Research Identifies Prevalence of Brand Impersonation in Three-Year Cross-Industry Analysis

September 4, 2024

Author: Max Gannon

A frequently asked question in cybersecurity is “What affects me?”. Companies want to know not only what is affecting other companies but what is specifically affecting similar companies in their industry and is therefore likely to affect them. This report looks at data from July 1, 2021, to July 30, 2024 (approximately 3 years). The data focuses on spoofed brands seen in the top 10 industries Cofense provides services for, as well as the context these spoofed brands were seen in. For the top 10 industries there were 14 different spoofed brands.

Breakdown

As can be seen in Figure 1, Microsoft spoofing accounted for the vast majority of the emails seen, taking up 92.87% of the top spoofed brands. The next closest were Adobe and Webmail at 3.53% and 1.62% respectively. The last 11 of the top 14 spoofed brands only accounted for only 2.02% of the total, indicating exactly how often Microsoft, Adobe, and Webmail are being spoofed.

Figure1-png-WM.PNG

Figure 1: Top 14 spoofed brands seen in phishing campaigns targeting the top 10 industries seen by Cofense.

Brands

The following brands constitute the top 5 brands spoofed in each industry, for a total of 14 different brands. Details of each brand, such as the types of campaign it is most often associated with, the kind of spoofing usually seen with it, and the timeframe when it was most popular, are provided.

Adobe

Adobe-spoofing emails most frequently request a signature and occasionally links to Adobe’s legitimate signature page which contains a hyperlink to a credential phishing page. Adobe spoofing has been consistent over time and used by many threat actors of varying skill levels. Phishing email templates spoofing Adobe are frequently sold on the dark web. As seen in Figure 1, Adobe was the 2nd most popular spoofed brand.

Aeon Bank

Aeon Bank spoofing emails typically claim to require card usage verification, which requires the victims’ credentials. These were most seen during March 2024 through June 2024, June 2023 through July 2023, and June 2022 through September 2022. This brand only appeared in the top 5 spoofed brands in the Transportation industry and barely made it into the top 5 spoofed brands. Aeon Bank is known for being a popular bank in several Asian countries. It also works strictly online with no physical branches making email the primary method of contact. That allows threats spoofing of this brand likely more effective than other banks, as customers of Aeon Bank are more used to a fully digital experience.

Canada Post

Phishing emails spoofing Canada Post most heavily targeted the Retail industry. These emails typically utilized the familiar package notification theme and were most popular mid 2023 and have since tapered off. These emails were typically more visually advanced than some of their other shipping company spoofing counterparts with well-designed emails and phishing pages.

China Union Pay

China Union Pay spoofing phishing emails most heavily targeted the Manufacturing and Professional Services industries. Phishing emails spoofing this brand were most popular from December 2023 to February 2024. These emails were most commonly in Chinese and had a large amount of variance in their themes from basic notifications to salary adjustments to notices from the state tax department.

DHL

Phishing emails spoofing DHL have been consistently seen across the 3 years that this data covers. These emails also have relatively consistent volume year-round without significant spikes around the holidays, as covered in our Strategic Analysis on the topic. What is unusual about DHL spoofing emails is that they come in more languages than any other spoofed brand, including Microsoft. A quick examination yields over 12 distinct languages during the covered period. It also is the most common spoofed brand to be associated with malware rather than just credential phishing.

DocuSign

DocuSign-spoofing was only in the top 5 of one industry, Healthcare. Emails spoofing DocuSign were themed around the expected documents requiring a signature and a significant number of them claimed to deliver internal documents from HR requiring a signature. DocuSign-spoofing emails have had consistent volumes from 2021 to 2024 but were only used for delivering malware in large scale campaigns in early 2021.

Dropbox

Dropbox-spoofing was featured in the top 5 of only 2 different industries. Dropbox was also the brand most commonly associated with the use of HTML files as the first delivery mechanism. These HTML files were most commonly attached and hosted embedded credential phishing content. Legitimate Dropbox pages were used for credential phishing; however, these were less often seen compared to legitimate Adobe pages.

