Credential-Harvesting Campaign Impersonates Fashion Retailer Shein
A phishing campaign is impersonating fashion retailer Shein in an attempt to steal users’ credentials, according to researchers at Check Point.
“The email arrives with a tempting subject line: ‘Order Verification SHEIN’ – claiming to be from Shein customer service,” the researchers explain.
“But a closer look reveals a red flag – the sender’s email address doesn’t match Shein’s official one. The email excitedly announces you’ve received a mystery box from Shein. However, the included link won’t bring you a surprise gift; it leads to a fake website designed to steal your personal information (a credential harvesting site).
This phishing attempt is quite transparent. It preys on your excitement by claiming you’ve won a prize and uses the trusted brand name ‘Shein’ to gain your trust. However, a vigilant user can easily spot the scam: check the sender’s email address (it shouldn’t be random letters) and verify that any links lead to legitimate Shein webpages.”
Check Point notes that scammers can be expected to impersonate any popular brand, and observant users can recognize red flags associated with phishing a
“Just like other phishing attempts, scammers are trying to capitalize on popular brands and current trends to trick you,” the researchers write. “This time, they’re using Shein. There are several red flags that this email isn’t legitimate. First, there’s a strong sense of urgency surrounding the ‘mystery box’ offer, which is designed to create excitement and pressure you into clicking.
Another clue? The email address itself is a jumble of random letters, not a recognizable Shein address. You won’t find any Shein branding or logos in the email either. Finally, the link in the email won’t take you to an official Shein webpage, but to a fraudulent website designed to steal your information.”
Check Point offers the following recommendations to help users avoid falling for phishing attacks:
- “Make sure you don’t click on links from websites whose address isn’t the official one and check the email’s source
- “Check the address of the website and the sender’s name for spelling and punctuation errors on websites that look real
- “Ensure the email is free of spelling errors. Pay attention to the language in the email: are you expecting to be addressed in this language by your shipping company?”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Check Point has the story.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW