A brand-phishing email is designed to impersonate the official websites of prominent brands – such as those within the technology, banking, shipping, and retail industries. The purpose is to trick consumers into revealing sensitive personal account information. The email will contain malicious code that will redirect to a fake website (scampage) that requires consumers to login to verify information. Links to these scampages are sent through emails, text messages, or via web and mobile applications and may spoof the identity or online address to resemble the genuine site. The scampages may then use login forms or malware to steal users’ credentials, payment details, or other personally identifiable information (PII).
- Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
- When receiving account alerts, rather than clicking a link within an email or text, opt to navigate to the website using the secure URL to review any logs, messages, or notices.
- Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, to include the username and/or domain names/addresses (i.e., capital “I” vs small “L”, etc.).
- Use strong unique passwords, and do not re-use the same password across multiple accounts.
- Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
- Enable 2FA and/or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
- When possible, do not use your primary email address for logins on Websites. Create a unique username not associated with your primary email address.