Organizations are more vulnerable to cyberattacks as users increasingly connect to more technologies, systems, and networks. An organization’s employees are typically the first line of defense against cyberattacks, making them prime targets for threat actors attempting to exploit human weaknesses. Threat actors first perform reconnaissance to gather information about a target organization and identify potential vulnerabilities, including details of key employees. They target legitimate and trusted individuals through various social engineering schemes, including email, text messaging, and phone calls, to initiate fraudulent requests to convince the target to divulge sensitive information, such as account login credentials.

The NJCCIC reported on various scams in the past in which threat actors targeted and impersonated executives, the human resources department, the information technology (IT) department, fellow employees, and more. Threat actors continue to target and impersonate legitimate and trusted individuals in an organization, including state and government employees. For example, threat actors impersonated representatives in the Attorney General’s Office in Oklahoma. They targeted Oklahoma citizens via fraudulent phone calls to inform them that they had won a monetary prize and had to pay a fee to obtain the award. The US Department of State also warned of a fraudulent scheme in which threat actors targeted payroll accounts via phishing, email account takeovers, and social engineering. The scheme first targeted annuity accounts linked to employees’ pension plans. The threat actors created and spoofed the annuitants’ email accounts to request changes to the direct deposit accounts. The scheme later targeted employees to obtain information and compromised employee accounts to change the bank deposit information. The threat actors redirected payroll deposits from the annuitants’ and employees’ bank accounts to attacker-controlled accounts.

Threat actors employed sophisticated social engineering techniques to target IT help desks to gain unauthorized access to systems. They made phone calls from an area code local to the target organization and claimed to be an employee in a financial role. The threat actors verified the impersonated employee’s identity by providing sensitive information, most likely obtained from professional networking sites, publicly available information sources, and data breaches. The threat actors claimed their phone was broken and convinced the IT help desk representative to enroll a new device in multi-factor authentication. After enrolling and gaining access to business resources, the threat actors targeted login information for payer websites to divert legitimate payments to attacker-controlled US bank accounts, which were later transferred to overseas accounts.

Threat actors also utilized social engineering and artificial intelligence to generate audio deepfakes in executive impersonation fraud campaigns to target employees. A LastPass employee received numerous phone calls, text messages, and a voicemail of an audio deepfake from a threat actor impersonating their CEO. However, the employee realized it was a scam and did not fall victim because the communications were conducted through WhatsApp, which is not a typical business platform. Instead of responding to the messages, the employee ignored the communications and reported the incident. This example highlights not just organizations becoming victims of cyberattacks but how victim organizations can potentially impact other organizations that depend on them as third-party vendors or critical infrastructure services.

Reported losses to business and government impersonation scams topped $1.1 billion in 2023, more than three times the amount reported in 2020. Due to the increased number of reported scams and losses and the emerging AI technology used in impersonation scams, the FTC recently finalized a rule on business and government impersonation so that it can file federal court cases seeking monetary funds for victims and civil penalties for rule violators.