Cybercriminals use every trick in the book to scam businesses. One of the most common online scams that popular brands are especially vulnerable to is a brand impersonation phishing attack!

Phishing is a cyberattack that uses email as its weapon to trick the target. The target is made to believe that the message comes from a trusted source and is prompted to click on a link or to download an attachment that carries malicious content.

According to the Google Transparency Report (2018), the number of phishing sites detected per week increased drastically from 3,800 in Nov 2007 to 49,696 in Nov 2017.
Graph 1 - Brand Impersonation

 


What Is Brand Impersonation?

Brand Impersonation is a form of phishing attack where attackers pretend to be from a trusted brand/company. They send out emails that contain malicious content. These emails resemble a well-known bank, credit card company, an e-commerce portal, or even a government agency.

The aim of a brand impersonation attack is to gain confidential data of the targeted victim.

What are the motives of a hacker?

Some of the most common reasons for a brand impersonation attack are:

  • Using the target’s login credentials to access financial details as well as initiate fund transfers,
  • Stealing personal information like address or phone number to sell it to others, and
  • Ruining the trust of a service provider’s customers by charging them with false dues.

How do hackers impersonate a brand?

  • Source Forgery

Source forgery is the practice of faking the ‘From’ address of an email. Because SMTP does not verify the ‘From’ header, attackers can easily set it to an address that looks genuine, using SMTP services and tooling such as Kali Linux.
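Added example (not from the original article): a small Python check that a mail administrator or analyst can run on a received message to spot the source forgery described above. It assumes the receiving server recorded the envelope sender in a Return-Path header; the brand list and both sample messages are constructed.

```python
import email
from email.utils import parseaddr

# Known brand domains (constructed list for this example; extend as needed).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "dropbox": {"dropbox.com"},
    "linkedin": {"linkedin.com"},
}

# Constructed samples, not real messages. The first claims a brand in the
# visible From address while the envelope sender recorded by the receiving
# server (Return-Path) lives elsewhere; the second puts a brand display name
# in front of an unrelated address.
SAMPLE_FORGED_FROM = """\
Return-Path: <bounce@mail-relay.example>
From: "PayPal" <service@paypal.com>
To: customer@example.org
Subject: Unusual activity on your account

Please review the transaction details attached.
"""

SAMPLE_DISPLAY_NAME = """\
Return-Path: <no-reply@dropbox-share.example>
From: "Dropbox" <no-reply@dropbox-share.example>
To: customer@example.org
Subject: A file was shared with you

Access File Here
"""

def split_address(header_value):
    """Return (lower-cased display name, lower-cased domain) for an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def check_source_forgery(raw):
    """Return a list of findings about who the message really came from.
    A From/Return-Path mismatch is not proof of forgery (bulk mailers and
    mailing lists do it legitimately), but when the From line claims a
    brand it is the first thing an analyst should look at."""
    msg = email.message_from_string(raw)
    from_name, from_dom = split_address(msg["From"])
    _, rp_dom = split_address(msg["Return-Path"])
    findings = []
    if not rp_dom:
        findings.append("no Return-Path header; envelope sender unknown")
    elif from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in from_name and from_dom not in domains:
            findings.append(f"display name claims {brand} but address domain is {from_dom}")
    return findings
```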

  • Links

Brand impersonation phishing emails contain embedded links that are designed to look trustworthy so that the target clicks on them. To make these links look genuine, hackers create false references: the visible link text shows one address while the href attribute of the HTML <a> tag points somewhere else.

Usually, the attackers fake a company/brand website by using the following HTML code in their email:

<a href="http://fakewebsite.com">https://genuinewebsite.com</a>
For example*: <a href="http://passinest.com">https://support.google.com</a>
(*Disabled phishing link)

 
In the above example, clicking on https://support.google.com will take the user to http://passinest.com.
The real href target of a link in a received email can be checked with the following steps:

  • Open the received email without clicking on any link.
  • Right-click anywhere in the email to see the options.
  • Select the “Inspect” option to open the “Inspection View” of the email, where the real href of each link can be read.


  • Lookalike Domains

Hackers buy domains that look similar to the domain of a known brand. This makes it easier for the hackers to carry out brand impersonation attacks.

For example, the below image shows the domain names available in GoDaddy, which are similar to FedEx.
[Image: lookalike FedEx domain names available on GoDaddy]
A hacker is most likely to use fedexcare.com to fake “FedEx Cares” website (fedexcares.com) which is an official FedEx website.
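Added example (not from the original article) covering the two link tricks above: it parses the anchors in an HTML email body, flags visible URL text whose host differs from the real href target, and flags href hosts that are one character away from a known brand domain, such as the fedexcare.com / fedexcares.com pair. The brand list and the sample body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not a real email): the first anchor shows a genuine-looking
# URL while its href points elsewhere; the second uses the fedexcare.com lookalike.
SAMPLE_BODY = """
<p>Verify your account: <a href="http://fakewebsite.com/login">https://support.google.com</a></p>
<p>Track your parcel: <a href="https://fedexcare.com/track">FedEx Cares</a></p>
<p><a href="https://support.google.com/help">Help center</a></p>
"""
KNOWN_BRANDS = ["google.com", "fedexcares.com", "paypal.com"]  # constructed list

def edit_distance(a, b):
    # Levenshtein distance: a one-character lookalike scores 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body, brands=KNOWN_BRANDS):
    # One finding per anchor whose visible URL names a different host than its
    # href, or whose href host is one edit away from a known brand domain.
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if text.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append(f"text shows {shown} but link goes to {host}")
        reg = ".".join(host.split(".")[-2:])  # crude registrable part
        for brand in brands:
            if reg != brand and edit_distance(reg, brand) == 1:
                findings.append(f"{host} is a lookalike of {brand}")
    return findings
```

The last-two-labels heuristic is deliberately crude; a production tool would consult the Public Suffix List before comparing domains.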

We have analyzed a list of brands that are popular among scammers for carrying out brand impersonation attacks.
[Icon chart: brands popular among scammers for brand impersonation]

1. Netflix Scam

Brands like Netflix have a higher risk of brand impersonation attacks because they have millions of subscribers worldwide.

Here is one such Netflix scam targeting its customers.

“We were unable to validate your billing information for the next billing cycle of your subscription,” the hoax email states. “We’ll suspend your membership if we do not receive a response from you within 48 hours.”

 
This Netflix email scam came to light when non-subscribers of Netflix started receiving such emails. Once the attack was reported, Netflix immediately issued a warning, urging its customers not to make any payment through such links.

But the attackers didn’t stop there!

A more recent Netflix email scam shows that attackers now also work on the apparent legitimacy of the phishing website itself, by serving it with a Transport Layer Security (TLS) certificate.
[Image: Netflix phishing example]

2. Bank of America Phishing

Emails sent by banks are always on the top of everyone’s priority list, and that’s why they are always targeted by scammers.

Here is an example of a phishing attack targeting Bank of America.

Observe the image given below.
 
Signs of Green Flags:

  • Bank of America’s logo and address
  • Look-alike link
  • Signature and reference
  • Terms and Condition

[Image: Bank of America phishing email]
Signs of Red Flags:

  • A sense of urgency
  • Common salutation
  • Warning of account suspension
  • Fake link – hover over it to see the real link target

It doesn’t end there! Partner organizations associated with a well-known brand that phishers target also face high risk, because these attacks can start a chain of cyber attacks that eventually reaches the partners as well.

3. LinkedIn Phishing

[Image: LinkedIn phishing message]
In December 2017, a number of LinkedIn users received messages containing a malicious link. On clicking the link, users were taken to a fake Dropbox login page that asked for login credentials. Apparently, all the LinkedIn accounts sending out these malicious messages had themselves been hacked.

Isn’t it scary?

LinkedIn has around 546 million users worldwide. Even if 10% of users are targeted with such LinkedIn phishing emails, 5.4 million users will be at risk.

Signs of Green Flags:

  • Personalized email
  • Genuine logo usage
  • Unsubscribe option – similar to the original LinkedIn emails

Signs of Red Flags:

  • Irrelevant suggested connections
  • Prompt to click a link to follow or send a direct message
  • Non-LinkedIn links
  • Not from “messages-noreply@linkedin.com” sender address

Such attacks can have the following effects:

  • LinkedIn holds your professional identity which can be used for IDENTITY FRAUD.
  • Professionals often tie their LinkedIn ID to their business account. Hence, LinkedIn phishing attacks can result in DATA BREACHES.

4. PayPal Phishing

In December 2017, a number of people received a PayPal phishing email.
[Image: PayPal phishing email]
The PayPal logo, together with a sender address shown as service@paypal.com, convinced many customers to click on the link to see the transaction details.

This attack was planned to acquire PayPal customer data such as:

  • Personal information: Name, street address, city, state, zip, country, phone number, mother’s maiden name, and date of birth.
  • Credit card information: name, number, expiration date, security code.

Signs of Green Flags:

  • PayPal logo
  • PayPal email structure
  • Use of regular PayPal email font

Signs of Red Flags:

  • A sense of urgency
  • Asking to download an attachment
  • Unauthorised access notification
  • ‘PayPal’ written as ‘Paypal’ (in some phishing emails)
  • Asking to fill an attached form

5. Google Docs Phishing

In May 2017, millions of Gmail users received a Google Docs phishing email. Once the users clicked on the link, they were directed to the following page:
[Image: fake Google Docs permission page]
Since Gmail is a trusted brand, no one actually reads the “Permission Settings” before clicking on the “Allow” button. Hackers used this oversight to their advantage and created a fake page to gain access to users’ emails and contacts.

1.2 million Gmail users were affected by this attack. Here is an official statement from Google on this attack.

Official statement:
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There are no further action users need to take regarding this event; users who want to review third-party apps connected to their account can visit Google Security Checkup”.

 
Signs of Green Flags:

  • Google logo
  • Use of similar email structure
  • Specific salutation

Signs of Red Flags:

  • Immediate action
  • Asking for access permissions

6. Amazon Phishing

Scammers impersonate e-commerce sites like Amazon and eBay to fraudulently obtain customers’ credit card details.

For example, an elderly couple received an Amazon phishing email in June 2018. In the email, they were asked to confirm their account details by clicking on a link. Once the hackers had the login credentials, they placed an order from the couple’s Amazon account. Initially, both the bank and Amazon refused to refund the couple for the fraudulent transaction. It was only after verifying the IP address and order details that the bank decided to refund the money.
[Image: Amazon phishing email]
Signs of Green Flags:

  • Amazon logo used along with the order description
  • Use of regular Amazon email structure

Signs of Red Flags:

  • Immediate action
  • A sense of urgency

7. Telstra Phishing

Telstra is an Australian telecom brand that was impersonated to target a large number of its customers.

This attack was so sophisticated that it was difficult to differentiate between the original and fake Telstra Email Bill.
[Image: fake Telstra email bill]
Signs of Red Flags:

The primary motive behind this attack was to get the following details:

  • Credit card information
  • Billing address
  • Date of birth, driver’s license number, and mother’s maiden name

8. Facebook Phishing

Cybercriminals use social media to target a large number of people. With Facebook phishing attacks, one can target up to 2.19 billion people!

Fake Facebook login pages are the first step toward launching a Facebook phishing scam.

The example given below shows a fake Facebook login page that’s used for phishing:
[Image: fake Facebook login page]
Now the question is: “Is it that easy to create a fake Facebook login page?”
The answer is YES! If you search ‘Facebook phishing page’ on Google, you will get the following results:
[Image: search results for ‘Facebook phishing page’]

9. Wells Fargo Phishing

Wells Fargo is an American bank with over 70 million accounts. Recently, people were targeted with a Wells Fargo phishing email that said, “We have Updated Your Contact Information.”

According to Wells Fargo policies, customers had to update their personal information periodically, so this email seemed perfectly plausible to them.
[Image: Wells Fargo phishing email]
Signs of Red Flags:

  • Account number missing from the subject line
  • Use of ‘Common salutation’ instead of ‘Dear <name>’
  • The changes were not displayed in the email. Instead, the attackers asked the customers to log in to their account to view the changes

The motive of this Wells Fargo phishing attack was to gather:

  • Customer login credentials
  • Transaction details
  • Personal details

10. Apple Phishing

For Apple users, all of their data is stored in their iCloud account by default. Scammers sent threatening Apple phishing emails to Apple customers, warning them of an account suspension.

One such email is shown below:
[Image: Apple phishing email]
Signs of Red Flags:

  • Apple ID is not mentioned in the email
  • A sense of urgency
  • Call to action that leads to a phishing page
  • Apple support link is not embedded in the email

11. Dropbox Phishing

Hackers copy the Dropbox logo into their emails to add authenticity to the scams.

One such Dropbox phishing email is shown below where the potential target is asked to access the files sent via Dropbox.
[Image: fake Dropbox email]
On clicking the “Access File Here” link, a malicious file was downloaded onto the victim’s system.
[Image: genuine Dropbox email]
The above image shows what a genuine Dropbox email looks like.
 
Signs of Green Flags:

  • Email from “no-reply@dropbox.com”
  • Dropbox logo
  • File name with sender details
  • Dropbox team signature

Signs of Red Flags:

  • Dropbox text icon
  • No file details
  • No file owner details
  • Link to access the file

12. Yahoo Scam

Yahoo! has around 350 million active subscribers, and scammers love targeting Yahoo! users.
For example, in the image given below, you can see a “Yahoo Account Disabled” email.
[Image: “Yahoo Account Disabled” phishing email]
Signs of Red Flags:

  • The email is addressed to 50 recipients
  • There is a warning to delete the account along with emails, contacts, and other data
  • The “Sign in and verify it” link points to a phishing site

Remember: Your bank, credit card company, or email service provider will never loop you into a group email. They will only communicate with you through personal email.

13. Microsoft Phishing

[Image: Microsoft Outlook phishing email]
Recently, in a Microsoft Outlook phishing scam spotted in the UK, users received an email that said:

“Your password reset is in process and your current password will be disable shortly the password reset link will be forward to the new optional email submitted”.

 
On clicking the reset link, users were redirected to a fake Outlook login page. On entering their credentials, an error message was shown while the credentials were sent to the hackers.

14. Chase Fraud

JPMorgan Chase is a well-established American investment bank and financial services company. In a recent cyber attack, scammers targeted Chase customers with an email that read:

“Many of our banking improvements are inspired by customers’ requests.”

 
This Chase fraud email urged customers to perform a security update. The “SECURITY UPDATE” button was wired to a fake link designed to harvest the victim’s Chase bank account credentials.

[Image: Chase phishing email]

15. Comcast Scam

Comcast has a customer base of around 22 million subscribers.

In 2017, they were attacked by brand impersonating emails, wherein the subscribers were asked to unlock their account through a link.
[Image: Comcast phishing email]
In this Comcast phishing email, the “Unlock” link redirects subscribers to a malicious site that mimics the Comcast (Xfinity) login page, in order to collect user credentials.

In another Comcast phishing attack, scammers tried to fake the “Xfinity Billing Email.” Here, the hackers used a proper credit card and billing template along with a proper invoice number.
[Image: fake Xfinity billing email]
On clicking the link, the users were taken to a fake Comcast login page.

16. AT&T Phishing

AT&T is a popular choice for brand impersonation attacks.
[Image: AT&T phishing email]
The above AT&T phishing email says,

Dear Valued Customer
You are advised to verify and re-confirm your AT&T online account to enable us upgrade your account. Any AT&T member who fails to respond or upgrade his or her account will automatically loose the AT&T account. Response to this urgent mail would enable us to upgrade our data system for your security.
To verify that your account is valid and active, simply click on the link below:
Click here to verify your account now

 
Signs of Red Flags:

  • Bad grammar
  • Common salutation: “<Dear Valued Customer>”

Other similar attacks impersonating AT&T were designed to alert potential victims about pending dues and warn them about account shut down.
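Added example (not from the original article): a rule-based triage scorer built from the “Signs of Red Flags” lists above (generic salutation, sense of urgency, verify-your-account requests, suspension threats, attachment requests, many visible recipients). The weights and both sample messages are constructed; the first sample is modelled on the AT&T text quoted above, the second is a plain personalised notification for comparison.

```python
import email
import re

# Weighted regex rules drawn from the "Signs of Red Flags" lists above.
# Each entry: (name, weight, pattern applied to subject + body).
RULES = [
    ("generic salutation", 2, r"^dear (valued )?(customer|user|member)\b"),
    ("sense of urgency", 2, r"\b(urgent|immediately|within \d+ hours?)\b"),
    ("asks to verify or confirm account", 2, r"\b(verify|re-?confirm|validate)\b.{0,40}\baccount\b"),
    ("account suspension warning", 1, r"\b(suspend|disabled?|lose|loose)\b.{0,20}\b(account|membership)\b"),
    ("asks to open attachment or form", 1, r"\b(attached form|download the attachment|open the attached)\b"),
]
MANY_RECIPIENTS = 5  # a bank or ISP never loops customers into a group mail

# Constructed samples, not real messages.
SAMPLE_PHISH = """\
From: "AT&T Support" <support@att-upgrade.example>
To: a@example.org, b@example.org, c@example.org, d@example.org, e@example.org
Subject: Urgent: verify your account now

Dear Valued Customer
You are advised to verify and re-confirm your AT&T online account. Any
member who fails to respond will automatically loose the account within
48 hours. Click here to verify your account now.
"""
SAMPLE_BENIGN = """\
From: "Example Shop" <orders@example-shop.example>
To: jane@example.org
Subject: Your order 1234 has shipped

Hi Jane,
Your order 1234 shipped today. You can track it from your account page.
"""

def score_email(raw):
    """Return (score, matched rule names). Higher means more red flags;
    the threshold that triggers analyst review is a local policy choice."""
    msg = email.message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg["Subject"] or "") + "\n" + body
    hits = [name for name, _w, pat in RULES
            if re.search(pat, text, re.I | re.M)]
    recipients = [r for r in (msg["To"] or "").split(",") if r.strip()]
    if len(recipients) >= MANY_RECIPIENTS:
        hits.append("many visible recipients")
    weights = {name: w for name, w, _p in RULES}
    score = sum(weights.get(name, 1) for name in hits)
    return score, hits
```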

How Can Brands Protect Themselves and Their Customers?

Brand empowers a business!

It takes years to establish a brand and to build trust among its customers.

The reputation of the organization relies solely on the brand. Once a customer is hit by a brand impersonation email, the customer’s trust in the brand is lost forever.

“Hacking of customer data could cause 80% of consumers to abandon your brand”

Moreover, it also affects market reputation, directly impacting brand equity.

Understanding Brand Impersonation

Having an understanding of brand impersonation attacks is the first step to stop these attacks from succeeding. Here is a snapshot of some of the key aspects of a typical brand impersonation attack.

[Image: attack summary]

Secure Internal Process

Securing internal processes helps prevent leakage of crucial information, including the customer email addresses that phishing campaigns are built on.
This can be done by:

  • Restricting database access to authorized users/employees only, which reduces the chance that customer data ends up in the hands of brand impersonators,
  • Creating awareness among the employees handling customer data, so that they understand confidentiality requirements and the risks of a data breach,
  • Identifying and reporting brand impersonation emails,
  • Encrypting sensitive information when it is transmitted over networks or stored online, which is always the safer way to handle such data, and
  • Implementing anti-phishing software solutions.

Customer/Employee Awareness

It is essential that organizations create awareness about phishing attacks among their employees and leverage technology to prevent such attacks.

Educating customers to help them identify and report phishing attacks should be a key action item in an organization’s strategy in preventing brand impersonation.

Here are a few best practices that employees should be made aware of:

  1. When something seems too good to be true, always suspect it.
  2. Social media platforms have their own way of marking ‘verified’ brands. Communicate with ‘verified’ brands only.
  3. Look for grammatical mistakes. Fraudsters are really not good with grammar.

When you are dealing with brands over email, remember the following points:

  • No online service provider will ever ask you to provide your username, password, credit card number, full name, bank account number, etc. through emails.
  • Genuine emails will not contain embedded links. They will never ask users to fill in information in forms.
  • They will never ask the user to download software programs from other sites or ask them to go to other sites apart from a known business site.
  • You should always visit the website by directly typing the address in the browser.
  • You should be suspicious of any email that has urgent requests for your personal information.
