The most dangerous phishing attacks seem completely ordinary. If something hits our inbox, seemingly from a bank or online service we already use, we inherently trust it. The familiarity of the apparent sender suggests authenticity, with potentially disastrous consequences.
Phishing is, of course, a type of cyberattack where hackers deceive people into revealing sensitive information like passwords or credit card details. This is often done by impersonating a real source, perhaps through email.
We have all seen too many of these by now. An insistent email from Amazon urging us to update our login credentials. A message from a co-worker asking for login details because they forgot theirs. Canada Revenue Agency telling us our account is in arrears and letting us know we can conveniently pay it through Apple gift cards. There is no end to these scams on the internet.
We instantly ignore most of these because they are clearly fake, such as a message from a bank you have never frequented. If a message also lacks personalization, we can guess it is being sent indiscriminately to millions of people and is a fraud.
To overcome that lack of personalization, attackers may resort to spearphishing, which is targeted at a small group, or even a single individual. This can be very effective if carefully crafted, but it usually requires some knowledge of the individual or details about their environment or history. The more detail it contains, the more genuine it looks, and the more likely it is to snare the target.
Individualized, specific information can be gleaned through various search tactics, but a common one is to use public records that are easily accessible online. This includes registrations such as trademarks, and although this is not new, there has been an increase in sophisticated spearphishing attempts against trademark owners.
When a trademark is registered in Canada, as in most other countries, the registration is posted on the registry's website. In Canada, this is the Canadian Intellectual Property Office. Publication like this is necessary so other parties can search for potential conflicting trademarks and find owners. Accordingly, the name and address of the trademark owner will be available. Most of the time a phone number or email is not posted, but a simple web search can quickly find many of those details.
Most registrants are not experts in trademark procedures. All they might know is that they registered a trademark, they paid some fees, and that registrations have a limited term which will eventually require renewal. Attackers take advantage of all these factors and put together a spearphishing email designed to extract money from the victim.
For instance, we have seen an uptick in official-looking emails, allegedly from a trademark agent, warning that the recipient's registration is either up for renewal or is somehow in jeopardy. These look genuine. Here's a graphic from one that is making the rounds in 2024:
Pretty impressive, right? It says right there it is "Official", and they have a testimonial from the CEO of one of Canada's largest companies.
But... if you did not already know what he looks like, here is the real Galen G. Weston:
The first graphic was in an email warning the recipient that someone else has applied for a trademark which might infringe theirs, and the recipient should use the email sender's company to deal with this.
The attacker will try to strike up a relationship and get some money for a renewal, or to fight the infringement, or some other excuse to extract funds. It might go even further and seek bank account information, with terrible results for the victim.
Another type of spearphishing involving trademarks or patents is an official-looking email, or even snail mail, warning that the registration is about to expire, or that the "normal" annual maintenance fee is due. It is usually not an extreme amount, maybe a few hundred dollars, but it is fake.
Spearphishing attacks like this, especially with little-understood procedures like those in trademark and patent registrations, are dangerous because they look real. They also involve relatively small amounts, so less care is taken to verify the request.
There is not much you can do to avoid getting these messages in the first place. Your registration is in the public record, and anybody, good or bad, can search it. The protection you have is vigilance when you do get an email like this. The best approach, if you have questions, is to talk to the agent who acted for you in the original application. They will be able to instantly tell you if it is legitimate or not. If you are not using the original agent, contact another representative who can track down the information for you. We at Procido see these often and are happy to help with questions about a registration, whether we handled it initially or not.
Although most of us are used to spam and phishing attacks, attackers are always improving their methods and adding new techniques to take advantage of gaps in our knowledge, distractions or just the busyness of work life. Be careful with any messages, and if anything hits your desktop that looks suspicious, feel free to reach out to us.
Also, be sure to visit our booth at the National Franchise Expo at Saskatoon's Prairieland Park on October 5 and 6, 2024. Discover new franchise opportunities, learn from industry experts, and network with like-minded individuals. This exciting event brings together franchisors from a variety of industries, offering attendees the chance to explore businesses that are seeking franchisees.