Have you ever received an email from a trusted company saying that your account needs maintenance? The only problem: you don't have an account with that company. So why are they sending you an email? Most likely, it's scammers using a popular technique called brand impersonation.
Brand impersonation has become so popular that 83% of all spear phishing attacks use this tactic. A scammer sends a very legitimate-looking email, complete with a logo and what appears to be a legitimate email address. The goal is to get you to give up credentials or click on a malicious link. Some links take you to what, again, looks like a real website asking you to enter your login information to "fix" your account. These websites are actually hosted by the cybercriminal, and once you enter your data, they have it. Nearly 1 in 5 attacks involve the impersonation of a financial institution in order to gain access to your login, account numbers and other personal information. The most impersonated company, though, is Microsoft, which is used in 32% of known attacks.[1] If the cybercriminal can gain access to your email, they can monitor it without you knowing. Then they can learn details about you, send password resets from your valuable accounts and capture the resulting emails to log in.
What to look for
- Misspellings or a questionable domain name in the sender's email address
- Misspellings or a questionable domain name in any of the hyperlinks
- Vague description of the “issue” with your account
- If you click a link, check the web address it sends you to
- Is this normal practice for the company to communicate with you?
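The sender-domain and hyperlink checks in the list above can be automated. The following Python sketch is an added example, not part of the original article: the `TRUSTED` allowlist, the function names and the sample message are all assumptions made for illustration, and the domain extraction is deliberately simplified.

```python
import email.utils
import re
from urllib.parse import urlparse

TRUSTED = ("apple.com", "microsoft.com", "paypal.com")  # assumed allowlist
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):  # Levenshtein distance, catches near-miss spellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Simplification: last two labels; real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host):
    dom = registered_domain(host)
    if dom in TRUSTED:
        return "trusted"
    for t in TRUSTED:
        # Near-miss spelling, or the brand name buried in an unrelated domain.
        if edit_distance(dom, t) <= 2 or t.split(".")[0] in host.lower():
            return f"lookalike of {t}"
    return "unknown"

def check_email(raw):  # assumes a single-part message with an HTML body
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    targets = [("sender " + sender, sender.rpartition("@")[2])]
    mismatches = []
    for href, text in LINK.findall(msg.get_payload()):
        host = urlparse(href).hostname or ""
        targets.append(("link " + host, host))
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # domain shown to the reader
        if shown and registered_domain(shown.group()) != registered_domain(host):
            mismatches.append(f"link text shows {shown.group()} but goes to {host}")
    flagged = [f"{w}: {classify(h)}" for w, h in targets if classify(h) != "trusted"]
    return flagged + mismatches

SAMPLE = (  # constructed sample message, not a real email
    "From: Microsoft Account Team <security@rnicrosoft.com>\n"
    "Subject: Your account needs maintenance\n\n"
    '<a href="http://microsoft.com.account-fix.example/login">www.microsoft.com/account</a>\n'
)
```

Calling `check_email(SAMPLE)` returns three findings: the misspelled sender domain, the link whose real host only contains the brand name, and the mismatch between the address shown in the link text and the address it actually opens.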
Best practices to protect yourself
- Make sure the information presented in the email actually matches your use of that product (e.g., you receive an email about an iTunes purchase but haven't made any purchases).
- If you want to check your account, do not follow links in the email. Go to the company's website directly to log in.
- When in doubt, call the company to ask about your account.
- Send the fake email to the legitimate company. Many companies invest in the protection of their customers and will investigate brand impersonations.
- If you do make a mistake and type your user ID and password into an impersonating website, immediately go to your real account and change the password.
[1] Spear Phishing: Top Threats and Trends, US 1.0. Copyright 2019 Barracuda Networks, Inc. barracuda.com