Facebook

Much like emails spoofing Meta, the majority of emails spoofing Facebook were themed around policy violations. Campaigns spoofing Facebook specifically rather than Meta are often indicators of threat actors reusing older templates from before everything was rebranded to Meta. Facebook spoofing has been consistently popular from 2021 to 2024. It is important to note that although spoofing of Instagram is listed separately, threat actors would often spoof Instagram but request credentials for Facebook/Meta.

Instagram

Instagram-spoofing emails, while not common at the time of this report, did appear most frequently in 2023. The most common themes of Instagram spoofing emails were related to “Verified Badges” in 2023 and “Copyright Infringement” in 2022. They were spread out evenly across 2021-2023 in terms of volume.

Internal

Emails that were marked as “Internal” spoofing were emails that spoofed the brand of the recipient’s company. This is a relatively common tactic; however, this technique only made it into the top 5 spoofed brands of 3 different industries. Messages using these kinds of brands typically had themes related to internally shared documents, such as benefits notifications or HR documents requiring interaction. A large number of these emails also used voicemail themes. Typically threat actors simply extracted the recipients domain from their email address and filled in the relevant areas with that.

Meta

Meta-spoofing emails were in the top 5 spoofed brands in only 2 out of the 10 industries featured. Meta is considered to be a combination of emails spoofing Meta, Instagram, and Facebook as these are now combined and are frequently spoofed interchangeably. However, they were typically some of the most fully featured emails with coherent narratives and believable topics and had some of the more advanced credential phishing pages. Additionally, threat actors seem to believe that Meta has recently become popular in Germany as almost half of the emails covered in 2024 were in German have been targeting German-speaking users at the time of this report, as half of the emails covered in 2024 spoofing Meta have been in German. The most commonly covered topic by emails spoofing Meta focused on policy violation. It is important to note that although spoofing of Instagram is listed separately, threat actors would often spoof Instagram but request credentials for Facebook/Meta.

Microsoft

Microsoft-spoofing emails were among the most varied, as threat actors have created several email themes, from MFA notifications to shared documents, as well as mailbox issues and voicemail notifications by simply including the Microsoft logo and supporting text in the email. As seen in Figure 1, Microsoft was by far the most popular spoofed brand. Due to Microsoft’s usage in a wide variety of contexts by a wide variety of threat actors, tracking trends over time is typically unreliable.

South African Post Office

Spoofing of the South African Post Office was common only in the Mining industry. These very specific emails were all in English and resolved around package delivery. These were common in 2022 and 2023 but appear to have sharply declined in volume in 2024.

Webmail

Webmail is a generic term used when a credential phishing page says nothing more than “webmail” and claims to be the email client for the victim’s company. These are typically seen when threat actors use a low budget or  entirely free phishing kit and are unable to replicate the victims’ company or spoof a common brand such as Microsoft. It is often indicative of a threat actor who is putting minimal effort into their phishing emails. Webmail’s place as the 3rd most commonly spoofed brand provides a  clear view regarding the amount of effort threat actors need to put in to capture credentials from users and bypass security measures.

Industries

This report focuses on the top 10 industries that Cofense sees receiving the highest volume of credential phishing emails containing a clearly defined spoofed brand. The following industries are included:

  • Finance and Insurance
  • Manufacturing
  • Mining
  • Retail
  • Real Estate
  • Healthcare
  • Utilities
  • Transportation
  • Professional Services
  • Information

Finance and Insurance

The Finance and Insurance industry is, as expected based on Figure 1, most at risk of emails spoofing Microsoft. The 2nd most commonly spoofed brand being Adobe is also expected as Adobe is the 2nd most commonly spoofed brand overall and highly relevant to an industry that frequently shares documents requiring signatures both internally and externally. Webmail  comes in at 3rd place, which is also predicted due to the low level and effort required, as well as being relevant in nearly every industry. DHL is frequently used to deliver hard copy documents, so its appearance in 4th place is logical. Meta spoofing emails were the 5th most common. Potentially threat actors may believe that the common Meta theme of copyright infringement is particularly relevant to business in this industry. This data can be seen in Figure 2.

