The Various Forms of Impersonation and How to Combat Them

Whilst most recent headlines around impersonation focus on generative AI or deepfakes, it is worth noting that there are also other, far less sophisticated impersonation methods that are costing institutions, mainly banks and their customers, substantial amounts in fraud. Although deepfake losses are substantial and may exceed other forms of impersonation over time, these more basic forms will continue to cause losses if not prevented.

All impersonation scams involve someone pretending to be someone else, but generally that’s where the similarities end. The variations within the scams include the granularity of the impersonation as well as the intended end result or purpose of the impersonation.

The Three Levels of Impersonation Fraud

Level 1: Impersonating a Generic Employee or Institution

Regarding granularity, there are three common levels, the third and most granular being deepfakes. The first level and the least granular is impersonating a non-specific individual of an entity, such as a bank. The non-specific individual may claim to work for the entity’s fraud department, for instance, and does not attempt to provide any proof of their claimed identity, just their role in the entity. This impersonation scam relies solely on social engineering and uses a sense of urgency and the threat of imminent financial loss as the keys to success.

Level 2: Impersonating a Real Customer Using Stolen Data

The second level is more granular and involves the scammer impersonating a real person to an entity, such as a bank’s contact center, using knowledge and information pertaining to the real person. The impersonator is therefore trying to convince an entity that they are a specific identity, and they have all the information required to prove it. At its most basic level, simply having access to a person’s internet banking User ID and Password would be enough to convince a system that a fraudster is that person. This form of impersonation, therefore, relies solely on information, however acquired.

Level 3: Deepfake and AI-Driven Impersonation

The third and most recent level is based on generative AI or deepfake technology. This is the most granular form of impersonation because it does not rely on knowledge and information about a person to execute the impersonation; it relies on physical or biological likeness to a real person, whether that be audible, facial, or both. As with the other forms of impersonation, it is done remotely, whether over a telephone, a social media app, or any form of video communication such as online conferencing.

Unlike the other forms of impersonation, where the impersonator and the target do not actually know each other, the target in a deepfake scam is known personally to the person being impersonated. This could be a family member or, as has already been witnessed, a work colleague or boss.

The Goals Behind Impersonation Scams

To understand how to combat each of these scams, we need to know what they are trying to achieve and how they are trying to achieve it. We also have to understand that it is nigh on impossible to prevent someone from being scammed through the likes of social engineering. Therefore, if you can’t stop someone from providing a scammer with critical information, such as a password, you need to ensure instead that the password can’t be used by the scammer.

How Scams Bypass Security

In the first example of the non-specific bank employee, this is typically an impersonation scam to get around a bank’s multi-factor authentication protection. The scammer already has everything needed to perform an online financial transaction, such as a funds transfer, but will also require the OTP that the bank will send to the customer’s mobile phone. The scam is all about obtaining the OTP from the customer to complete the fraudulent transaction. Because you can’t prevent the customer from giving the scammer the OTP, you need to render it useless.

In the second example of the scammer using supposedly secret or personal information to impersonate a genuine customer, the aim is to get the entity, such as a contact center employee, to perform some fraudulent transaction on the scammer’s behalf. Because the scammer may have all the information required to pass the security checks, you need to render that information useless.

Advanced Voice Biometrics and AI Voice Security

In both cases, voice biometrics is the tool that renders both the OTP in the first example and the personal information in the second example useless. Useless, that is, unless used by the legitimate customer. Speaking the OTP into a browser, rather than typing it, means it is only usable by the genuine customer; it is useless to the scammer. Similarly, speaking to the contact center employee, whether or not personal information is even required, renders personal information useless when provided by a scammer. In both cases, voice biometric authentication prevents the impersonation scams from being ultimately successful.

The third example, that of deepfake, poses a different threat as it can be used on channels that may not be designed for authentication methods. If an employee receives a call from the CEO, for instance, and the CEO sounds exactly as expected, or it is on a Zoom conference call and the CEO looks exactly as they should, then there would be no reason to doubt it is the CEO.

On channels where voice biometric authentication can be used, it should still be used, but in conjunction with deepfake detection. On channels where there is no authentication, then standalone deepfake detection is the protection to combat this form of impersonation. Knowing immediately, you are not dealing with a human is all you need to know.

So, whilst all the talk is around deepfake impersonation, organizations need to be aware that not only is there a solution for deepfake detection, but there are other forms of impersonation out there that can lead to major losses, which can be easily combatted using the right voice biometric technology. Voice technology like what we offer at ValidSoft that combines AI voice security with trusted identity assurance.