The FBI issued a warning today about recent spear-phishing email campaigns that target consumers of “brand-name companies” in attacks known as brand phishing. In coordination with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the bureau issued this alert as a public service notice through its Internet Crime Complaint Center platform.
“As consumers more routinely make purchases, conduct business, and receive support online and through mobile applications, cybercriminals continue to target brand-name consumers due to the sheer number of people using brand-name services and the level of trust and legitimacy associated with these companies,” the alert reads.
Targets are directed to phishing landing pages by various methods, including spam emails, text messages, or web and mobile apps that may imitate the identity or internet address of a company’s legitimate website. To steal their victims’ user passwords, financial data, or other sorts of personally identifiable information (PII), attackers embed login forms or malware in their phishing pages. Furthermore, by intercepting emails and compromising accounts, threat actors are likely creating tools that entice potential targets into disclosing information that can be used to defeat account security measures such as two-factor authentication (2FA).
According to the federal law enforcement agency, cyber thieves may be able to intercept emails containing 2FA codes, which are used to make substantial changes to online accounts, reset passwords, verify user access, or modify security rules and setup, before the account owner is contacted and becomes aware.
According to Check Point’s Brand Phishing Report for Q2 2021, the top five brands by appearance in brand phishing attempts are Microsoft (45 percent of all brand phishing efforts globally), DHL (26 percent), Amazon (11 percent), Best Buy (4 percent), and Google (3 percent).
The FBI has urged private sector partners to be cautious and assess their internal security standards, as well as give information on account security processes to their customers.
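The imitation of a company’s internet address described above can be screened for mechanically on the defender’s side. The following Python sketch is an added example, not part of the FBI alert or the Check Point report: it classifies a URL’s host as official, lookalike, or unrelated for the five brands named in the report. The official domains in `BRANDS`, the substitution table, and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains of the five brands named in the report.
BRANDS = {"microsoft": "microsoft.com", "dhl": "dhl.com", "amazon": "amazon.com",
          "bestbuy": "bestbuy.com", "google": "google.com"}
# Assumption: digit-for-letter swaps folded back before comparison.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(url):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Only the right-hand end of the host name decides who controls it.
    for brand, domain in BRANDS.items():
        if host == domain or host.endswith("." + domain):
            return ("official", brand)
    # Split on dots and hyphens so "brand-login" and "brand.com.other" both
    # expose the brand token, then compare after folding digit swaps.
    tokens = host.translate(FOLD).replace("-", ".").split(".")
    for brand in BRANDS:
        for token in tokens:
            # Short brand names match exactly only, to limit false positives.
            near = len(brand) >= 5 and edit_distance(token, brand) <= 1
            if token == brand or near:
                return ("lookalike", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    samples = [  # constructed URLs; .example is a reserved TLD
        "https://login.microsoft.com/common",
        "http://micros0ft-login.example/signin",
        "https://microsoft.com.account-check.example/",
        "https://dh1.parcel-update.example/track",
        "https://gooogle.example/",
        "https://example.org/docs",
    ]
    for url in samples:
        print(check(url), url)
```

The matching is a heuristic for triage of links found in mail or SMS gateways; it covers ASCII hosts only and will flag some legitimate names, so hits are candidates for review rather than verdicts.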