Veteran web company Yahoo! has emerged as the most imitated brand in phishing attacks over the last three months of 2022, according to Check Point’s quarterly Brand Phishing Report, which highlights the organisations most frequently exploited by cyber criminals when trying to steal personal or credit card data.
Check Point’s research unit says it observed a 23% spike in illegitimate use of Yahoo!’s branding, accounting for 23% of all noted attempts. This appears to have been the result of a sustained campaign in which cyber criminals distributed emails with subject lines including “Awards Promotion” or “Award Center”, which informed the victims they had won hundreds of thousands of dollars in a contest organised by Yahoo!
Of course, no such contest existed – the objective of the campaign seems to have been to swindle targets out of their bank details, which were supposedly needed to transfer the “prize money”. The emails also contained a threat not to tell anybody about having won the prize, citing “legal issues”.
“We are seeing hackers trying to bait their targets by offering awards and significant amounts of money,” said Omer Dembinsky, data group manager at Check Point.
“Remember, if it looks too good to be true, it almost always is. You can protect yourself from a brand phishing attack by not clicking on suspicious links or attachments and by always checking the URL of the page you are directed to. Look for misspellings and do not volunteer unnecessary information.”
The surge in imitation of its branding was somewhat remarkable in that Yahoo! is hardly the online force it was in the 2000s – but in general the most phished brands remained technology and social media organisations, and logistics and shipping companies.
Predictably, campaigns using shipping as a lure – often in the form of a missed delivery notification – were highly active over the festive period, with DHL accounting for 16% of observed attempts in Check Point’s telemetry, placing it second behind Yahoo!
In third place was Microsoft, accounting for 11% of phishes; in fourth, Google, accounting for 5.8%; followed by LinkedIn, WeTransfer, Netflix, FedEx, HSBC and WhatsApp.
Some of the more widespread campaigns observed included a fake “blue tick” verification email purporting to come from Meta’s Instagram, and a malicious campaign exploiting Microsoft Teams, with the subject line, “You have been added to a new team”.
Both are likely to have been highly effective for their originators. The Instagram messages played on people’s desire for recognition, or to feel they are getting something others are not, a common feature of phishing campaigns, while the emails purporting to be from Microsoft exploited the widespread use of Microsoft Teams in today’s workforce by imitating its legitimate notification messages.
In general, the average person can quite easily spot a phishing email as long as they are paying attention. The UK’s National Cyber Security Centre (NCSC) recommends that people be inherently suspicious of emails that claim to come from an authority, such as a bank, government department or GP; that give them a limited time to respond to an offer; that induce feelings of panic, fear, hope or curiosity; that relate to something in short supply or hard to get, such as concert tickets or cheap flights; or that play on current events. At this time of year, Self Assessment tax returns and Valentine’s Day will likely feature.
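The NCSC cues above, together with the lures described earlier in this article (prize-money subject lines, demands for bank details, a “legal issues” threat, missed-delivery and “added to a new team” notices, brand names used from unrelated sending domains), can be turned into a first-pass triage rule for a mailbox or SOC queue. The following is an added example, not code from Check Point or the NCSC; the brand-to-domain mapping, the weights and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Brands from the Check Point report, mapped to legitimate sending domains
# assumed for this example (not data from the report).
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "dhl": {"dhl.com"},
    "microsoft": {"microsoft.com"},
    "instagram": {"instagram.com"},
}

# Lure cues from the article's campaigns and the NCSC list; each hit scores 1.
LURE_PATTERNS = {
    "prize_lure": r"\b(award|prize|won|winner|promotion)\b",
    "legal_threat": r"\blegal (issues?|action)\b",
    "bank_details": r"\b(bank|account|card) (details|number)\b",
    "time_limit": r"\b(within \d+ (hours|days)|expires?|immediately|urgent)\b",
    "delivery_lure": r"\b(missed|failed) delivery\b|\bredeliver",
    "teams_lure": r"added to a new team",
    "verification": r"\b(blue tick|verified badge|verify your account)\b",
}
IMPERSONATION_WEIGHT = 3   # brand named, but sender domain is not the brand's
THRESHOLD = 3              # score at or above this is flagged for review

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    suspicious: bool = False

def sender_domain(from_header):
    # Handles both 'Display Name <user@domain>' and a bare address.
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def triage(from_header, subject, body):
    text = f"{from_header}\n{subject}\n{body}".lower()
    dom = sender_domain(from_header)
    v = Verdict()
    for brand, domains in BRAND_DOMAINS.items():
        legit = dom in domains or any(dom.endswith("." + d) for d in domains)
        if brand in text and not legit:   # brand invoked from a foreign domain
            v.reasons.append(f"impersonation:{brand}:{dom}")
            v.score += IMPERSONATION_WEIGHT
    for name, pattern in LURE_PATTERNS.items():
        if re.search(pattern, text):
            v.reasons.append(name)
            v.score += 1
    v.suspicious = v.score >= THRESHOLD
    return v
```

A single lure hit on its own stays below the threshold, so a genuine DHL tracking mail is not flagged, while a prize mail that names Yahoo! from an unrelated domain and asks for bank details scores well above it; a legitimate message that merely mentions another brand in passing will still score the impersonation weight, so treat the output as a review queue rather than a block decision.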
The NCSC also operates an email reporting inbox for members of the public to send suspicious emails to. To use this service, simply hit the forward button on the email and address it to [email protected].
Launched at the height of the first Covid-19 lockdown, the service has received over 16 million emails to date, and as a result of the public’s input, the NCSC has been able to remove approximately 110,000 scams across 200,000 URLs.