Utilizing a spoofed sender address that closely resembles a legitimate email address, a threat actor hopes to trick targets into divulging private information.
Threat actors hope to deceive recipients into revealing sensitive information by leveraging mimicked branding and spoofed versions of familiar security mechanisms.
A cybercriminal claims regulatory changes have restricted the target’s Disney+ account access and urges them to update payment details using the provided link.
Cybercriminals exploit the urgency of a signature request to trick recipients into visiting a phishing site under the guise of reviewing a confidentiality agreement.
Using a spoofed email address, the threat actor sends a fake notification regarding employee benefits to compel the target to click on a phishing link.
Cybercriminals create a sense of urgency with a spoofed Regions Bank email, tricking recipients into divulging personal details through a phishing site.
Threat actor sends fraudulent file-sharing notification linked to cleverly disguised phishing website to deceive recipients into revealing confidential information.
Attackers use a spoofed email address and exploit the urgency of security issues with an Amazon account to deceive the recipient into providing sensitive information.
An attacker impersonates an internal HR department to manipulate employees into scanning a malicious QR code under the guise of viewing benefits information.
An attacker creates a sense of urgency by threatening email discontinuation and prompts the recipient to enter account information into a phishing page mimicking a legitimate login portal.
Attackers use a spoofed email to exploit the trust of Spotify users and direct them to a phishing site under the guise of updating payment information.
By posing as SiriusXM and offering a free 90-day subscription extension, an attacker hopes to convince the target to provide their credit card information.
An attacker attempts to steal sensitive information by impersonating AWS and encouraging the target to click a phishing link disguised as an application for an account credit.
A cybercriminal impersonates Craigslist and sends a likely AI-generated email regarding a payment failure to convince the target to provide payment details.
Attackers use an AI-generated email to exploit the trust of a known brand and direct recipients to a phishing site under the guise of enhancing account security.
In this likely AI-generated attack, a threat actor poses as a Meta representative and uses a link hosted on a legitimate domain as the first step in a phishing attempt.
Using a spoofed email address, a threat actor poses as the target company's HR team and manufactures a sense of urgency to manipulate the recipient into visiting a phishing page.
After compromising an email address, an attacker sends a fake document notification to fellow employees linked to a fake Microsoft login page hosted by Webflow designed to steal credentials.
After compromising a vendor’s email address, an attacker crafts a fake document notification linked to a fake Microsoft login page hosted by Webflow designed to steal credentials.
After compromising a legitimate email account, an attacker uses Canva to host a malicious redirect link before impersonating Microsoft to gain access to a target’s environment and install Malware.
Using the compromised account of a real attorney, an attacker emails the target regarding outstanding invoices with a link to a fake SharePoint landing page.
After spoofing one of Microsoft’s real no-reply emails, an attacker sends an identical imitation of a OneDrive notification regarding recently deleted files, urging the target to take action.
An attacker impersonates payment solutions provider Wirex using a convincing account verification email and branded phishing page to steal login credentials.
By mimicking Coinbase’s branding in both the email and landing page, an attacker attempts to create a sense of urgency around suspicious account activity and prompt immediate action from the target.
Leveraging a compromised external vendor account, an attacker sends a fake Docusign notification linked to a Google Sites page containing a phishing link to steal sensitive information.
An attacker attempts to trick a target into revealing sensitive information by using a compromised email account and a legitimate content-sharing platform.
A threat actor uses a fake message delivery failure notification and fabricated authentication processes to try to convince a target to reveal sensitive information.
After compromising a Constant Contact account, the attacker impersonates a law firm and sends a fake voicemail notification to attempt credential theft.
After registering a legitimate Microsoft-based email account, an attacker sends a fake Microsoft voicemail notification to deceive a target into entering sensitive information.
A threat actor exploits the reputation of an established domain to send an email with an embedded image of a fabricated file-sharing notification linked to a phishing page.
By crafting an email that resembles a voicemail notification from Microsoft, an attacker hopes the target will scan a malicious QR code that leads to a credential phishing website.
An attacker attempts credential theft via a PDF attachment with DocuSign branding containing a QR code linked to a phishing site impersonating a Microsoft login page.
An attacker capitalizes on the inherent urgency of tax season and attempts to trick a target into clicking a malicious JPG to view purported tax documents.
Using a legitimate sending domain as a mask and a spoofed display name, an attacker pretends to be from Capital One’s customer service team to steal login credentials.
An attacker poses as a bank representative and creates a sense of urgency regarding the target’s credit card to compel them to click an embedded phishing link.
A phisher uses a spoofed domain to send a malicious email that incorporates PayPal's branding and creates a sense of urgency around potential account closure.
By compromising a legitimate domain, an attacker hopes to entice the target to a credential phishing website where sensitive information like payment details can be stolen.
An attacker attempts to steal sensitive information by encouraging the recipient to use a masked phishing link to update their shipping address for a pending delivery.
By creating a sense of urgency and using official-sounding language, an attacker attempts to compel the target to click a phishing link purportedly related to payroll updates.
After compromising a known domain, the attacker creates a fake landing page that mimics OpenSea’s official website and leverages social engineering to create a sense of urgency and persuade the target to take action.
Using a real domain as a mask, an attacker sends an image attachment with a QR code to entice the target to follow the link to reauthenticate MFA on a fake landing page.
An attacker gets engagement from the target after discussing an RFQ and uses Microsoft survey forms to create a spoofed SharePoint link to appear legitimate.
