazy? Hang up. Check with SSA.gov for more information.
- Utility Company Scams – They may direct you to a web page to pay, and it will look perfectly legitimate. Or they may insist on gift cards because “the credit card system is down.” Hang up the phone and call your utility company to verify whether you are really past due or not.
- Mobile Phone Company Scams – A call from your mobile service provider asking you to confirm your security questions, password, or PIN can be the beginning of a SIM card swap scam. Armed with the information you gave them, they can go into a mobile phone store, claim to be you, provide your credentials and PIN, and get a replacement SIM card in a new phone. Your phone will stop working, and they will be getting your phone calls, emails, and password reset request text messages. From there they can hijack your other online accounts, and impersonate you big time.
- Tech Support – They often pretend to be “from Microsoft.” They often have a foreign accent. They have a playbook to walk you through that seems technically convincing. Never let them connect remotely to your computer. They most certainly will infect your computer with something if you do. Hang up on these people. Especially if you have your own tech support guy. Just give him or her a call.
- It’s the Cops – This is common in the Grandkid Scam. A “police officer” calls. Your grandchild has been arrested on drug possession or a traffic violation. Usually they won’t have a name until you give it to them, so watch what you say. Or there has been a terrible accident, and the hospital needs you to wire money. Or there is a warrant issued for arrest and the whole thing can go away if you can just send some money. Hang up the phone and call your grandchild or their parents (your children) to confirm the story. This is not how the police work. You can’t make a crime disappear by paying a police officer with an iTunes gift card.
Life seems to have become more dangerous, and it appears impossible to keep up with all the scams, frauds, and cyber-threats in the online world. I can’t argue against that, but crime has been with us forever. A lot of these scams are old school cons dressed up for the Internet age, using technical tools. The electronic age may make it more challenging to be aware of when something bad is happening to us, but hopefully, articles like this one and the previous two have helped you become aware of what to guard against. Good luck and may The Force be with you.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com