Social media companies, particularly LinkedIn, are now the most impersonated brands in phishing campaigns, researchers at Check Point have found.

“Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups,” the researchers write. “So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of rankings. It represents a dramatic 44% uplift from the previous quarter, when LinkedIn was in fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has now fallen to second position and accounted for 14% of all phishing attempts during the quarter.”

Shipping companies are still in second place, with DHL and FedEx impersonation accounting for a significant portion of phishing attacks.

“Shipping is now the second most targeted category, with threat actors continuing to take advantage of the general rise in e-commerce by targeting consumers and shipping companies directly,” the researchers write. “DHL is second to LinkedIn, accounting for 14% of phishing attempts; FedEx has moved from seventh position to fifth, now accounting for 6% of all phishing attempts; and Maersk and AliExpress have entered the top ten list for the first time. Our report highlights one particular phishing strategy that used Maersk-branded emails to encourage the download of spoof transport documents, infecting workstations with malware.”

Attackers have also impersonated shipping giant Maersk with phishing emails that deliver the Agent Tesla malware.

“During the first quarter of 2022, we observed a malicious phishing email that used Maersk’s branding and was trying to download the Agent Tesla RAT (Remote Access Trojan) to the user’s machine,” the researchers write. “The email which was sent from a webmail address and spoofed to appear as if it was sent from ‘Maersk Notification (service@maersk[.]com)’, contained the subject, ‘Maersk : Verify Copy for Bill of Lading XXXXXXXXX ready for verification.’ The content asked to download an excel file ‘Transport-Document’, that would cause the system to be infected with Agent Tesla.”