Research Reveals 265 Different Brands Impersonated in Phishing Attacks

This week, we released our H2 2022 Email Threat Report, which explores the latest email attack trends, including the rise of brand impersonation in phishing attacks.
August 11, 2022

Over the past three decades, malicious emails have evolved from low-value, low-impact threats like spam and simple phishing to targeted high-value, high-impact attacks like ransomware and business email compromise. Easily evading traditional security solutions like secure email gateways (SEGs) and yielding significant ROI for threat actors, these socially-engineered attacks aren’t going anywhere.

This week, Abnormal released our H2 2022 Email Threat Report, focused on data from January to June 2022. The report explores the current email threat landscape and provides insight into the latest advanced email attack trends, including the rise of brand impersonation in credential phishing attacks.

Brands Remain King of Credential Theft

As with most modern email threats, credential phishing attacks have become progressively more complex in recent years and, therefore, more convincing. With increasing frequency, cybercriminals are using impersonation to leverage the familiarity and reputation of well-known brands and fool targets into providing their login credentials. In the first half of 2022, threat actors impersonated brands in 15% of phishing emails.

H2 2022 Threat Report Blog Percentage of Brands Impersonated

To make things even easier for attackers, the number of platforms and apps we use is always growing—as is the number of accounts we create for online portals. A report from LastPass found that employees at large enterprises manage an average of 25 passwords; at smaller organizations that number jumps to 85. And, as much as employers discourage it, the report revealed that employees reuse one password an average of 13 times.

Every software and website that requires you to provide your email address for access represents a phishing opportunity for cybercriminals—and they know it. And once they have access to the account, they can use it for all types of nefarious activities, from infiltrating additional platforms to stealing money from the account to buying products using your credit card.

Social Networks and Microsoft Products Most Impersonated

Of the more than 425,000 credential phishing attacks in which a brand was impersonated in the first half of 2022, 32% involved the impersonation of a social network, with LinkedIn being the most impersonated platform.

Because LinkedIn often sends emails with updates about profile views and search results, users are accustomed to receiving occasional, unsolicited emails from the platform. This means that in addition to more standard phishing emails that claim there is a problem with the account, threat actors can also recreate these other types of LinkedIn emails and include a link to a phishing site.

H2 2022 Threat Report Blog Linked In Phishing Email

After social networks, Microsoft products were the second most impersonated, with Outlook, OneDrive, Microsoft 365, and the parent company appearing in 20% of incidents. One of the reasons organizations use Microsoft is that the company provides a large suite of solutions applicable to every business use. The downside of this is that attackers will leverage that ubiquity and authority to convince employees they’re at risk of losing access to their inbox or important files.

And perhaps most concerning about Microsoft credential theft is that compromise of these accounts allow bad actors to use that email address to send other email attacks, impersonating real employees and hijacking ongoing conversations to redirect payments or request new fund transfers.

H2 2022 Threat Report Blog Microsoft Phishing Email

Attackers Favor Impersonating Brands with Best Potential ROI

Of the 265 individual brands that attackers impersonated, nearly one in four were in the financial services industry—including banks, credit card providers, and online payment processors. Fan favorites included American Express, PayPal, and Wells Fargo.

While this is somewhat unsurprising, it is still concerning. Gaining access to an organization’s banking or payment portal allows threat actors to transfer money to their own accounts, redirect incoming payments, send fraudulent payment requests, and steal sensitive financial information to use in future attacks.

H2 2022 Threat Report Blog Brands Impersonated in Each Category

Further, victims of such attacks may not be able to easily resolve the situation, and their accounts could be closed permanently. Not only does this impact their ability to use any other platforms connected to the account, such as billing and accounting software, but the company will also have to dispute fraudulent charges with their bank and pay any additional fees that result from the attack.

One other interesting thing to note is that of the approximately 25,000 attacks in which a business management software provider was impersonated, 27.4% involved a document management solution brand like DocuSign. From the target’s point of view, receiving an email with a request to log in to view or sign a document is far from unusual. And from an attacker’s point of view, gaining entry into an organization’s digital document repository means they have access to a wealth of proprietary and sensitive information.

The Evolving Threat of Credential Phishing

Credential phishing attacks represent a huge threat to organizations as a well-crafted (or even somewhat realistic-looking) phishing email can trick an employee into providing login credentials. But what makes phishing particularly dangerous is that once a threat actor has access to an internal account, they can launch even more costly attacks. Based on the data, advanced email threats will only become more sophisticated, more pervasive, and more damaging.

For additional data on how credential phishing impacts your industry as well as insights into supply chain compromise and business email compromise, download the email threat report.

Research Reveals 265 Different Brands Impersonated in Phishing Attacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More