Global phishing attacks increased by 34% in 2024 compared with 2023, with the HoxHunt Phishing Trends Report identifying millions of new phishing sites reported monthly. 91% of these cyberattacks start with a simple phishing email, where attackers aim to deliver malware or steal credentials through a user’s inadvertent click on a malicious link. (“Wait, so I didn’t win a free iPad?”)

Understanding the anatomy of a phishing attack is a crucial step in defending customers from a phishing scam that takes advantage of your brand to launch an attack. After all, when a customer (or employee) falls victim to a phishing scam from a company impersonating your own — they won’t care that you didn’t even know it was happening. The reputational damage and the blame may still fall squarely at your door. 

Gone Phishing: What are the Most Common Types of Phishing Scam?

Phishing and more specifically, brand impersonation is one of the most successful tactics that cybercriminals use to steal data and launch attacks (T1598/T1566 in the MITRE ATT&CK framework). It relies on human vulnerability, and often plays on fear or excitement in order to encourage individuals to act without caution, exploiting their trust. Phishing campaigns are highly scalable and versatile, and can be tailored to attack specific industries, individuals, or enterprises. Here are four common types of phishing attack vectors to consider, where criminals may impersonate your brand: 

1. Websites: An attacker can create a false website which mimics a legitimate business, including an eCommerce site that takes financial details from its users, a government or healthcare portal, or a business login page. Individuals are then tricked by email or text message to click on a link that directs them to the false site. Here, they enter their credentials or personal information, which can then be harvested by the attackers. In one example, the Real Estate industry was targeted by phishing emails directing them to a fake Microsoft 365 login page, which was able to steal thousands of credentials, including potential password variations or previous passwords that could then be sold on the Dark Web. 
2. Social media: While many individuals are wary of their email inbox, social media can often be a more trustworthy ground for attackers to leverage. By impersonating trusted brands or sending direct messages through social media, attackers can leverage the casual nature of social media to attract users to click on a malicious link. In 2020, scam tweets from accounts pretending to be high-profile individuals such as Elon Musk asked users to send Bitcoin to a specific cryptocurrency account, and more than 130 users fell victim to the scam, with the attackers obtaining over $100,000. 
3. Mobile apps: With the rise of “there’s an app for that” culture, mobile applications are another popular attack vector. Individuals are used to providing apps with permissions, but when these are excessive, and if the app is not legitimate, this can allow attackers to steal information or inject malware onto a device. In 2023, Microsoft reported a scam involving banking trojans which lured users to download a malicious banking application. Once users click on the link, this action installs a malicious APK file on their device. The APK file installs an app which impersonates a legitimate banking organization, and is then able to ask for login information and personal and financial details to harvest for further use. 
4. Business Email Compromise (BEC): Finally, BEC scams target organizations by impersonating specific individuals such as executives, supply partners, or trusted colleagues. In 2023, BEC losses were the second-highest of any cyber attack. After all, even if you pause for thought, when an email comes from your boss or your most valued customer, you’re much more likely to agree to transfer funds or share confidential information. BEC scams are different from other phishing attacks as they are not distributed at scale, but rather carefully crafted to mimic an individual. By impersonating trusted individuals, in 2022 criminals were able to steal more than $11M from Medicare and Medicaid programs run by government entities. 

Hook, Line, and Clicker: How is a Phishing Attack Delivered?

While for the victim, an attack begins at the click — for attackers, the work starts long beforehand. Attackers need to gather information about their target during reconnaissance, collecting crucial elements such as email addresses, social media profiles, or the structure of an organization so that attacks can land in the right places and be as convincing as possible. 

Next, criminals craft the bait they are using, for example choosing the right branding, logos or language that matches the business or person they are impersonating. When building a website, registering a domain name which will help fool the victim is also a priority. Lookalike domains, typosquating and subdomains are a common tactic when impersonating a brand.

They can also use social engineering tactics such as emotional triggers to encourage people to click. Fear tactics like “unusual activity has been identified in your bank account” or the use of excitement such as “you’re invited to meet Beyoncé!” are common. (No? Just me?)

Now it’s time for the delivery of the phishing attack. While email is the most common method, SMS, social media and even phone calls are also prevalent. The attack is usually delivered by a malicious link or an attachment, which takes users to false websites or initiates a malware download automatically. 

Attackers can now focus on exploitation. They have access to harvest sensitive data, they can install malware onto the device, or they can manipulate the user into taking next steps such as transferring money to their account. When credentials are stolen, they can then be monetized by selling them on the Dark Web, using them for identity theft or to launch a ransomware attack. 

Netting the Scammers with Brand Monitoring and Threat Intelligence

When cybercriminals use your brand to trick users into giving up their data, it’s not only the customers who experience the fallout. For the brand, there is reputational, operational, financial and even legal damage to contend with. U.S. financial services provider Synapse reportedly lost $85M in customer funds in part due to online fraud, contributing to its ongoing bankruptcy proceedings. Short version? It’s never been more important to protect your brand against being used as bait in a phishing scam against another organization. 

Luckily, brand monitoring and Cyber Threat Intelligence (CTI) is a powerful ally against brand impersonation. By monitoring newly-registered website domains as well as similar or lookalike domains, an organization can act preemptively to have a malicious website taken down if there is a sign of suspicious activity. Similarly, social media monitoring can give you insight into brand impersonation attacks or executive impersonation attacks at the earliest stage, and monitoring app stores and browser extension platforms can give you eyes there, too. 

Ending the Catch and Release Cycle of Phishing for Good

With the growth in Gen AI tools, phishing is becoming an even greater threat. According to the Harvard Business Review, “the entire phishing process can be automated using LLMs, which reduces the costs of phishing attacks by more than 95% while achieving equal or greater success rates.”

However, organizations are not powerless to protect themselves against brand impersonation, and we’re not talking about curating another anti-phishing awareness email for your consumers. Instead, by understanding where brand impersonation can occur, and adopting a proactive defense strategy that monitors criminal activity to identify risk long before it arrives in a consumer’s inbox, enterprises can significantly reduce the threat and limit the impact of brand impersonation. By leveraging Cyber Threat Intelligence to proactively monitor for Phishing and Brand impersonation, these threats can be detected early on, blocked on all major browsers and platforms within minutes and fully taken down within hours!

Interested in adopting a proactive approach to Phishing and Brand Protection? 

Speak to an expert and let’s get started.