Figure2-png-WM.PNG

Figure 2: Top 5 spoofed brands seen in phishing campaigns targeting the Finance and Insurance industry.

Manufacturing

Much like the Finance and Insurance industry, the 1st, 2nd , and 3rd place spoofed brands are Microsoft, Adobe, and Webmail respectively as seen in Figure 3. However, the prevalence of the 4th most common brand, China Union Pay, was unexpectedly popular in this industry. China UnionPay is based in China, making it appear that threat actors believe the Manufacturing industry is the most likely industry to have a relationship with a Chinese company or have Chinese manufacturing buildings and workers that might use China UnionPay, as this is one of the most common forms of payment in China and is widely accepted at most businesses and ATMs in mainland China. The position of DHL in 5th place is logical, as DHL is frequently used for engineering and manufacturing logistics. A chart detailing the top 5 spoofed brands in the Manufacturing industry can be seen in Figure 3.

Figure3-png-WM.PNG

Figure 3: Top 5 spoofed brands seen in phishing campaigns targeting the Manufacturing industry.

Mining

The first 3 positions of the brands seen spoofed by the Mining industry are Microsoft, Adobe, and Webmail respectively. In addition to engineering and manufacturing logistics, DHL is also known for being used for mining logistics and shipping heavy equipment, making it the  4th most often spoofed in credential phishing. The 5th position being taken up by the South African Post Office implies that a large number of companies in the Mining industry have interests in South Africa. The South African Post Office is also in the top 5 for only the Mining industry. A brand only being seen in the top 5 for only 1 industry indicates that threat actors targeting that industry have seen it to be beneficial for them to customize their phishing campaigns. A chart with the visualizing the top 5 spoofed brands in the Mining industry can be seen in Figure 4.

Figure4-png-WM.PNG

Figure 4: Top 5 spoofed brands seen in phishing campaigns targeting the Mining industry.

Retail

The relative positions of Microsoft and Adobe were seen to be placed in the 1st and 2nd most common spoofed credential phish respectively. DHL coming in 3rd is logical for this industry as DHL claims to be “a long-established partner of the retail and fashion industry”. Canada Post coming in 4th implies that threat actors believe at least one important part of Retail’s logistic chain passes through Canada. Webmail coming in 5th is unexpected, due to the vast popularity Webmail spoofing has over other industries. This implies that threat actors put more effort into DHL and Canada Post themed emails targeting the Retail industry than most other industries. The top 5 brands spoofed in the Retail industry can be seen in Figure 5.

Figure5-png-WM.PNG

Figure 5: Top 5 spoofed brands seen in phishing campaigns targeting the Retail industry.

Real Estate

The top 2 positions of spoofed brands targeting the Real Estate industry were Microsoft and Adobe, which placed in 1st and 2nd respectively. However, Adobe accounts for 7.5% of the spoofed brands which is much higher than in other industries. The next closest industry that Adobe takes 2nd place in is the Transportation industry at 4.5%, meaning that Adobe is nearly twice as popular in the Real Estate industry compared to any other industry. Threat actors have knowledge of exactly how many documents a new homeowner has to sign, and therefore have taken advantage of the Real Estate industry having an unusually large number of Adobe documents being shared externally. Internal spoofing coming in 3rd for the Real Estate industry is due to threat actors crafting a larger number of customized campaigns targeting this industry. Webmail comes in 4th place, indicating that although threat actors are willing to engage in customization, other threat actors are still targeting the industry with more basic campaigns. Lastly, Dropbox spoofing, which was only in the top 5 spoofed brands for the Real Estate industry, appeared to be only slightly less frequent than Internal or Webmail spoofing. The differences in the top 5 brands spoofed in the Real Estate industry can be seen in Figure 6.

Figure6-png-WM.PNG

Figure 6: Top 5 spoofed brands seen in phishing campaigns targeting the Real Estate industry.

