Email Security

    FBI: ‘Scampages’ Raise Stakes for Email Security, Brand Protection

    FBI warns ‘as-a-service’ brand impersonation and email phishing attacks can bypass two-factor authentication and compromise email accounts.  

    by Mike Azzara

    Key Points

    • The FBI announced last week it has discovered cybercriminals targeting brand-loyal consumers with email phishing scams that can compromise their corporate email accounts.
    • Cybercriminals are impersonating brands “due to the sheer number of people using brand-name services and the level of trust and legitimacy associated with these companies,” the FBI said.
    • What’s worse, cybercriminals are distributing such hacking tools as a “type of product-as-a-service” — including ongoing technical support — thereby enlisting lesser criminals without programming skills.

    Together with the U.S. Cybersecurity and Infrastructure Security Agency, the FBI released a public service announcement (PSA) last week cautioning businesses and consumers to beware of a rampage of fake websites (scampages) and related phishing emails that lure brand-loyal buyers to reveal personal information by impersonating their favorite brands. 

    According to the PSA, these are multi-layered scampage campaigns that can bypass two-factor authentication (2FA), especially if the second factor involves sending confirmation codes to an email address.[1] When the scammers detect that a person is using their email address as the user ID for a branded account, they can redirect that person to a lookalike page for the same domain as the email address in an attempt to steal the user’s email account login and password. With that information, brand impersonators can intercept 2FA notifications, which means they can reset passwords and take over the user’s accounts at any brand-name websites where the person regularly buys or conducts other business.

    As has happened in the past with sophisticated hacker technology, the criminals behind this rising tide of scampages are distributing their software as a kind of “product-as-a-service” that includes “their own ongoing technical support,” according to the FBI. This dramatically increases the volume of attacks by permitting even non-technical criminals to create scampage campaigns.

    Both the FBI and Mimecast’s own past research suggest ways organizations can protect themselves from impersonation attacks, whether their own brand is being impersonated or attackers are impersonating another brand in order to compromise your company’s IT infrastructure. 

    How to Avoid Brand Exploitation Attacks

    Mimecast’s The State of Brand Protection 2021 (SOBP) report concludes that a combination of technology and employee training is required to protect against business email compromise and phishing attacks that use brand impersonation tactics. The SOBP research recommends that organizations:

    • Train: A study comparing Mimecast customers with and without awareness training showed that employees in organizations without training clicked on malicious links an average of 13.6 times more often than those with training.
    • Collaborate: Specifically, security professionals should work closely with the organization’s marketers, who are usually charged with protecting the brand. One interviewee in the SOBP report said: “Security teams should be riding alongside and shooting down fraudulent websites as they pop up so that they don’t get in the way of marketers’ leads.”
    • Monitor: Marketers and C-suite executives are always surprised at how much their brands are being exploited by cybercriminals — but brands only learn the extent of the problem when they actually monitor for it. Otherwise, the exploitation is virtually invisible to the victimized brand. Measuring the problem enables action.
    • Outsource: Third-party protection services are less costly and more effective than doing the work in-house, according to research from Frost & Sullivan. Mimecast’s Brand Exploit Protect service, for example, is solely focused on identifying and taking down malicious brand impersonation sites.
    • Deploy DMARC: With the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication standard, organizations can identify emails that impersonate their brands and authenticate their legitimate emails so that they don’t end up in a spam folder. But DMARC requires monitoring, strategic analysis and planning.
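
    To illustrate the monitoring and planning that DMARC needs, here is an added example (not from Mimecast or the SOBP report) that audits a published DMARC TXT record for settings that leave a brand's domain spoofable. The records and the example.com addresses are constructed sample data, and the wording of the findings is this example's own.

```python
# Added example: audits a DMARC TXT record (RFC 7489 tag=value syntax).
# All domains and records below are constructed sample data.

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skips empty trailing segments
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> list:
    """Return findings; an empty list means an enforced, monitored policy."""
    # RFC 7489: the v tag must come first and be exactly DMARC1.
    first = record.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return ["not a DMARC record (v=DMARC1 must be the first tag)"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to monitor")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings

SAMPLES = {  # constructed records for the placeholder domain example.com
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, audit_dmarc(rec) or "OK")
```

    The record string itself comes from the TXT record at _dmarc.<your domain>; fetching it is left to whatever DNS tooling the organization already uses.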

    FBI Brand Protection Recommendations

    For its part, the FBI’s PSA “encourages private sector partners to remain vigilant, evaluate internal policies and continue to communicate with their consumers regarding account security protocols.” It goes on to make specific recommendations for businesses to share with their employees and customers, including:

    • Be suspicious of unsolicited email or social media contact from anyone you don’t know, especially if they ask you to open a link or an attached file.
    • Don’t click links within an email or text — period, case closed. Instead, manually navigate to the website that you wish to visit.
    • Scrutinize the spelling of web addresses, websites and email addresses that look trustworthy but may be imitations of legitimate versions.
    • Use strong unique passwords, with different passwords for every account.
    • Don’t store important documents or information, such as digital currency private keys, anything containing your Social Security number, or photocopies of a driver’s license, in your email account.
    • When possible, create unique usernames for online accounts — don’t use your primary email address.
    • Enable 2FA options to secure online accounts but use something other than your main email as the second factor, such as “a phone number, software-based authenticator programs/apps, USB security key or a separate email account (with a unique password that does not link to other consumer accounts).”

    The FBI encourages anyone, or any organization, that believes they have fallen victim to brand impersonation to contact local law enforcement or their local FBI field office. In addition, they say to immediately report the activity to the FBI’s Internet Crime Complaint Center.

    The Bottom Line

    It’s getting harder and harder to protect your brand against online impersonation, or to secure your organization against business email compromise, ransomware and other cybercrime that uses brand impersonation to break into the corporate network. Cyber resilience increasingly requires strong cybersecurity technologies such as secure email gateways, ongoing security awareness training, brand exploit monitoring services — and constant vigilance. 
     

    [1] “Cyber Criminals Likely Developing and Selling Scamming Tools to Harvest Credentials of Brand-Name Consumers,” FBI
