Cybercriminals know that one of the easiest ways to sneak under the radar is to pretend to be a brand people know and trust. These are companies that have spent years on marketing, customer service, branding and consistency to build a trustworthy reputation that cybercriminals want to exploit. Read on for a peek into some of the tricks they use, how to recognize them and what you need to do to protect yourself.
Deceptive URL Tricks
Cyber thieves set up URLs that look incredibly similar to the real company’s website.
Hackers can make simple switches that can be easily overlooked, such as:
- Switching out a zero for the letter “O” or a capital “i” for a lowercase “L”
- Adding in a word that seems like it could be a subdomain of the real company, like “firstname.lastname@example.org”
- Using a different domain extension, like "email@example.com"
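The three URL tricks listed above can be checked mechanically before a link is trusted. The following is an added example, not part of the original article; the allow-list, the category names and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption for this example: a small allow-list of real registered domains.
TRUSTED = {"microsoft.com", "google.com", "apple.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}

# The character swaps named above: zero for "o", capital "i" (or digit one) for "l".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l"})


def registered_domain(host):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Label a URL: trusted, char-swap, different-extension, brand-as-extra-word, unknown."""
    # Use netloc, not .hostname, so a capital "I" is still visible before lowercasing.
    host = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")
    if registered_domain(host.lower()) in TRUSTED:
        return "trusted"
    folded = host.translate(CONFUSABLES).lower()
    reg = registered_domain(folded)
    if reg in TRUSTED:
        return "char-swap"            # matches a brand only after undoing the swap
    if reg.split(".")[0] in BRANDS:
        return "different-extension"  # right name, wrong domain extension
    if BRANDS & set(folded.replace("-", ".").split(".")):
        return "brand-as-extra-word"  # brand used as a label in someone else's domain
    return "unknown"


# Constructed sample URLs (not taken from the article).
SAMPLES = [
    "https://login.microsoft.com/oauth",
    "https://micros0ft.com/reset",
    "https://googIe.com/",
    "https://apple.example/",
    "https://microsoft.account-verify.example/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):20} {sample}")
```

A result other than "trusted" is a reason to hold the message for review, not proof of fraud; "unknown" only means the host does not resemble any brand on the allow-list.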
Scammers can set up a web page that looks identical to that of the real website. When someone clicks the link – via e-mail, SMS or even through social media – several dangerous results can occur.
The first is that malware can be installed. Clicking a bad link can set off an automatic malware download that contains malicious files with the ability to collect personally identifiable information from the device, like usernames, credit card or bank account numbers, and more.
The second is that the fake website will have a form to harvest your information. This could be login credentials, passwords and, in some cases, credit or bank information.
The third common issue is an open redirect. The link might look legitimate, but when you click on it, you’re redirected to a malicious website where the intent is to steal your information.
According to Check Point's Brand Phishing Report, there are 10 companies that top the chart in overall appearance in brand phishing attempts.
Here are the top 10 most frequently impersonated brands in phishing attempts in Q2 of 2023:
- Microsoft (29%)
- Google (19.5%)
- Apple (5.2%)
- Wells Fargo (4.2%)
- Amazon (4%)
- Walmart (3.9%)
- Roblox (3.8%)
- LinkedIn (3%)
- Home Depot (2.5%)
- Facebook (2.1%)
These are large companies that are widely recognized and send regular e-mail communications, making them prime targets for criminals to mimic. They know what types of messages will work best for each company to get a user’s attention.
Common Phishing Attacks
“Phishing” is a type of cyberattack and social engineering technique that involves tricking individuals into revealing sensitive or confidential information.
Here are three common phishing email attacks cybercriminals have used under the guise of the brands above to gain access to private information:
- Unusual Activity – This is an email that will suggest that someone gained access to an account and the user needs to change their password quickly. Scammers leverage fear so people will click without thinking, hurrying to change their password before they’re a victim of the attack. They usually have buttons that say, “Review Recent Activity” or “Click Here To Change Your Password.” These e-mails might also show fake login information detailing the region, IP address, time of sign-in and more to convince you to click.
- Fake Gift Cards – These e-mails suggest that someone sent an e-gift card. When a user opens the e-mail, they are either redirected to a fake website to “claim the gift card” or have a button to “redeem now.”
- Account Verification Required – These messages suggest that the account has been disconnected and they need the user to verify their information. Once the login credentials are disclosed, the hacker has access.
Phishing attacks aim to exploit human psychology and often use fear, urgency, or curiosity to manipulate individuals into taking action. Attackers may use various tactics to make their messages seem legitimate, such as using company logos, official language, or forged email addresses.
The consequences of falling victim to a phishing attack can be severe, including financial loss, identity theft, data breaches, and compromised online accounts.
Secure Your Network
Phishing is a pervasive threat, and staying vigilant and informed is essential to avoid falling prey to these types of attacks.
There are multiple steps to making sure your network is secure:
- Use an email protection tool, such as Proofpoint, to catch threats before they reach a user’s inbox.
- Always be cautious of unsolicited messages and verify their authenticity by directly contacting the organization.
- Look for common signs of phishing, such as misspelled words, unusual email addresses and suspicious links.
- Train employees to know what to look for and how to report it.