After compromising a pro-manchester email account, a threat actor uses Monograph to host a malicious link that sends the target to a fake Microsoft login page.
By creating a sense of urgency around unauthorized account activity and using a display name that includes "Chase Bank," the attacker aims to compel the recipient to take action.
An attacker claims to be from PayPal investigating a fraudulent transaction and requests sensitive information from the target to complete a verification process.
Using a “two-bridge[.]com” domain as a mask, an attacker sends a credential phishing email disguised as an HR department update regarding approval of a new company handbook.
After compromising the email account of a Vanguard Cleaning Systems employee, an attacker creates a legitimate-looking PDF with a masked phishing link to steal credentials.
Using a legitimate Turkish domain, an attacker attempts credential theft by applying social engineering to convince a target their cryptocurrency wallet is at risk of suspension.
After compromising a Titan Worldwide domain, an attacker pastes previous conversations and a masked phishing link into an email in an attempt to steal sensitive information.
An attacker pretends to be from Medicare Australia and informs the recipient that their Medicare services have been suspended due to insufficient contact information.
An attacker uses a legitimate NHS domain and Microsoft SharePoint to trick a recipient into clicking on a masked phishing link and exposing sensitive information.
By creating a sense of urgency around unauthorized account access and using a sending domain that includes "Bank of America," the attacker aims to compel the recipient to take action.
By using a legitimate document-sending service, the attacker is counting on the recipient to engage with the attachment and expose sensitive information.
An attacker attempts credential theft by spoofing the USDA with an official-sounding message and a PDF attachment containing a QR code that leads to a phishing site.
An attacker pretends to be from Spotify’s customer support, inquiring about updating payment details, and creates a legitimate-looking fake Spotify login page where sensitive information can be stolen.
An attacker embeds a malicious link into an image file that looks like a Microsoft Office 365 password change alert and includes official-sounding written disclosures to increase credibility.
By leveraging a domain similar to official Robinhood communications, an attacker attempts to steal sensitive information by creating a sense of urgency.
An attacker gains control of a vacation resort’s customer service email address and attempts to steal sensitive information after informing the recipient of a refund.
An attacker likely uses generative AI to create a fake automated USPS message about incorrect address information, including links to a fake USPS landing page.
Using a cleverly disguised no-reply domain, an attacker poses as Apple customer support in an attempt to get billing details and other sensitive information.
Attackers disguise phishing email to VP at financial institution as notification that full storage capacity has been reached and emails will no longer be delivered.
Attackers pose as the internal support team at an online retailer and claim the recipient's email account has been queued for deactivation in an attempt to steal credentials or install malware.
This phishing attack impersonated a real estate agent using dotloop, a real estate transaction management software, to trick the recipient into visiting a phishing website.
This link-based attack impersonated the IRS using the pretext of sharing a secure ShareFile message that led to a phishing site designed to steal email credentials.
This phishing attack impersonated FedEx using a fake shipping notification pretext to direct a recipient to a captcha-protected phishing page created to steal personal and financial information using MFA bypass tactics.
This link-based attack incorporated a fake file attachment posing as shared tax documents that led to a phishing page meant to steal email credentials across multiple email providers.
This payload-based attack posed as a fake incoming ACH payment masked as an automated email from an internal company system, which contained an HTML attachment that led to a branded phishing page intended to steal the recipient’s credentials.
This link-based attack imitated a company human resources email that announced the release of a new employee handbook, which included a link to a phishing page meant to steal an employee’s name and email credentials.
This payload-based phishing attack posed as an announcement from the company human resources team about updates to the company’s employee benefits package and requested the recipient review a supposed updated handbook, which actually opened a phishing page to steal account credentials.
This attack impersonated a company CFO using a pretext of employee rewards and recognition to solicit a response leading to a request for Australian myGov credentials.
This payload-based attack posed as an aging report being shared by an automated internal system that contained an HTML attachment leading to a credential phishing page.
This payload-based attack contained a Office365-themed PDF attachment with an embedded link to a legitimate Adobe page, which included another link to a final credential phishing page.
This link-based attack exploited the compromised account of an external third-party to make it appear that a vendor was sharing a link to a document about new dues, when the link actually led to a OneDrive phishing page to steal credentials.
This payload-based credential phishing email employed bypass tactics, including a hidden sender address and obfuscated text, to pose as an invoice for employee training.
This payload-based credential phishing attack sent from a self-addressed spoofed email address posed as a security alert, indicating the user’s data had been accessed from a suspicious location and an HTML attachment needed to be reviewed or else their account would be locked.
This payload-based attack was sent to a company executive using a tax refund theme as a pretext to get them to open an HTML file attached to a blank email, which led to a company-branded credential phishing page.
This payload-based credential phishing attack targeted an executive with an email posing as financial documents shared via SharePoint and used foreign character substitution to bypass detection.
This payload-based credential phishing attack impersonated DocuSign and requested that recipients review employee payroll and retirement documents contained in an attached HTML file.
This attack impersonates the Australian Taxation Office with a payment transfer theme and asks the recipient to validate their identity by leading them to a phishing page contained within an HTML attachment.
Attackers send what appears to be an encrypted message, similar to what you might receive from your bank, to trick recipients into providing Microsoft 365 login information.
Attackers impersonate the company payroll department to send a wage update that takes users to a OneDrive phishing page and steals Microsoft 365 credentials.