Brand Impersonation Phishing Attacks up in 2023

Max Harper
13.09.23 12:48 PM Comment(s)

*Click here to add to basket 🛒*
Brand impersonation attacks are on the rise in 2023.

Why are brand impersonation attacks so effective?

Everyone loves a discount! Particularly during a cost of living crisis, this makes people more likely to click on the fraudulent offers they receive via email.

Let's take a look at a trending example...

1. Shein-discount-phishing-email-blur-600px
Shein is reported to be the largest online-only fashion retailer in the world, with a valuation of $100bn. As a result, it's a highly popular household name with a significant audience. Like every retail brand, customers are going to be no stranger to receiving regular marketing emails, designed to engage customers and increase sales.

This particular phishing attack includes use of a look-a-like email domain and websites, with the aim of stealing people's log-in credentials and payment details, and taking fraudulent payments.

Spear Shield partner's Egress, Threat Intelligence team has detected a 128% increase in Shein brand impersonation emails since 1st January 2023, compared with November 2022.

How is the phish constructed?

Sent from a spoofed domain that impersonates Shein, such as 'shien', instead of 'shein'. Also, sent from unclaimed domains such as 

Despite the use of spoofed domains, the emails passed DMARC authentication. They were also sent via legitimate third-party mailing platforms (such as Salesforce and Mailchimp).

The email design itself, is an exact replica of a Marketing email that Deal Town, an online archive of email newsletters, records as being sent on 17th June 2022. It's likely the cyber criminals used the existing email as their template when creating the attack to add credibility, but even included the incorrect spelling and grammar you can see in the image 'Have we meet?'. 

"There's a phish for everyone..."

Image 23-02-2023 at 13.53

was the second most impersonated brand in 2022, representing 13% of all phishing pages according to csoonline

As more and more organisations continue to adopt Microsoft 365, users are new to to some of the emails they're receiving, and could be lured into a false sense of security...

and Adobe, were other highly-impersonated   brands but Facebook takes the claim as the number   1 impersonated brand in 2022.

Detecting brand impersonation attacks

 As you can see in these examples, it can be   incredibly difficult for the average user to detect   sophisticated impersonation attacks. If there's any   doubt about the legitimacy of an email where there's e.g a promo code, it's possible to navigate to the real website via your browse or search engine and enter the code there.

Techniques used to increase deliverability

Cyber criminals use a combination of techniques to improve deliverability, making it more likely that these kind of emails will be sent to your user's inbox, rather than quarantined by a SEG or sent to the Junk folder by Microsoft.

Even though most are using lookalike domains, if an email passes DMARC authentication, it makes it much more difficult for signature-based anti-phishing technologies (like secure email gateways (SEGs) to be able to detect them.

Finally, the use of legitimate mailing platforms (e.g Salesforce and Mailchimp) to send these attacks increases their deliverability rate, making it less likely they'll be filtered out by spam filters or signature-based detection.

How can i mitigate risk of phishing and help support my users?

Our recommendation here at Spear Shield is combining security awareness and training with real-time teachable moments at the point of risk.

Transformative and engaging training content has its place, but it's an activity, not an outcome. This needs to be combined with interventions or nudges when they're most needed - when people are carrying out risky actions in real-time. 


You may have noticed the dynamic HTML banners injected into into each of the emails in the screenshots - 'This email shows strong signs of phishing' these are what we refer to as 'real-time teachable moments'.

Examples on the inbound:

✔️ Dynamic HTML banners offering users warnings about potential phishing attacks. No more CAUTION: External Email this could be dangerous - appearing on EVERY single email they receive.

Examples on the outbound:

✔️ Intelligent,
dynamic DLP prompt to alert the user that they're about to respond to a dangerous email or a warning message if they're about to send the wrong address, attach an incorrect file, or use an inappropriate level of encryption.

These teachable moments are designed to not only stop breaches in the moment, but also to educate your users in real-time as to why an action has been flagged, reinforcing Security Awareness & Training, and boosting the ROI of training efforts.

With the combined approach, our customers benefit from being able to genuinely understand their risk on a per person basis, rather than at an organisational level only.

Interested to learn how Spear Shield and their customers are able to detect and respond to sophisticated phishing attacks like brand impersonation attempts that are able to slip through the net? 

Spear Shield are currently running a FREE Email security assessment that can help you identify:

  • Total number of Dangerous and Suspicious emails detected landing into employees inboxes throughout the engagement
  • Insight into the top types of phishing emails your organisation is receiving
  • Insight into the top types of payloads being used in the phishing emails your organisation is receiving
  • Insight into your Supply Chain Health (DMARC status of inbound emails)
  • Insight if there are live phishing attacks sat in employees inboxes that can be remediated together
  • Phishing Simulation results (with and without an ICES solution implemented)
  • Previous caught user analysis breakdown
  • Insight into how many users were stopped in their tracks at the link advisory page
  • Insight into the reporting heroes in your organisation
  • Insight into what device type your employees are engaging business emails on. (mobile, PC, both)
  • Consultative recommendations for security best practice

If you'd like to learn more, you can visit or contact the team today:

01473 948980

About Spear Shield

Here at Spear Shield, we are continuing to invest in our goal to create one of the most cyber-secure client communities in Suffolk, East Anglia and across the UK.

Our approach is to work closely with IT teams and business leaders to help identify cyber risk, understand core business drivers and challenge the conventional approaches to legacy cybersecurity strategies to enable our customers to exceed their cybersecurity goals.

Spear Shield has a portfolio of award-winning cybersecurity solutions and services that we align to enable our customers to be able to solve even the most complex and advanced cybersecurity challenges.

The team at Spear Shield specialises in:
- Mitigating the risk of social engineering attacks and human-activated cyber risk
- Real-time asset discovery, device security and compliance
- 24/7 Managed Threat Hunting and proactive Incident Response

If you would like to learn why organisations are choosing to secure with Spear Shield, please do contact a member of the team to arrange a confidential conversation today.

The team has several year's experience working within both the private and public sector, have a very consultative approach and would welcome the opportunity to learn more about your organisation.

Max Harper