Research Reveals 265 Different Brands Impersonated in Phishing Attacks
Over the past three decades, malicious emails have evolved from low-value, low-impact threats like spam and simple phishing to targeted, high-value, high-impact attacks like ransomware and business email compromise. Because these socially engineered attacks easily evade traditional security solutions like secure email gateways (SEGs) and yield significant ROI for threat actors, they aren’t going anywhere.
This week, Abnormal released our H2 2022 Email Threat Report, focused on data from January to June 2022. The report explores the current email threat landscape and provides insight into the latest advanced email attack trends, including the rise of brand impersonation in credential phishing attacks.
Brands Remain King of Credential Theft
As with most modern email threats, credential phishing attacks have become progressively more complex in recent years and, therefore, more convincing. With increasing frequency, cybercriminals are using impersonation to leverage the familiarity and reputation of well-known brands and fool targets into providing their login credentials. In the first half of 2022, threat actors impersonated brands in 15% of phishing emails.
To make things even easier for attackers, the number of platforms and apps we use is always growing—as is the number of accounts we create for online portals. A report from LastPass found that employees at large enterprises manage an average of 25 passwords; at smaller organizations that number jumps to 85. And, as much as employers discourage it, the report revealed that employees reuse one password an average of 13 times.
Every application and website that requires an email address for access represents a phishing opportunity for cybercriminals, and they know it. Once they have access to the account, they can use it for all types of nefarious activity, from infiltrating additional platforms to stealing money from the account to buying products with the victim’s credit card.
Social Networks and Microsoft Products Most Impersonated
Of the more than 425,000 credential phishing attacks in which a brand was impersonated in the first half of 2022, 32% involved the impersonation of a social network, with LinkedIn being the most impersonated platform.
Because LinkedIn routinely emails users about profile views and search appearances, users are accustomed to receiving unsolicited messages from the platform. So in addition to the standard phishing lure that claims there is a problem with the account, threat actors can recreate these routine notification emails and swap in a link to a phishing site.
After social networks, Microsoft products were the second most impersonated, with Outlook, OneDrive, Microsoft 365, and the parent company appearing in 20% of incidents. One of the reasons organizations use Microsoft is that the company provides a large suite of solutions applicable to every business use. The downside of this is that attackers will leverage that ubiquity and authority to convince employees they’re at risk of losing access to their inbox or important files.
Perhaps most concerning about Microsoft credential theft is that compromising one of these accounts allows attackers to send further email attacks from a legitimate address, impersonating real employees and hijacking ongoing conversations to redirect payments or request new fund transfers.
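The two patterns above, a LinkedIn-style notification that links to a phishing site and a Microsoft-style "you will lose access" lure, share one tell: the message claims a brand in the display name or subject, but the sending domain and the links belong to someone else. The following Python is an added illustration of that heuristic, not Abnormal’s detection logic and not code from the report. The per-brand domain allowlist and the three sample messages are constructed for the example; a real deployment would use a maintained brand list, a public-suffix library for domain parsing, and SPF/DKIM/DMARC results alongside this check.

```python
"""Heuristic brand-impersonation check for inbound mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the report): domains each brand legitimately sends
# from or links to. Real deployments maintain a much fuller list per brand.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com", "outlook.com"},
    "onedrive": {"microsoft.com", "live.com", "onedrive.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for the allowlist above;
    use a public-suffix library for real traffic (co.uk, etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(address):
    return registrable_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def body_text(msg):
    """Concatenate every text/* part so links in both HTML and plain parts are seen."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_brand_impersonation(raw_message):
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    text = body_text(msg)
    from_domain = domain_of(from_addr)

    # Which brands does the mail claim to be? Check the fields a target actually reads.
    claimed = [b for b in BRAND_DOMAINS if b in (display_name + " " + subject).lower()]
    findings = []

    for brand in claimed:
        allowed = BRAND_DOMAINS[brand]
        # 1. Brand in display name/subject, but sent from a domain the brand does not own.
        if from_domain not in allowed:
            findings.append(("sender_domain_mismatch", brand, from_domain))
        # 2. Links in a brand-themed mail that lead somewhere the brand does not own.
        for url in URL_RE.findall(text):
            host = registrable_domain(urlparse(url).hostname or "")
            if host not in allowed:
                findings.append(("offbrand_link", brand, host))

    # 3. Reply-To on a different domain than From: typical when a thread is being
    #    hijacked to redirect a payment conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch", from_domain, domain_of(reply_addr)))

    return {"claimed_brands": claimed, "from_domain": from_domain,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not real campaign data): a LinkedIn-style notification
# lure, a Microsoft 365 "mailbox deactivation" lure, and a benign LinkedIn mail.
LINKEDIN_LURE = """From: "LinkedIn" <notifications@linkedin-alerts.example>
To: jane@corp.example
Subject: You appeared in 9 searches this week
Content-Type: text/plain

See who is looking at your profile:
https://www.linkedin-secure.example/in/viewers?u=jane
"""

M365_LURE = """From: "Microsoft 365 Team" <admin@m365-notices.example>
Reply-To: helpdesk@m365-notices.example
To: jane@corp.example
Subject: Action required: your mailbox will be deactivated
Content-Type: text/plain

Your password expires today. Keep your current password here:
https://office365-verify.example/login
"""

LINKEDIN_REAL = """From: "LinkedIn" <messages-noreply@linkedin.com>
To: jane@corp.example
Subject: You have a new message
Content-Type: text/plain

Read it here: https://www.linkedin.com/messaging/
"""

if __name__ == "__main__":
    for name, raw in [("linkedin_lure", LINKEDIN_LURE), ("m365_lure", M365_LURE),
                      ("linkedin_real", LINKEDIN_REAL)]:
        print(name, check_brand_impersonation(raw))
```

The check deliberately keys on the brand the message claims rather than on the sending domain alone, because a lookalike domain such as `linkedin-alerts.example` passes SPF and DKIM for itself; authentication tells you the mail is genuinely from that domain, not that the domain is genuinely the brand.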
Attackers Favor Impersonating Brands with Best Potential ROI
Of the 265 individual brands that attackers impersonated, nearly one in four were in the financial services industry—including banks, credit card providers, and online payment processors. Fan favorites included American Express, PayPal, and Wells Fargo.
While this is somewhat unsurprising, it is still concerning. Gaining access to an organization’s banking or payment portal allows threat actors to transfer money to their own accounts, redirect incoming payments, send fraudulent payment requests, and steal sensitive financial information to use in future attacks.
Further, victims of such attacks may not be able to easily resolve the situation, and their accounts could be closed permanently. Not only does this impact their ability to use any other platforms connected to the account, such as billing and accounting software, but the company will also have to dispute fraudulent charges with their bank and pay any additional fees that result from the attack.
One other interesting thing to note is that of the approximately 25,000 attacks in which a business management software provider was impersonated, 27.4% involved a document management solution brand like DocuSign. From the target’s point of view, receiving an email with a request to log in to view or sign a document is far from unusual. And from an attacker’s point of view, gaining entry into an organization’s digital document repository means they have access to a wealth of proprietary and sensitive information.
The Evolving Threat of Credential Phishing
Credential phishing attacks represent a huge threat to organizations as a well-crafted (or even somewhat realistic-looking) phishing email can trick an employee into providing login credentials. But what makes phishing particularly dangerous is that once a threat actor has access to an internal account, they can launch even more costly attacks. Based on the data, advanced email threats will only become more sophisticated, more pervasive, and more damaging.
For additional data on how credential phishing impacts your industry as well as insights into supply chain compromise and business email compromise, download the email threat report.