Healthcare

The 1st and 2nd placed brands spoofed in the Healthcare industry are consistent with other industries, making up of Microsoft and Adobe respectively. Threat actor usage of Webmail in 3rd place implies that on average, threat actors targeting the Healthcare industry have a harder time gathering credentials through more niche and sophisticated attacks. Dropbox came in 4th and DocuSign came in at 5th most common. This implies that threat actors believe both shared documents and shared files are common in the Healthcare industry. This is not unexpected, as companies in this industry likely pass around a large number of records both internally and externally. A breakdown of the top 5 spoofed brands in the Healthcare industry can be seen in Figure 7.

Figure7-png-WM.PNG

Figure 7: Top 5 spoofed brands seen in phishing campaigns targeting the Healthcare industry.

Utilities

The Utilities industry once again saw Microsoft being the most commonly spoofed, However, this industry also saw that the 2nd, 3rd, and 4th placements taking up a larger share of the total than any other industry. This implies that messages targeting this industry were more varied compared to other industries. The inclusion of Internal spoofing in 3rd implies that the messages were more highly customized to target the recipient. Adobe coming in 4th  is expected, as it is a popular choice in every industry. Instagram placed 5th and appeared in only 1 other industry. In total, the Utilities industry saw the broadest range of spoofing and the most inconsistent amount of applied effort on the threat actor’s part. This suggests that the Utilities industry may have a larger variety of skill level in the threat actors targeting it than some other industries. The top 5 brands spoofed in the Utilities industry can be seen broken down in Figure 8.

Figure8-png-WM.PNG

Figure 8: Top 5 spoofed brands seen in phishing campaigns targeting the Utilities industry.

Transportation

The Transportation industry saw some of the heaviest spoofing of Microsoft and Adobe, which placed in 1st and 2nd place respectively, with 3rd through 5th place accounting for less than 1% of the total. This can be seen in Figure 9. One uncommon, spoofed company that was not seen in any other industry was Aeon Bank, which placed 3rd. Campaigns spoofing Aeon Bank were all in Japanese indicating that threat actors were specifically targeting Japanese speaking employees of the Transportation industry. Lastly, 4th and 5th place were Dropbox and Webmail respectively, however this number is minimal as the amount of Microsoft and Adobe spoofing was the highest. The overwhelming difference in the top 5 brands spoofed in the Transportation industry can be seen in Figure 9.

Figure9-png-WM.PNG


Figure 9: Top 5 spoofed brands seen in phishing campaigns targeting the Transportation industry.

Professional Services

The top 3 spoofed brands for the Professional Services industry are Microsoft, Adobe, and Webmail, being the 1st, 2nd, and 3rd most commonly spoofed brands respectively. The appearance of Meta as the 4th most popular brand, along with the fact that most Meta spoofing emails were themed around policy violation, implies that threat actors likely believe the Professional Services industry is one of the most likely to be immediately concerned with potential impacts to their social media pages. China UnionPay, appearing in only 1 other industry, emerged in 5th place. This suggests that threat actors believe that companies in the Professional Services industry are as likely to have business relations with Chinese companies, similar to the Manufacturing industry. The top 5 brands spoofed in phishing campaigns targeting the Professional Services industry can be seen in Figure 10.

Figure10-png-WM.PNG

Figure 10: Top 5 spoofed brands seen in phishing campaigns targeting the Professional Services industry.

Information

The Information industry’s 1st and 2nd place were taken by Microsoft and Adobe respectively. The spoofing of internal brands appearing in 3rd implies that threat actors targeting companies in the Information industry are willing to put forth more effort than some other industries. The absence of Webmail as a top 5 spoofed brand further reinforces this. Facebook and Instagram hold 4th and 5th place respectively. The presence of 2 social media platforms as spoofed brands indicates that threat actors believe companies in the Information industry are highly concerned with their public appearance. However, the appearance of Facebook rather than Meta implies that threat actors may be reusing older templates rather than generating new ones that are uniquely Meta themed. This data is visualized in Figure 11.

Figure11-png-WM.PNG


Figure 11: Top 5 spoofed brands seen in phishing campaigns targeting the Information industry.