The Yahoo brand was the most used in phishing scams in Q4 2022, appearing in one in five such emails. The online company skyrocketed in the rankings of such threats late last year, outpacing other commonly used names such as freight company DHL and tech names such as Microsoft, Google and LinkedIn.
A fake promotion with cash prizes was the bait used to steal victims’ personal and financial details. The draw was supposedly organized by Yahoo, under various names, and promised a prize of hundreds of millions of dollars, provided that the user filled out a registration form with their information within 48 hours and told no one about the win, for legal reasons.
“It’s important to remember that if a message offers something that seems too good to be true, you have to be suspicious,” explains Omer Dembinsky, manager of the data research group at Check Point Software, which released the ranking of brands most used in scams. He describes this as a common scam that still claims victims, and one that drove Yahoo’s surge to the top of the impersonation rankings.
The result also drew attention because it came in the middle of the end-of-year shopping season. E-commerce and delivery companies tend to be the most impersonated brands during the Black Friday and Cyber Monday periods, so Yahoo’s appearance at the top of the rankings points to a new interest among scammers in technology companies.
While 20% of fraud attempts used the internet company’s name, 16% imitated DHL communications, with false information and links about package shipments. Lures about account problems, service offers and other profile information round out the top 5, with Microsoft (11%), Google (5.8%) and LinkedIn (5.7%) on the list.
In the case of the Redmond company, for example, one of the main baits is Teams. Microsoft’s communication and video conferencing platform appears in phishing messages that announce fake messages or incoming calls from bogus senders, trying to induce the victim to click on links and visit fake websites, where they enter their login information. The risk here is greater for corporate accounts, whose data can be leaked and used in later attacks.
Check Point Research also draws attention to old scams that remain in use, such as the promise of an Instagram verification badge as a method of stealing credentials. Bogus partner offers of Adobe software licenses also feature prominently, as another way to steal personal, financial and login information.
“You can protect yourself against branded phishing attacks by not clicking on suspicious links or attachments, always checking the URL of the page the sender is directing you to,” points out Dembinsky. “Also look for misspellings in the message and do not provide unnecessary information.”