A recent report from the cybersecurity firm Check Point has revealed that DHL was the most impersonated brand in phishing attacks in Q4 2021, overtaking Microsoft. Check Point’s data show that 23% of phishing emails impersonating brands in Q4 2021 spoofed DHL, up 9% from the previous quarter.
Microsoft is usually the brand most impersonated by cybercriminals due to its huge number of customers. In Q4, 20% of all brand impersonation attacks spoofed Microsoft, down from 29% in Q3. The rest of the top ten list consists of WhatsApp (11%), Google (10%), LinkedIn (8%), Amazon (4%), FedEx (3%), Roblox (3%), PayPal (2%), and Apple (2%).
Q4 includes two of the biggest online shopping days of the year – Black Friday and Cyber Monday – and with the pandemic prompting even more people to shop online, it is no surprise that so many phishing campaigns impersonated DHL, the global market leader in the logistics industry, operating in more than 220 countries and territories.
The phishing lures used in the campaigns included shipment notifications for fictitious packages, with links to spoofed websites that users are required to click to view tracking information. When the user lands on the website, they are required to verify their identity by providing sensitive information. Other lures include notifications about failed deliveries and packages stuck at customs. In one of the campaigns, the landing page was an almost carbon copy of the official DHL site, with the URL the only indication that the site was not what it seemed.
Another logistics firm was also extensively imitated in phishing attacks in Q4. It was the first time that FedEx had made the top ten list of the most spoofed brands in phishing attacks. Check Point identified one campaign impersonating FedEx that delivered SnakeKeylogger malware, with the emails coming from a spoofed support[@]fedex.com email address with a subject line of ‘Bill of Lading-PL/CI/BL-Documents arrival.’ The emails claimed a package could not be delivered due to an incorrect delivery address. The recipient was required to download a compressed RAR file containing an executable file that installed the keylogger if executed.
There was a marked increase in the number of phishing attacks spoofing WhatsApp, which jumped from 6th position in Q3 to 3rd in Q4.