Spoofing brands is an effective way for phishers to get into the inbox and to convince end-users to click.

For large companies, being spoofed is part of the territory.

Starting in January 2022, Avanan has seen an increase in hackers spoofing Walgreens. The attack claims a potential reward if the end-user offers the company feedback. Instead, the end-user will be redirected to a phishing page. In this attack brief, Avanan will discuss how scammers are spoofing Walgreens to steal credentials and other data.


In this attack, hackers spoofed Walgreens by sending a link to a survey, with the promise of a reward. Instead, users will be redirected to a credential harvesting page. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Impersonation, Credential Harvesting
  • Target: Any end-user



In this attack, hackers are spoofing Walgreens to steal credentials. This is an effective way for phishers to get what they’re looking for. Credential harvesting, according to our research, makes up 54% of all attacks. Impersonation attacks are also effective because they can target anybody. Trusted brands are an efficient way to do this. 

Email Example #1

In this email, a notice asking the end-user to provide Walgreens with feedback is sent. A promise of a $50 Walgreens gift card is also dangled. When clicking on the link, however, the victim is sent to a credential harvesting page.


This “reward” does not come from a Walgreens address. 


In this email attack, hackers have impersonated a popular brand to send credential harvesting attacks. 

By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to getting notifications from their pharmacies. 

By using classic social engineering language, such as “Open Immediately”, the hackers are also hoping to induce the end-user to act under pressure. 

Since Walgreens holds prescriptions for a lot of people, it’s a brand that people may get plenty of emails. By adding urgency, it can trick an unsuspecting user into thinking it’s about a medication or a test result, especially since Walgreens carries out COVID-19 tests. 

However, there is an insignificant historical reputation with the sender; the “From” and “reply to” are different, and it links to a low-traffic site. All of those combine to create a suspicious email. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Remind users to check the sender address. In this case, the sender address is not from Walgreens
  • Encourage users to hover over any links to see the intended URL. This URL does not go to a Walgreens page
  • Remind end-users to be careful of messages from Walgreens that include surveys or potential rewards

Subscribe to Our Attack Briefs for More Research