KnowBe4 warns of phishing campaign using fake surveys
Fri, 22nd May 2026
KnowBe4 has published research on a global phishing campaign designed to steal credit card and personal data through fake survey reward offers. The operation uses hundreds of newly registered domains to avoid email security filters.
The campaign imitates well-known brands across retail, logistics, travel, financial services and healthcare. Its emails promise expensive items such as smartphones, smartwatches and headphones in exchange for completing a customer survey. Rather than asking for account credentials up front, the attackers lead recipients through several steps before requesting a small delivery payment that collects card details and other information.
The research says the operation targets both organisations and individual consumers worldwide. The emails can bypass secure email gateways by relying on rapid domain rotation, with attackers registering large numbers of low-cost domains each day and abandoning them within 48 hours.
How it works
The approach uses a longer scam funnel than many phishing campaigns. Users first see 10 to 15 survey questions that appear legitimate, creating the impression that they have earned a reward. They are then shown fake comment sections designed to resemble social media posts from other supposed winners.
The final step is a request for a modest shipping charge, typically between US$5 and US$10. Once a victim enters card details and personally identifiable information on the payment page, the data is sent to infrastructure controlled by the attackers, according to the researchers.
The campaign also cycles through brand identities to improve its hit rate. The attackers use near-identical copies of official landing pages and rotate through brands drawn from several sectors, so that most recipients will recognise at least one of them regardless of where they shop or which services they use.
Brands cited in the research include Costco, Kroger, Harbor Freight, Tractor Supply Co., Sam's Club and Dick's Sporting Goods in retail; Marriott and AAA in travel and motoring; FedEx in logistics; and EquityFirst Financial and BlueCross BlueShield in financial and health services.
Short-lived domains
A central feature of the campaign is what researchers described as a churn-and-burn domain strategy. By using newly registered domains with very short lifespans, the attackers can stay ahead of blocklists that depend on known malicious web addresses.
The report also points to heavy use of low-cost top-level domains. Combined with high-fidelity page design and social engineering tactics such as countdown timers and limited-stock claims, that infrastructure helps the campaign appear convincing while remaining difficult to disrupt quickly.
The techniques identified by KnowBe4 map to established phishing and infrastructure acquisition methods in the MITRE ATT&CK framework. The researchers linked the activity to domain acquisition for hosting phishing kits, high-volume phishing links sent by email, and information theft through staged forms that collect personal and financial data.
Broader trend
The findings underscore a broader shift in phishing operations from straightforward password theft to more elaborate, consumer-style journeys that build trust over time. Rather than relying on a single deceptive prompt, attackers are using repeated interactions and small commitments to make the final payment request seem plausible.
That structure also broadens the pool of potential victims. Users who would ignore a direct request for login credentials may be more willing to complete a survey for a recognised brand and pay a small fee if the process appears consistent with a promotional giveaway.
One defensive measure, according to KnowBe4, is to block or flag newly registered domains less than 30 days old via DNS filtering. It also advises users to treat any request for payment details linked to a free reward with suspicion, particularly when the offer arrives in an unsolicited email.
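As an added example that is not part of KnowBe4's report or tooling, the following Python sketch applies that 30-day rule to RDAP domain records and turns the decisions into Response Policy Zone (RPZ) records a resolver such as BIND or Unbound can load to answer NXDOMAIN for the flagged names. The RDAP documents and domain names are constructed samples, not real registry responses, and using the article's publication date as "now" is an assumption made so the output is reproducible. Domains whose registration date is missing or unparsable are flagged rather than allowed, since a record that has not settled is itself consistent with a domain that will be gone in 48 hours.

```python
"""Triage domains by registration age and emit DNS RPZ blocking records.

Added example: not KnowBe4's code or data. It implements the control the
article describes (treat domains registered fewer than 30 days ago as
suspect) against RDAP domain objects; the RDAP documents below are
constructed samples, not real registry responses.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30

# Constructed sample RDAP domain objects (RFC 9083 shape), keyed by domain.
# Real ones come from a registry RDAP server, e.g. https://rdap.org/domain/<name>.
SAMPLE_RDAP = {
    "survey-reward-example.top": {  # churn-and-burn style: two days old
        "ldhName": "survey-reward-example.top",
        "events": [{"eventAction": "registration", "eventDate": "2026-05-20T14:03:00Z"}],
    },
    "long-established.example": {  # decades old: should pass
        "ldhName": "long-established.example",
        "events": [
            {"eventAction": "registration", "eventDate": "1998-03-11T00:00:00Z"},
            {"eventAction": "last changed", "eventDate": "2025-01-02T09:15:00Z"},
        ],
    },
    "no-events.example": {  # registry published no registration event
        "ldhName": "no-events.example",
        "events": [],
    },
    "bad-date.example": {  # unparsable timestamp
        "ldhName": "bad-date.example",
        "events": [{"eventAction": "registration", "eventDate": "not-a-date"}],
    },
}

# Assumption: the article's publication date stands in for "now" so the
# sample output is reproducible.
NOW = datetime(2026, 5, 22, tzinfo=timezone.utc)


def registration_time(rdap):
    """Return the RDAP 'registration' event as an aware datetime, or None if
    it is absent or unparsable."""
    for event in rdap.get("events", []):
        if event.get("eventAction") != "registration":
            continue
        raw = str(event.get("eventDate", ""))
        try:
            # RDAP timestamps are RFC 3339; Python before 3.11 rejects a trailing 'Z'.
            ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            return None
        if ts.tzinfo is None:  # treat a bare timestamp as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        return ts
    return None


def is_newly_registered(rdap, now=NOW, max_age_days=MAX_AGE_DAYS):
    """True when the domain is younger than max_age_days. Missing or broken
    registration data fails closed (flagged): with 48-hour domain lifetimes,
    a registry record that has not settled yet is itself a signal."""
    registered = registration_time(rdap)
    if registered is None:
        return True
    return now - registered < timedelta(days=max_age_days)


def triage(rdap_docs, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Map each domain name to a flagged (True) / allowed (False) decision."""
    return {name: is_newly_registered(doc, now, max_age_days)
            for name, doc in rdap_docs.items()}


def rpz_records(flagged_domains):
    """RPZ records that make a resolver answer NXDOMAIN for each flagged
    domain and all of its subdomains (the 'CNAME .' RPZ action)."""
    lines = []
    for name in sorted(flagged_domains):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    decisions = triage(SAMPLE_RDAP)
    for name, flagged in decisions.items():
        print(f"{'BLOCK' if flagged else 'allow'}  {name}")
    print("\n".join(rpz_records([n for n, f in decisions.items() if f])))
```

The check is deliberately strict on the boundary: a domain registered exactly 30 days before `now` is allowed, anything younger is blocked. In production the RDAP lookups would be cached and rate-limited, and the generated zone loaded alongside any vendor newly-registered-domain feed rather than replacing it.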
The company argues that organisations need to train staff to recognise broader social engineering patterns rather than focus only on conventional phishing emails. According to the research, the campaign shows how attackers now combine brand impersonation, scarcity tactics, fake social proof and short-lived infrastructure to harvest financial data at scale.
The report describes the result in stark terms, saying attackers are harvesting high-value personally identifiable information and financial data from unsuspecting users on an unprecedented scale.