Consumers need to be wary of messages that claim to be from top American brands, a new report says.
Amazon was the brand most “impersonated” by phishing attackers in 2020, accounting for 41.5% of all complaints to the Federal Trade Commission, totaling 1,262 phishing incidents, CrowdStrike said, adding that many more went unreported.
Apple accounted for 33.3%, with 1,012 complaints. Together these tech giants accounted for 74.7% of all impersonation complaints analyzed, CrowdStrike said.
The top 5 brands in 2020 exploited by scammers were Amazon, Apple, the Social Security Administration, Microsoft and Bank of America, according to a study by CrowdStrike.
The Social Security Administration (SSA) was third in the ranking of organizations faked by scammers. And among all U.S. federal agencies, the SSA accounted for 91.8% of phishing scam complaints, CrowdStrike said.
The ranking is based on a Freedom of Information Act request to the Federal Trade Commission by CrowdStrike that asked about the total number of phishing scams involving the top 50 brands and all U.S. federal agencies.
Phishing is a serious cybersecurity problem in the U.S., costing Americans over $54 million in 2020, according to the FBI. Typically, phishing scammers are after your password and other account information. Or they may try to get you to download a malicious file that will install viruses. Phishing typically is done via email, SMS, phone, or social media.
A typical scam cited by CrowdStrike “incentivizes the user to manually download and execute” files. In one example, if you click on the attached file, a trojan infects your computer with malware that does keystroke logging, often for the express purpose of stealing your password.
An email containing a malicious file or link which deploys malware when clicked by a recipient is a common tactic cited by the FBI in its 2020 Internet Crime Report.
What to watch out for
CrowdStrike says the typical red flags of phishing messages include:
Asks for sensitive information: legitimate businesses won’t ask for credit card information, Social Security numbers or passwords by email and will not send you a link to log into a system outside of their website, CrowdStrike said.
Uses a different domain: a message from Amazon will come from “@amazon.com.” It won’t come from “email@example.com.”
Contains links that don’t match the domain: Hover the cursor over any links. If they don’t take you to the brand’s site, they’re bogus.
Includes unsolicited attachments: legitimate companies don’t send attachments. Never click on an attachment.
Is not personalized: the message addresses you as “Dear Valued Member” instead of by your name.
Poor spelling and grammar: phishing emails often contain excessive grammatical errors.
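Several of the red flags above can be checked mechanically. The following is an added example, not code from CrowdStrike or the report; the function names, wording patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message (not a real phishing email); example.net is a stand-in host.
SAMPLE = """\
From: "Amazon Support" <billing@amazon-account-check.example.net>
Subject: Action required
Content-Type: text/html

<p>Dear Valued Member,</p>
<p>Confirm your password and credit card at
<a href="http://login.example.net/amazon">https://www.amazon.com/signin</a></p>
"""
# Wording red flags from the list above; the exact patterns are illustrative assumptions.
PATTERNS = {"asks-sensitive-info": r"password|credit card|social security",
            "generic-greeting": r"dear (valued )?(member|customer|user)"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # record the real target, not the text shown to the reader
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, brand_domain):
    host = (host or "").lower().rstrip(".")  # exact match or a true subdomain only
    return host == brand_domain or host.endswith("." + brand_domain)

def red_flags(raw, brand_domain):
    msg = message_from_string(raw)
    flags = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_host, brand_domain):
        flags.append("sender-domain")
    body = ""
    for part in msg.walk():
        if part.get_filename():  # any named part counts as an attachment
            flags.append("attachment")
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    parser = LinkCollector()
    parser.feed(body)
    if any(not in_domain(urlparse(h).hostname, brand_domain) for h in parser.hrefs):
        flags.append("link-domain")
    flags += [name for name, rx in PATTERNS.items() if re.search(rx, body, re.I)]
    return flags
```

The sender check reads only the visible From header, which can itself be forged, so a message that raises no flags here is not thereby shown to be genuine.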
Americans can report phishing attacks to: firstname.lastname@example.org.