Most of us have received a scam email at some point in our lives. Usually, these are phishing attacks in which scammers will pose as a well-known, reputable brand and try to solicit personal details, credentials or financial transactions from victims.

Without malware attachments, these can often slip through a company’s cyber defences. According to the FBI, this is costing businesses $12.5 per year in losses.

In its Quarterly Threat Report, cybersecurity company Agari found that 54% of advanced email attacks use a brand’s name to deceive.

“Display name deception continues to be the most common technique used with business email compromise (BEC) attacks,” Agari’s vice president of product marketing Seth Knox told Verdict.

“The thing that’s new in this report is how prominent the use of brands in the display name attacks are, as opposed to individual names.

“I think people, when they look at BEC attacks, think of the common one, which is CEO to CFO wire fraud type scams. But what we’re seeing is an increase in the use of brand names.”

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Some of these brands are being impersonated by scammers more than others. Based on Agari’s findings, here are the ten most common brands being impersonated by scammers that you should watch out for.


Topping the list of display name deception is Microsoft, with 35.87% of email scammers copying the technology company. This figure doubles to more than 70% when looking specifically at high-value exec targets.

Knox says that it is the companies diverse offerings that make it the most impersonated brand.

“One of the things about Microsoft is it’s not just one domain or brand,” he explained.

“Microsoft has a lot and we aggregated all of their properties into one company and brand,” says Knox.

That includes services such as Office 365, Hotmail, Outlook and OneDrive. File sharing platforms such as OneDrive are a particularly popular means of attack against business employees.

“They [scammers] pretend to be a business partner or their lawyer, then do a display name deception that looks like a One Drive file.

“Because they have so many brands and so many things are used to interacting with, they [Microsoft] become a target.”


Closely following Microsoft is Amazon, at 26.79%. Similar to Microsoft, the score reflects the amalgamation of all of Amazon’s services.

For enterprises, an Amazon scam could be particularly dangerous if the scam gained access to Amazon’s cloud platform, Amazon Web Service.

“If someone gets access to your credentials to Amazon Web Services they can take down your business and do lots of damage and take lots of money,” says Knox.

In addition to this there’s Amazon Prime and shipping notifications for Amazon products that can snare victims.

“Amazon has got a wide variety of different, plausible cons that you could run off of their brand that are both business to consumer and business to business,” says Knox.

Bank of America

Financial institutions are often targets. Bank of America is the second largest bank in the US by assets, but again it’s the diverse financial service, making it an easy choice for scammers.

“Banks are obviously a target,” says Knox.

This gives scammers a smorgasbord of financial frauds to choose to imitate: mortgage, credit card, current accounts and wire transfer.


Chase, the commercial banking arm of JP Morgan, is a target for the same reasons as Bank of America.

“It’s a very large and diversified financial services institution,” says Knox.

This means that they have lots of financial services that can be imitated through display name deception.


With Dropbox being the most used file sharing platform, it’s not surprising to see it in the top half. When it comes to executive levels, however, Dropbox jumps to second place – but is still a distant second to Microsoft.

“It’s very common [for scammers] to use file sharing services, DropBox in particular, because you might get a lot of files shared to you from people outside of your company,” says Knox. “So it’s very easy to impersonate that in an attack and get somebody to click on a link.”

In May last year Google fell victim to such an attack. An email claiming to be from Google Docs was sent to about a million users. It contained a link that risked giving hackers access to their account – but fortunately Google thwarted the attack within “approximately one hour”.


The electronic signature service is a popular business tool and is a “particularly dangerous” brand used by scammers.

“It’s very common for the people who are highly targeted, like CFOs, to get DocuSign,” explains Knox.

“What happens is you get an email to approve something via DocuSign and you’re supposed to click on the button. Someone can fake that email and fake the display name and someone’s very likely to click on that.

“They’re [the CFO] also likely to do things like input bank account numbers or provide sensitive information through a DocuSign account.”

DocuSign is also widely used during real estate transactions, with many scams targeting people in that area.

Read more: Homeless homebuyer: The cyberattack taking people’s life savings


All of the shipping companies are prone to be impersonated by scammers, but UPS tops the list – possibly because it operates at a larger volume.

“People will send a confirmation or a tracking number link and get people to click on the link and ask for various passwords or information,” says Knox.


Netflix is a surprising addition to the top ten. Because the video streaming service is a commercial offering rather than enterprise, it’s likely to be part of a broader net cast by scammers that targets business and consumer email addresses alike.

“I think some of these would be more likely to be used in a broad attack where they send out thousands of messages, so Netflix would probably fall under that category,” says Knox.


The Internal Revenue Service is a popular target for impersonation for both businesses and consumers.

“In the US there’s a surge of those in January because that’s when W2 statements are sent out,” says Knox. “Then there’s another surge during the filing period when people might try and scam you out of refunds, so they might do something to get the information they need to file your taxes in advance and get the refund.

“W2 are very common corporate attacks because they’ll try to get a HR person to send you the W2s of everybody in the company.”

This gives scammers access to all of the employees’ social security numbers and all the information they need to steal their identities, as well as steal their tax refund.

How to combat display name deception

It is worth pointing out that display name deception is something that the brands themselves can’t control. However, using Domain-based Message Authentication and Conformance (DAMRC) gives brands the ability to recognise when an email isn’t coming from the brand’s approved domains.

“When the email platform, such as Office 365 or Gmail or Yahoo get an email, they check against a list of authorised servers that can send email on behalf of that brand,” explains Knox.

“So, they are basically checking the authorised list of people who are allowed to send as Microsoft or Bank of America or Amazon. If it isn’t on that list, then they take an action.

“And that action can be to block it and throw that email away, it could be to put it in the spam folder. The blocking is called p=reject. And then there’s quarantine, which means it goes into the spam folder.

“And then there’s none, which gives them an alert but it still gets delivered to the end user.”

All of the above brands are at the highest level of protection, while Amazon is at the middle level, says Knox.

And the reason why hackers can use display name deception?

Because “when email was created, nobody thought of someone pretending to be someone else,” says Knox. “They didn’t build in authentication of the person who sent it.”

Read more: Spotting and avoiding phishing scams so you don’t get hooked