Yahoo was the most impersonated brand for phishing attacks in Q4 2022, climbing 23 places and accounting for 20% of all attempts, a new study by Check Point Software found.
The Most Impersonated Are...
The vendor’s Brand Phishing Report for Q4 2022 lists the companies most frequently imitated by cybercriminals in phishing attempts to steal individuals’ personal information or payment credentials during the three-month period. Among IT giants, Microsoft and Google followed Yahoo.
Here’s the list by percentage of overall appearance in brand phishing attempts:
- Yahoo (20%)
- DHL (16%)
- Microsoft (11%)
- Google (5.8%)
- LinkedIn (5.7%)
- WeTransfer (5.3%)
- Netflix (4.4%)
- FedEx (2.5%)
- HSBC (2.3%)
- WhatsApp (2.2%)
Check Point found that among the most popular ruses used by cybercriminals was distributing emails with subject lines that suggested a recipient had won awards or prize money from senders such as "Awards Promotion" or "Award Center." The content made it appear that the recipient had won a prize from Yahoo.
Promises Not Kept
As with most phishing expeditions, the email recipient was prompted by the cyber crooks to send their personal information and bank details with a promise the threat actors would transfer the winning prize money to the account. The email also contained a warning that the target must not tell people about winning the prize because of legal issues.
In general, the technology sector was the industry most likely to be imitated by brand phishing in the last quarter of 2022, followed by shipping and social networks. DHL came in second place with 16% of all brand phishing attempts, ahead of Microsoft in the third spot with 11%. In DHL’s case, cybercriminals used the brand to generate bogus delivery notifications. LinkedIn also returned to the list this quarter, reaching fifth place with 5.7%.
“We are seeing hackers trying to bait their targets by offering awards and significant amounts of money,” said Omer Dembinsky, Check Point Software data group manager. “Remember, if it looks too good to be true, it almost always is. You can protect yourself from a brand phishing attack by not clicking on suspicious links or attachments and by always checking the URL of the page you are directed to. Look for misspellings and do not volunteer unnecessary information.”