Managed Detection and Response
How Threat Actors Leverage Corporate Executives’ Likenesses to Scam Social Media Users
October 4, 2023 | 5 min read
Netta Salomon
Cyber Threat Intelligence Analyst
Any longtime social media user knows the perils of impersonation, whether your account has been used as part of an attack, you’ve been tricked by a scammer pretending to be someone else, or you’ve seen someone else’s likeness used to misrepresent them. The reason social media impersonation is so prevalent is that it’s easy for threat actors to carry it out – and potentially very lucrative for them, in terms of either financial assets or sensitive data.
It stands to reason, then, that corporate executives and VIPs are prime targets for attackers. Hackers can take advantage of their notoriety to dupe unsuspecting users into interacting with an impersonating executive profile and providing PII, payment information, or otherwise falling victim to the scam and sharing personal data or transferring money to the threat actors.
BlueVoyant’s cyber threat analysts have been tracking this type of social media impersonation campaign and have put together a comprehensive report that demonstrates the scope of the trend, the methods used by threat actors, and a case study showing an attempted attack in action. Download the report or keep reading for some of the highlights and key takeaways.
Why Executive Social Media Impersonation?
Social media impersonation of individuals is a type of identity theft, a technique used in social engineering. It typically involves creating an account, profile or page that uses the name, image, and other identification features of a person or company to carry out fraudulent activities. It is especially worthwhile for threat actors spoofing a high-profile persona, celebrity, or corporate executive. Obtaining photos of public figures is simple, and the potential reward for a successful attack could be very cost-effective.
When impersonating an executive, threat actors can reach out to potential business partners or the executive’s employees, attempting to use the executive’s credibility to trick them into sharing sensitive information or transferring money. Innocent users on social media may feel they can trust a profile of a well-known persona, even if they do not know them personally, and may be more inclined to respond positively if asked to do something for them. Furthermore, cybercriminals do not need to concern themselves with firewalls, spam filters, antiviruses and other computer security mechanisms while they are working their charm on an oblivious user.
Where Do These Attacks Take Place?
BlueVoyant set out to determine which platforms are used the most by threat actors when impersonating executives. Our proprietary system has examined more than 1000 impersonated executive profiles on Facebook, Instagram, Twitter, and LinkedIn, as depicted in the chart below.
As you can see, Facebook and Instagram represent the lion’s share of these attacks. Possible explanations for the prominence of executive social media on these platforms include the volume of usage as two of the most popular social media platforms, the consumer and influencer-oriented nature of each platform, and the relative ease of setting up new accounts.
How Threat Actors Design Their Attacks
Social engineering is a critical component of any successful social media impersonation scam. Hackers must do some degree of due diligence on their targets – not just copying their photos and bio information, but also ensuring they can recreate their writing style, naming conventions, and posting cadence to avoid suspicion. Acquiring bot followers for cheap can help establish credibility with actual users, who may not suspect a scam if the fraudulent account appears to have a large following.
In the event that public information about a targeted executive is hard to come by (i.e., they have no existing social media presence to mimic, and they’ve been diligent about releasing personal information publicly), there are several ways threat actors can still find what they need to create a spoofed account.
- Gather information regarding the executive from friends and family's social media profiles.
- Acquire exposed private information from databases or documents that may be leaked during data breaches.
- Leverage public records websites to gain access to private information. her data brokers.
Once a threat actor has completed the reconnaissance phase, they can add the appropriate information and proceed to start using the impersonating profile they created, making it look more convincing by generating activity and gaining followers.
The Scam in Action
BlueVoyant’s analysts encountered many examples of social media impersonation using corporate executives as bait. We decided to spring the trap and see how the threat actors would engage with us. Below are some of the traits we observed during our interactions with the attackers. To see a step-by-step breakdown of the scam in action with screenshots of our conversations, download the full report.
We investigated profiles impersonating an American cryptocurrency executive and observed several characteristics. Many profiles were likely created by the same threat actor or group, they were often old and had been recently updated to impersonate the executive. Once activated, the profiles quickly gained followers, likely through bots, and began posting cryptocurrency-related content copied from the executives' official profiles, making them appear more trustworthy. The impersonators then targeted inexperienced crypto investors, and upon establishing contact with a potential victim, directed them to a fraudulent investment website promising high returns.
How to Prevent Executive Social Media Impersonation Attack
Despite social media platforms’ best efforts at preventing impersonation attempts – using verification systems, bot detection, and other preventative measures – attackers continue to evade security protocols and successfully set up fraudulent executive profiles.
Given the lack of oversight social media platforms have into accounts on an individual level, it’s incumbent on security teams to increase awareness of this type of attack. Companies should provide regular training for their employees and should be guarded when it comes to publicizing executives’ personal information beyond anything surface-level. Security teams should also emphasize preventative actions – reporting suspected impersonation attempts, encouraging employees and customers to do the same, etc.
Finally, the most effective way to prevent this type of attack from being successful is to continuously monitor for online impersonation of executives and other VIPs. Learn about how BlueVoyant’s Executive Cyber Guard solution can safeguard your company’s most important assets – its people.
Related Reading
Digital Risk Protection
From Zelle to Your Wallet: The Mechanics of Third-Party Phishing
September 12, 2024 | 3 min read
Managed Detection and Response
Forrester Study: BlueVoyant MDR Delivered a 210% Return on Investment for Clients Through Effective Threat Detection and Response, Optimized SecOps Spending, and Reduced Breach Incidence
September 10, 2024 | 5 min read