Beware of Criminals Posing As 'Fellow Employees'

Impersonation is a favorite weapon in the social engineer’s arsenal.

May 09, 2012

Finding a target

These sites are designed to aggregate all of the staff members related to a particular company onto a single page. They display relevant contact information like personal and business email addresses, direct phone numbers, social networking connections, and more.

This can help a criminal narrow down the list of staff members that would make good targets for impersonation.

For example, an employee whose area code differs from that of the business’ primary number may work from a satellite office and probably does not have close contact with coworkers at headquarters.

After a “short list” of potential employees has been compiled, their individual social media sites may be data-mined for personal details which could add another layer of credibility to the pretext.

Additional tactics

Prior to attempting an attack on the targeted company, a social engineer will usually employ additional tactics to further sell their believability.

A common approach involves sending the employee(s) they intend to contact a phishing email that is carefully formatted to resemble other legitimate corporate email correspondence.

These messages are intended to set up the attacker’s pretext by outlining the reasons why they need assistance or, in some cases, to make a direct request for the desired information. Of course, the reply-to email address would be spoofed, as would the contact information contained in the email signature and footer.

Another clever trick con artists use prior to initiating the phone call attack is to spoof their caller ID to match a department within the targeted company–the necessary equipment can be legally purchased and is surprisingly easy and nontechnical to use.

When these techniques are combined with a convincing pretext, there is little reason for an employee to doubt that the attacker is a legitimate coworker. And, voilà, trust is established and the hook is set.

The best defense

From that point it is relatively easy to persuade or manipulate the real employee into changing passwords, divulging sensitive corporate information, or–in a worst-case scenario–activating malware sent in a follow-up email that allows the attacker to gain access to the company network.

The best defense against the “fellow employee” tactic, as well as virtually every con artist threat, continues to include the following:

  • Staff trained to recognize and react to malicious techniques;
  • Comprehensive policies and procedures;
  • Frequent security awareness training; and
  • Periodic social engineering testing that verifies the effectiveness of policies, training, and other controls.

DAVID BLAZIER is marketing manager for TraceSecurity, a CUNA Strategic Services alliance provider. Contact him at 225-612-2121, ext. 31062.
