10 Spoofing Facts You Need to See
These Spoofing Facts Can Help You Avoid a Brand Impersonation Nightmare
Spoofing or brand impersonation is a popular tactic that cybercriminals use to perpetrate phishing attacks. By making messages seem routine or faking that a message came from a well-known and trustworthy brand, the recipient is less likely to suspect that a message is malicious. Spoofing is a serious danger to business security that employees face daily and is commonly used in business email compromise schemes — the most expensive cyberattack a business can experience. It’s also frequently used as a tool in social media fraud, credential compromise, account takeover and other dangerous cyberattacks. Learning more about spoofing and brand impersonation can help IT professionals and potential victims spot this danger and guard against it effectively.
10 Spoofing Facts to Know
- 25% of all branded emails that companies receive are spoofed or brand impersonation attempts.
- Brand impersonation has risen by more than 360% since 2020.
- 97% of employees cannot recognize sophisticated phishing threats.
- 98% of cyberattacks contain one or more elements of social engineering like spoofing.
- 98% of organizations received a threat from a supplier domain in 2021.
- One-quarter of all email phishing attacks in Q4 2021 spoofed UPS or DHL.
- Brand fraud in 2021 was 15 times higher than in 2020.
- 1 in 3 employees is likely to click the links in phishing emails.
- 45% of employees click emails they consider to be suspicious “just in case they are important.”
- 1 in 8 employees is likely to share information requested in a phishing email.
Spoofing Facts Spotlight: Microsoft
Microsoft is one of the most spoofed brands that employees encounter. Why? Employees handle a lot of Office files, including via email. These Microsoft spoofing facts offer a snapshot of the scope of the danger presented by this type of brand impersonation.
- Approximately 145 million people use Teams/Office 365 every day.
- Just under 50% of malicious email attachments arrive in Microsoft Office formats.
- Microsoft Office formats like Word, PowerPoint and Excel are popular file extensions for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks.
- The next most popular delivery method is archived files, such as .zip and .jar, which account for about 37% of malicious files.
Spoofing Facts About Social Media Fraud
Spoofing/brand impersonation is a hallmark tactic of social media phishing. The faceless nature of social media makes it ripe for fraud and that’s a problem for businesses as well as consumers. In January 2021, organizations experienced about 34 social-media-related phishing attacks per month. However, in June 2021, this number rose closer to 50, representing a 47% increase through the first half of 2021. By September 2021, organizations were looking at around 61 social-media-related phishing attacks per month – a shocking 82% increase in just three quarters. Cybercriminals are always working to exploit the current hot social media platform. Right now, that means littering TikTok with spoofed messages and suspicious ads.
Most Counterfeited Luxury Brands on TikTok
Hashtagged brand impersonation/spoofed posts in 2021 (in views)
- Gucci 13.6 million
- Rolex 11.7 million
- Louis Vuitton 2.08 million
- Dior 282,700
- Chanel 163,181
Source: The Fashion Law
Spoofing Facts About Suspicious Subject Lines
Caution when handling branded email can help reduce the chance of interacting with a phishing message. Subject lines that feature oddities like “Warning,” “Your funds has…” or “Message is for a trusted…” should set off alarm bells, especially if the subject line demands urgent action. There are a few red flags that are tip-offs that a branded email may be spoofed or faked instead of a genuine message from that brand.
Common subject lines of spoofing messages aimed at businesses
- Reset Password Required
- Update Payment Information
- Failed Delivery Attempt
- Immediate Action Required
- Account Security Alert
- Final Notice
- Overdue Invoice
- Pending Invoice
- Tracking Link Enclosed
- Pending Customs Fees
Other Red Flags That Could Indicate Spoofing
Spoofing is generally a facet of phishing. These red flags in suspicious messages often point to spoofing.
An improper or unprofessional greeting
If the greeting seems strange, be suspicious. Is the greeting in a different style than you usually see from this sender? Is it generic when it is otherwise usually personalized, or vice versa? Anomalies in the greeting in a message are clues that it may not be legitimate.
A message sent from an unofficial or unusual domain
Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. For example, if a message carrying a security warning says it is from “[email protected]” instead of “[email protected],” it’s likely phishing.
Odd word choices and grammar
This is a hallmark test for a phishing message. Check for grammatical errors, usage mistakes, data that doesn’t make sense, variances in the company name or address, strange word choices and problems with capitalization or punctuation. An error-filled message is probably phishing.
Unusual spelling mistakes and emojis
Even major brands sometimes send out messages with spelling errors. However, a message riddled with errors isn’t likely to be legitimate. Also, some brands do use emojis in email subject lines, but they are rarely used in the body of a major branded email. Emojis in the text could mean phishing.
Variations in style or choppiness
Sometimes, when bad actors spoof emails, they only replace some of the text. If a message is choppy or contains parts that don’t fit the rest, be wary. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. These are common indicators of a spoofed message.
Strange links
Malicious links are a cybercriminal’s best friend and a common way through which malware is distributed. Links that don’t go to the official domain or social media account of the company that supposedly sent the message are dangerous and could be attempts to phish or deploy ransomware.
If it’s too good to be true…
Be cautious about interacting with messages from celebrities, government agencies and companies, especially if they seem tailor-made for you. For example, the U.S. federal government will never ask you for PII, payment card numbers or financial data through an email message.
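Three of the red flags above (an unofficial sender domain, links that leave the brand's official domain, and the common subject lines listed earlier) can be checked mechanically during mail triage. The following is an added example, not code from the original article: the brand-to-domain map, the function names and the sample message are constructed for illustration, and it assumes plain-text, unencoded message bodies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: defender-maintained map of brand name -> official domains (constructed).
OFFICIAL_DOMAINS = {"examplebank": {"examplebank.example"}}

# Subject lines from the list on this page, lowercased for matching.
SUSPECT_SUBJECTS = [
    "reset password required", "update payment information",
    "failed delivery attempt", "immediate action required",
    "account security alert", "final notice", "overdue invoice",
    "pending invoice", "tracking link enclosed", "pending customs fees",
]

def is_official(host, domains):
    """True only for an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def spoofing_flags(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    subject = (msg.get("Subject") or "").lower()
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    flags = {"sender_mismatch": False, "offbrand_links": [],
             "subject_hits": [s for s in SUSPECT_SUBJECTS if s in subject]}
    claimed = display.lower().replace(" ", "")
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand not in claimed:
            continue  # the display name does not claim this brand
        flags["sender_mismatch"] = not is_official(addr.rpartition("@")[2], domains)
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlparse(url).hostname
            if not is_official(host, domains):
                flags["offbrand_links"].append(host)
    return flags

# Constructed sample message (not taken from the page).
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-support.test>
Subject: Immediate Action Required: Account Security Alert

Verify now at https://examplebank.example.login-check.test/verify
or read https://www.examplebank.example/help
"""

if __name__ == "__main__":
    print(spoofing_flags(SAMPLE))
```

The suffix match in `is_official` is what catches a lookalike host that merely starts with the brand's domain. The check reads only the visible headers and body text, so a message that passes it is not thereby shown to be genuine.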
Spoofing Facts Tell the Tale: Employees Need Training to Avoid Danger
Security and compliance awareness training is a powerful weapon against cyberattacks of all kinds, including spoofing. Security awareness training empowers employees to resist phishing lures and to spot and stop cyberattacks before they start. It also reduces a company’s chance of experiencing a damaging cybersecurity incident by up to 70%. Get started quickly using BullPhish ID.
- Don’t just train employees about phishing. Get them up to speed on threats like ransomware, smart security behaviors and compliance too.
- Make training and tracking a snap with personalized portals for every user, enabling trainers to painlessly track and assign training.
- New videos and phishing kits are added every month.
- Use premade plug-and-play kits and videos, or customize training materials to reflect the unique industry threats that employees face daily.
- Rely on the top phishing simulation solution in the channel.
Let us help you get a strong phishing defense in place right away to lower data breach risk fast. Contact an ID Agent solutions expert now for a personalized demo of our award-winning solutions.