The Federal Bureau of Investigation (FBI) today warned of recently detected spear-phishing email campaigns targeting customers of “branded companies” in attacks known as brand phishing.
This warning was posted as a public service announcement through the office’s Internet Crime Complaint Center platform, in coordination with DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
Targets are sent to phishing landing pages through a variety of means, including spam emails, text messages, or web and mobile applications that can impersonate a company’s official website or online address.
Attackers embed login forms or malware into their phishing pages with the ultimate goal of stealing user IDs, payment details, or various other types of Personally Identifiable Information (PII) from their victims.
In addition to these ongoing phishing attacks, threat actors are also developing tools to trick potential targets into revealing information to bypass two-factor authentication (2FA) account protections by intercepting emails and by compromising the accounts.
“When cybercriminals gain access to a consumer’s online and email accounts, cybercriminals may be able to intercept emails with 2FA codes used to make significant changes to online accounts, update passwords, verify user access or change security rules and configuration before the account owner is notified and informed,” the federal law enforcement agency noted.
“The FBI has observed cybercriminals selling scam software and offering these tools with the appearance of their own ongoing technical support.
“Cybercriminals are financially motivated to develop these fraud tools to improve their scam tactics and more effectively harvest consumer credentials to compromise and take over account access.”
According to Check Point’s Brand Phishing Report for the second quarter of 2021, the top five brands by their appearance in branded phishing attempts are Microsoft (45% of all branded phishing attempts worldwide), DHL (26%), Amazon (11%), Best Buy (4%) and Google (3%).
Brand phishing defense recommendations
The FBI has encouraged private sector partners to remain vigilant and evaluate their internal security policies and provide their consumers with information regarding account security protocols.
If you are the victim of a branded phishing attack, you should contact your local law enforcement agency or the local FBI field office (contact details available at www.fbi.gov/contact-us/field-offices) and report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov immediately.
Consumers are urged to follow these recommendations to defend against phishing attempts:
- Beware of unsolicited email or social media contact from anyone you do not know personally and/or containing messages tricking you into opening a link or attached file.
- When you receive account alerts, rather than clicking a link in an email or text, choose to navigate to the website using the secure URL to view logs, messages, or notices.
- Closely check the spelling of web addresses, websites and email addresses that appear to be trustworthy but may be imitations of legitimate websites, including usernames and/or domain names/addresses (i.e., a capital “I” in place of a lowercase “L”, etc.).
- Use strong, unique passwords and don’t reuse the same password across multiple accounts.
- Do not store any important documents or information in your email account (for example, private keys in digital currency, documents with your social security number, or photocopies of a driver’s license).
- Enable 2FA and/or multi-factor authentication (MFA) options to secure online accounts, such as a phone number, software-based authentication programs/apps, a USB security key, or a separate messaging account (with a unique password that is not linked to other consumer accounts) to receive authentication codes for account logins, password resets, or updates to sensitive account information.
- If possible, do not use your primary email address to log into websites. Create a unique username not associated with your primary email address.
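The address-spelling check above can be automated. The following is an added example, not code from the FBI’s announcement or from the article: it folds visually confusable characters (capital I versus lowercase l, digit 0 versus letter o, “rn” versus “m”) before comparing a URL’s registrable domain against a list of brand domains, and separately flags a brand name that appears only as a label of an unrelated domain. The brand list is the article’s top five, used here as a constructed allow-list; `registrable_domain` assumes a plain two-label suffix (no public-suffix list), which is an assumption made to keep the example self-contained.

```python
from urllib.parse import urlparse

# Constructed allow-list: the five brands named in the article. Assumption: a
# real deployment would use the organisation's own vetted list of domains.
KNOWN_BRANDS = {"microsoft.com", "dhl.com", "amazon.com", "bestbuy.com", "google.com"}

# Visually confusable characters folded to one canonical form, so a brand
# domain and a suspect host compare equal after folding.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}
CONFUSABLE_CHARS = str.maketrans({
    "i": "l", "1": "l", "|": "l",   # capital I / digit 1 / pipe vs lowercase l
    "0": "o", "3": "e", "5": "s", "8": "b", "@": "a", "$": "s",
})


def fold(text: str) -> str:
    """Lower-case the text and fold confusable characters (sequences first)."""
    s = text.lower()
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, rep)
    return s.translate(CONFUSABLE_CHARS)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are not handled; enough for a demo."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


# Folded forms computed once: whole domain -> brand, and bare name -> brand.
FOLDED_BRANDS = {fold(b): b for b in KNOWN_BRANDS}
FOLDED_NAMES = {fold(b.split(".")[0]): b for b in KNOWN_BRANDS}


def classify_url(url: str) -> tuple:
    """Return (verdict, reason) for a URL.

    legit     - registrable domain is exactly a known brand domain
    lookalike - registrable domain equals a brand domain only after folding
    decoy     - a brand name appears in a label, but the registrable domain
                is something else (e.g. microsoft.com.security-alert.example)
    unknown   - nothing matched
    """
    if "://" not in url:
        url = "http://" + url  # urlparse only recognises a host after a scheme
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)

    if reg in KNOWN_BRANDS:
        return "legit", reg
    if fold(reg) in FOLDED_BRANDS:
        return "lookalike", f"{reg} resembles {FOLDED_BRANDS[fold(reg)]}"

    # Substring matching also catches brand-plus-hyphen names such as
    # amazon-support.com, but will flag innocent labels that happen to
    # contain a short brand name, so treat this verdict as a prompt to check.
    for label in host.split(".")[:-1]:
        for name, brand in FOLDED_NAMES.items():
            if name in fold(label):
                return "decoy", f"label '{label}' evokes {brand} but domain is {reg}"
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample URLs, not observed phishing addresses.
    for sample in [
        "https://login.microsoft.com/",
        "https://micr0soft.com/verify",
        "www.dhI.com",
        "https://microsoft.com.security-alert.example/login",
        "https://amazon-support.com",
        "https://example.org",
    ]:
        verdict, reason = classify_url(sample)
        print(f"{verdict:9} {sample}  ({reason})")
```

The folding step is what makes the “I versus l” advice mechanical: both the suspect host and every brand domain are reduced to the same canonical spelling before comparison, so a match after folding that was not a match before it is exactly a lookalike. The “decoy” verdict covers the other common layout, where the real brand name is present but sits in a subdomain or a hyphenated name on a domain the brand does not own.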
On Monday, the FBI and CISA also warned critical infrastructure partners and public/private sector organizations not to lower their defenses against ransomware attacks during the holiday season.
In October, the FBI informed the American public that malicious actors were actively using bogus unemployment benefit websites to harvest their sensitive financial and personal information.
The U.S. Federal Trade Commission (FTC) said in February that the total number of identity theft reports doubled last year from 2019, with a record 1.4 million reports in a single year.