Microsoft is still the brand most spoofed by cyber criminals attempting to conduct phishing attacks – but fraudsters are increasingly sending phony emails claiming to be the likes of Facebook and Amazon to steal login credentials, financial data and other information from victims.
An analysis of phishing URLs and most-impersonated brands in recent months has been conducted by cybersecurity company Vade Secure.
Microsoft remains the biggest brand copied by phishing attacks, with the number of unique malicious URLs in emails claiming to be from Microsoft up by 15.5% compared with last year.
Microsoft accounts are an obvious target for hackers given the number of users who have Outlook, Hotmail or Office 365 accounts.
Office 365 accounts are appealing targets because they could become a valuable asset for conducting large-scale attacks against enterprise networks, either by using the accounts to view and steal restricted files and data, or by using the legitimate address to phish other users and gain access to even more accounts.
Attacks spoofing Microsoft often claim that there's a problem with the user's account and that they need to log in via a link to solve the issue. This link leads to a spoof of the Microsoft Office 365 login page, which captures the email addresses and passwords entered and hands them to the attacker.
Meanwhile, fake URLs targeting Facebook accounts have grown by 176% in just a year, meaning that impersonating the social network is now the third most popular avenue of attack for phishing.
With billions of users, there's a vast number of Facebook accounts to potentially compromise, although for the most part, social media accounts aren't going to give attackers much of use beyond email addresses and passwords, plus a way to send new phishing messages to the friends of a compromised victim.
However, researchers note that the pervasiveness of Facebook, and the way in which the service is used to log in to other services, means that attackers who breach a Facebook account could use it to access other services the victim uses, potentially providing them with additional information that can be exploited in more lucrative campaigns.
"Microsoft Office 365 phishing is the gateway to massive amounts of corporate data, while gaining access to a consumer's Facebook log-in information could compromise much of their personal, sensitive information," said Adrien Gendre, chief solution architect at Vade Secure.
"The fact that we saw such a significant volume in impersonations of these two brands means that virtually all email users and organisations need to be on heightened alert," he added.
The report lists PayPal as the second most common brand spoofed by cyber criminals – although the number of malicious URLs targeting it has declined slightly.
It's another natural target for attackers because it's a trusted brand and it's one of the most widely used online payment services in the world.
These phishing attacks look to trigger urgency in the victim by claiming there's a problem with their account or that a purchase they never made has gone through, asking the user to click a link and enter their details, which are then stolen.
Other high-profile brands that attackers masquerade as include Netflix, Bank of America, Apple and the Canadian Imperial Bank of Commerce. Cyber criminals go after well-known brands, some of which are used to control finances, in the hope that their large user bases mean at least some recipients will fall for the lure.
But analysis of phishing URLs reveals that Amazon is quickly becoming a popular target for phishing attacks, with the number of malicious URLs up over 400% in just over a year and rocketing up to become the eighth most targeted brand by attackers.
Attackers appeared to increase activity around Prime Day, with phishing emails claiming to offer vouchers, prizes and other non-existent goods in an effort to steal accounts and the login details and payment information stored within.
Phishing attacks remain popular with cyber criminals because, put simply, they work – and they're cheap to send. However, they can be protected against with anti-phishing technology and end users can be trained to recognise dodgy emails.
"In reality, no solution will ever block 100% of threats so you need to be prepared for the unexpected. A critical first step is end user training so that employees can spot phishing emails. This requires augmenting structured training with on-the-fly, contextualized training that is tailored to specific bad behavior, such as clicking on a Microsoft phishing [link]," said Gendre.
Users who receive an email claiming to be from a certain company can check their account without clicking the link, by instead going directly to the company's website: if something really is wrong with their account, they can find out there.
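The spoofed-login-page technique described above works because the link in the email points somewhere other than the brand it names. The following Python script is an added example, not code from the article or from Vade Secure, showing the kind of check a mail filter or a cautious user can apply before anything is clicked: extract every URL from a message, compare its registered domain against an allow-list of the brand's real domains, and flag URLs that mention a brand name while resolving to an unrelated domain, as well as HTML links whose visible text names a different domain than the real target. The brand allow-list, the sample email and the crude registrable-domain logic are all constructed for illustration; a production deployment would use the Public Suffix List and a maintained domain inventory.

```python
import re
from urllib.parse import urlparse

# Illustrative allow-list of real domains and the keywords a lookalike URL
# tends to reuse. Constructed for this example; not an authoritative list.
BRANDS = {
    "microsoft": {
        "domains": {"microsoft.com", "microsoftonline.com", "office.com",
                    "live.com", "outlook.com"},
        "keywords": {"microsoft", "office365", "outlook", "onedrive", "sharepoint"},
    },
    "paypal": {"domains": {"paypal.com"}, "keywords": {"paypal"}},
    "facebook": {"domains": {"facebook.com", "fb.com"}, "keywords": {"facebook"}},
    "amazon": {"domains": {"amazon.com", "amazon.co.uk"}, "keywords": {"amazon"}},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
HOSTLIKE_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
TWO_PART_SUFFIX = {"co", "com", "org", "net", "ac", "gov"}


def registered_domain(host):
    """Crude registrable-domain extraction: the last two labels, or the last
    three for two-part suffixes such as co.uk. Real code should use the
    Public Suffix List instead of this approximation."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIX
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (brand, verdict); verdict is 'legitimate', 'lookalike' or 'unknown'.

    The allow-list is checked first so that a real login host such as
    login.microsoftonline.com is not flagged just because it contains a keyword."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    rdom = registered_domain(host)
    haystack = (host + parsed.path).lower()
    for brand, info in BRANDS.items():
        if rdom in info["domains"]:
            return brand, "legitimate"
    for brand, info in BRANDS.items():
        if any(k in haystack for k in info["keywords"]):
            return brand, "lookalike"
    return None, "unknown"


def scan_email(body):
    """Classify every URL found in a plain-text message body."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(body)]


def anchor_mismatches(html):
    """Return (href, shown_host) pairs where the visible link text names a
    different registered domain than the href actually points to."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = HOSTLIKE_RE.search(re.sub(r"<[^>]+>", "", text))
        if not shown:
            continue  # text like "Log in" says nothing about the destination
        href_host = urlparse(href).hostname or ""
        if registered_domain(shown.group(1)) != registered_domain(href_host):
            out.append((href, shown.group(1)))
    return out


# Constructed sample messages in the style the article describes: an "account
# problem" lure with a lookalike URL, one real Microsoft login URL, and a
# PayPal lure whose host merely starts with paypal.com.
SAMPLE_EMAIL = """Your Office 365 mailbox has exceeded its quota.
Verify now: https://office365-verify.example-host.net/login?user=you
Or manage your account at https://login.microsoftonline.com/
Payment failed: http://paypal.com.account-update.example/signin
"""
SAMPLE_HTML = ('<p>Please <a href="http://paypal.com.account-update.example/signin">'
               'https://www.paypal.com/myaccount</a> now, or see '
               '<a href="https://www.paypal.com/help">paypal.com</a>.</p>')

if __name__ == "__main__":
    for url, brand, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {brand or '-':10} {url}")
    for href, shown in anchor_mismatches(SAMPLE_HTML):
        print(f"display mismatch: text says {shown}, link goes to {href}")
```

The two functions implement the two halves of the advice in the article: `classify_url` catches the "brand name in the hostname, but not the brand's domain" pattern used by spoofed Office 365 and PayPal pages, and `anchor_mismatches` catches links whose visible text is a genuine-looking address while the real target is elsewhere. Either verdict is a reason to ignore the link and go to the real site directly.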