Microsoft's The Top Brand Scammers Use When Phishing For Clicks, Study Shows
Nearly as soon as the web was born, scammers were using it to con people out of their money. From foreign princes who need your help to reclaim their family fortunes to chain emails with embedded ransomware, there's no shortage of schemes deployed by those unscrupulous fraudsters. But one of the most tried and true is the Microsoft support scam, and new research conducted by a cybersecurity firm attests to its popularity.
Phishing scams that leverage brand recognition come in a few forms. In some cases, the attacker will try to trick users with low tech literacy on the phone, convincing them to grant remote access under the pretext of official tech support. In other cases, a link in a phishing email will lead to a fake website that steals personal information, including credit cards. Scammers take advantage of the trust their victims may have in the brand being impersonated. New cybersecurity research shows that Microsoft is the brand most impersonated by scammers. To keep yourself safe online, it's crucial to know the difference between official communications from the tech company and messages from scammers trying to breach your accounts.
Microsoft and Windows are familiar, trusted brands, making them targets for scams
According to research conducted by human risk management platform Hoxhunt, Microsoft beats out other companies in an undesirable metric. It's the company most commonly impersonated by scammers, with DocuSign and generic HR communications rounding out the top three. Microsoft has issued phishing warnings related to Office 365, among other schemes. Phishing refers to the act of using deceptive tactics to extract personally identifying or financial information from a victim. Hoxhunt notes that Microsoft scams use scare tactics to convince victims that their account is in jeopardy unless the scammer's instructions are followed, hoping they'll click a malicious link or compromise their account by handing over a two-factor authentication code.
Microsoft scammers are essentially digital con men. Because Microsoft is one of the most widely known brand names in the world, and because Windows is the de facto operating system for over a billion active users, scammers can exploit that name recognition. Regardless of your personal opinion of the company and its software, many average users see it as trustworthy. That means their guard is lowered when they see what claims to be legitimate communication regarding their Microsoft account, making them more likely to click a link and fall victim.
The company behind this report is a risk management firm that helps workplaces train employees to better defend themselves against cyberattacks, so these reports are a form of marketing. Nonetheless, the information is valuable. Like the majority of scams, Microsoft impersonators hack people, not computer systems. Why battle your way through layers of security when you can convince an account owner to give you access? That's why it's essential to recognize the signs of a phishing attempt so you can steer clear.
How to protect yourself from Microsoft impersonation scams
If you ever receive an email claiming to be from Microsoft (or Google, or another service with which you have an account), check the sender's email address. The address on a legitimate communication will end with the company's domain (e.g., microsoft.com). Even if the domain is legitimate, make sure the links are, too, by checking where they lead before you click (most browsers show the destination of an embedded link when you hover your mouse over it). If you receive communications about your account status and aren't sure if they're above board, try logging into the account in question through the website rather than following a link.
Most suspicious of all is unsolicited support from someone claiming to work for Microsoft. Think about how difficult it can be to get human support from big tech companies at the best of times. Proactive offers to help you with a computer issue are far more likely to be scams than they are to be altruistic efforts from a tech giant. If you believe you have a problem with your Windows computer, reach out to Microsoft directly through its website or the Get Help app on your PC. Microsoft does have live technicians who can remotely access your computer, but they will do so using built-in tools already installed on your Windows 11 PC. Hackers may try to breach your account by requesting a two-factor authentication code. Never give a 2FA code to anyone.
Some other methods of phishing are pop-ups on websites or spam notifications on Chrome. Never click on anything that looks designed to scare you into action, especially if it comes through an unrelated website or app. Along with aggressive requests for financial or identifying information, those are all signs you're on a scam website.