Impersonation scams are everywhere: bad actors are constantly trying to convince you that they represent organizations like LinkedIn, PayPal, your bank, the FBI, the FTC, and the IRS as they look to steal your money and information. When it comes to phishing schemes, which typically try to trick you into handing over sensitive data or account credentials via malicious links, tech brands are (perhaps not surprisingly) among the most commonly spoofed.
A recent report from Check Point Research found that Microsoft was imitated in nearly a quarter of all branded phishing attempts in Q4 of last year—nearly double the next most-impersonated company.
The most popular brands for phishing scams
According to researchers, tech companies and social networks are consistently among the most popular brands for impersonators running phishing scams, with the following share in the final quarter of last year:
-
Microsoft: 22%
-
Google: 13%
-
Amazon: 9%
-
Apple: 8%
-
Facebook (Meta): 3%
-
PayPal: 2%
-
Adobe: 2%
-
Booking: 2%
-
DHL: 1%
-
LinkedIn: 1%
While you should always be on guard for common phishing tactics, it’s wise to be especially wary of unsolicited communication from any of the companies listed—especially if that communication is related to account security and/or urges you to click a link. We’ve covered at least one campaign involving nearly every brand here, all of which are known and largely trusted among users, making them prime targets for these types of scams. Check Point notes that stolen Microsoft and Google credentials are particularly valuable because they’re widely used in day-to-day workflows.
Common phishing tactics
Broadly speaking, a phishing scam starts with an email, text, or social media message that appears to be from a legitimate source. It likely asks you to update or verify personal information—often related to a payment or account security—with a link to what appears to be the company’s website or login page. Of course, this link leads instead to a spoofed version of that site designed to harvest your credentials, credit card number, bank details, or other personal data, which scammers can then use for identity theft, account takeover, or purchase fraud.
Note that while the above methods are among the most common, phishing can also happen via phone call, voicemail, and malicious browser pop-ups.
How to protect against branded phishing attacks
As we mentioned, just because you generally trust a company doesn’t mean you should blindly trust all communication from it. If you receive a message that is unprompted, sounds urgent, and is unrelated to any recent action on your part (such as a login attempt or bill payment), do not engage with it. Don’t click any links, open any attachments, or respond directly. Look out for typos and other errors, including the original sender—though as scammers have found ways to appear verified, this isn’t always an obvious red flag.
If you’re unsure about the contents of the message, go directly to the website or app and log in to see any legitimate alerts. A password manager offers an extra layer of security here, as it’ll protect you from entering credentials on a spoofed page.
Finally, enable a strong, phishing-resistant form of multi-factor authentication everywhere you can, and especially for high-use and high-value accounts like Microsoft and Google. If your credentials are compromised, threat actors won’t have that additional factor to utilize them.
Original Source: https://lifehacker.com/money/brands-scammers-often-impersonate?utm_medium=RSS
Disclaimer: This article is a reblogged/syndicated piece from a third-party news source. Content is provided for informational purposes only. For the most up-to-date and complete information, please visit the original source. Digital Ground Media does not claim ownership of third-party content and is not responsible for its accuracy or completeness.
