Impersonation scams targeting small businesses spiked following the CrowdStrike outage
WASHINGTON – Today, U.S. Senator John Hickenlooper, Chair of the Senate Subcommittee on Consumer Protection, Product Safety, and Data Security, sent a letter to Federal Trade Commission (FTC) Chair Lina Khan calling on her to protect consumers by investigating bad actors impersonating CrowdStrike employees to target small businesses.
“The Federal Trade Commission (FTC) is responsible for protecting and educating consumers and businesses on methods to avoid falling victim to potential scams, fraud, and abuse,” wrote Hickenlooper. “The same day as the outage, CrowdStrike notified customers of ‘malicious activity leveraging the [outage] as a lure’ to gain access or obtain information from affected businesses.”
Hickenlooper continued: “Individuals and small businesses can be the most vulnerable to scams and fraud. I encourage you to keep individuals and small businesses front and center when taking action to prevent and mitigate impersonation scams.”
The letter comes after the alarming spike in impersonation scams targeting small businesses following the CrowdStrike outage. On July 19, 2024, cybersecurity provider CrowdStrike released a faulty software update which caused 8.5 million Windows computers to crash and fail to restart successfully. The outage crippled airlines, hospitals, banks, and telecommunications, causing thousands of flights to be canceled and non-essential medical procedures to be postponed.
CrowdStrike released guidance to help organizations recover from the disruption. However, scammers quickly sprang into action impersonating CrowdStrike employees and targeting businesses – especially small businesses – and consumers with fake websites and malicious software claiming to fix the faulty software update. For example, a scam website hosted on “crowdstrikeclaim[.]com” impersonated a law firm and claimed to offer legal services for businesses affected by the outage.
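The lure described above relies on lookalike domains: a hostname that carries the brand name (crowdstrikeclaim[.]com) or a near-miss spelling of it, registered by someone other than the vendor. The following is an added example, not code from the press release, the senator's office, or CrowdStrike, showing how an analyst might triage a list of defanged domains from a report. It assumes that crowdstrike.com is the only legitimate brand domain, that the registrable domain is the last two labels (a simplification that ignores suffixes like co.uk), an edit-distance threshold of 2 for typosquats, and a small confusable-character map; every sample domain other than the one named in the press release is constructed for illustration and is not a real indicator.

```python
"""Triage defanged domains for brand impersonation (constructed example)."""

# Assumption: the vendor's legitimate registrable domain(s). Anything else that
# carries the brand name is treated as a candidate impersonation domain.
LEGIT_DOMAINS = {"crowdstrike.com"}
BRAND = "crowdstrike"
TYPO_THRESHOLD = 2  # assumption: max edit distance still considered a typosquat

# Assumption: a minimal map of look-alike characters scammers substitute.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample input. crowdstrikeclaim[.]com is the domain named in the
# press release; the others are made-up illustrations, not real indicators.
SAMPLE_DOMAINS = [
    "crowdstrikeclaim[.]com",
    "support.crowdstrike[.]com",
    "crowdstrike-fix[.]net",
    "crowdstrike.com.evil-host[.]net",
    "cr0wdstrike-update[.]com",
    "crowdstrlke[.]com",
    "example[.]org",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a real hostname, lower-cased."""
    d = domain.strip().lower()
    for token in ("[.]", "(.)", "{.}", " dot "):
        d = d.replace(token, ".")
    return d


def normalize(host: str) -> str:
    """Fold common confusable substitutions so cr0wdstrike matches crowdstrike."""
    return host.translate(CONFUSABLES).replace("vv", "w")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, see lead-in)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Label one domain: legitimate, brand-in-name, typosquat, or unrelated."""
    host = normalize(refang(domain))
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Brand appears anywhere in the host (including as a decoy subdomain such
    # as crowdstrike.com.evil-host.net) but the registrable domain is not ours.
    if BRAND in host:
        return "brand-in-name"
    second_level = reg.rsplit(".", 1)[0]
    if levenshtein(second_level, BRAND) <= TYPO_THRESHOLD:
        return "typosquat"
    return "unrelated"


def triage(domains):
    """Return only the suspicious entries as (original, verdict) pairs."""
    return [(d, classify(d)) for d in domains if classify(d) != "legitimate"
            and classify(d) != "unrelated"]


if __name__ == "__main__":
    for original, verdict in triage(SAMPLE_DOMAINS):
        print(f"{verdict:14} {original}")
```

The check deliberately tests the whole hostname for the brand string, not just the second-level label, because a decoy subdomain (crowdstrike.com.evil-host.net) is a common way to make a phishing link pass a casual glance. A production version would replace the two-label registrable-domain shortcut with a public suffix list and pull the legitimate-domain set from the vendor's published guidance rather than a hard-coded constant.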
In his letter, Hickenlooper called on the FTC to address the following questions about how to prevent impersonation scams and mitigate their impact on small businesses:
- How does the FTC help prevent and mitigate impersonation scams following major cybersecurity or data security incidents?
- How does the FTC collect and respond to reports from individuals or businesses who are targeted by or fall victim to impersonation scams?
- How does the FTC leverage its authorities under the FTC Act to hold bad actors perpetrating impersonation scams accountable?
- Would additional authorities under the FTC Act enhance the FTC’s capacity to hold bad actors perpetrating impersonation scams accountable?
- How does the FTC collaborate with other federal agencies like the FBI to disrupt bad actors and hold them accountable?
- What guidance does your agency provide to individuals and small businesses to engage with the FTC and improve their security and resilience to impersonation scams?
Hickenlooper has championed efforts to help small businesses defend against cyberattacks and protect consumer data. He previously chaired a Senate Commerce Committee Subcommittee on Consumer Protection, Product Safety and Data Security hearing on methods to safeguard consumers' data and reduce the harm from the growing number of damaging data breaches. He also chaired a field hearing of the Senate Committee on Small Business and Entrepreneurship in Colorado Springs to explore how to support the cybersecurity needs of small businesses across the country.
Text of the letter is below.
Dear Chair Khan,
On Friday, July 19, cybersecurity provider CrowdStrike released a faulty software update which caused some of their customers’ Windows computers to crash and fail to restart successfully. Businesses that discovered their computers were impacted had to take quick action to recover. The necessary steps to recover involved technical interventions, sometimes requiring physical access to individual machines, in order to get them back up and running.
While CrowdStrike officially issued detailed technical guidance for organizations to recover from the disruption, scammers were also springing into action. The same day as the outage, CrowdStrike notified customers of “malicious activity leveraging the [outage] as a lure” to gain access or obtain information from affected businesses. Since then, the company has issued multiple notices describing malware, phishing, and fake technical manuals that were all developed by scammers trying to take advantage of the original incident.
This is not the first time that scammers have impersonated CrowdStrike. The company issued a notice in 2022 describing bad actors distributing malware by impersonating CrowdStrike and other cybersecurity companies. The Federal Trade Commission (FTC) is responsible for protecting and educating consumers and businesses on methods to avoid falling victim to potential scams, fraud, and abuse. The FTC is already taking action on impersonation scams, including by publishing data showing recent increases in these scams and starting enforcement of a new rule to combat impersonation scams that took effect in April of this year. The data highlights that scammers often impersonate not only well-known brands and cybersecurity providers, but also federal government agencies and employees. The Cybersecurity and Infrastructure Security Agency (CISA) even notified the public of phone scams impersonating CISA and its officials in June of this year.
Individuals and small businesses can be the most vulnerable to scams and fraud. I encourage you to keep individuals and small businesses front and center when taking action to prevent and mitigate impersonation scams.
I request your response to the following questions to help inform our collaboration to combat scams and fraud impacting consumers and businesses:
- How does the FTC help prevent and mitigate impersonation scams following major cybersecurity or data security incidents?
- How does the FTC collect and respond to reports from individuals or businesses who are targeted by or fall victim to impersonation scams?
- How does the FTC leverage its authorities under the FTC Act to hold bad actors perpetrating impersonation scams accountable?
- Would additional authorities under the FTC Act enhance the FTC’s capacity to hold bad actors perpetrating impersonation scams accountable?
- How does the FTC collaborate with other federal agencies like the FBI to disrupt bad actors perpetrating impersonation scams and hold them accountable?
- What guidance does your agency provide to individuals and small businesses to engage with the FTC and improve their security and resilience to impersonation scams?
I thank you for your attention to these issues and for your continued efforts to combat scams, fraud, and abuse.
Sincerely,
###