Survey Scam Exploits Brand Trust to Steal Credit Cards at Scale
A new phishing campaign is quietly turning everyday “free reward” emails into a global data theft machine, according to fresh research from KnowBe4 Threat Labs. Security analysts say the operation blends high-volume email distribution with polished brand impersonation and behavioral psychology to extract credit card details and personal data from victims at scale.
The campaign revives a familiar lure. Users receive emails promising high-end prizes like smartphones or headphones in exchange for completing a short survey. But what looks like a simple marketing promotion is actually a multi-stage fraud funnel engineered to build trust before asking for payment details.
A Phishing Funnel Designed for Conversion
Unlike older phishing attacks that immediately prompt for passwords, this campaign slows the interaction down. Victims are guided through a sequence of steps that mirror legitimate customer feedback programs.
First comes a realistic survey experience. Users answer a series of questions about a brand they recognize. Then the interface shifts to a reward page featuring fake testimonials and comments designed to reinforce credibility. By the time users reach the final step, they are asked to pay a small shipping fee, typically under $10, to receive their prize.
That final transaction is where the attack succeeds. Payment details and personally identifiable information are captured and transmitted to attacker-controlled infrastructure in real time.
This technique reflects a broader shift in phishing strategy. Instead of relying purely on urgency or fear, attackers are investing in psychological engagement. Small actions create a sense of commitment, making victims more likely to follow through.
Trusted Brands Used as Bait
The campaign casts a wide net by impersonating well-known companies across multiple industries. Retailers, logistics providers, travel brands, and even healthcare organizations are all used as entry points.
Commonly spoofed brands include major retailers and services that users interact with regularly. This increases the likelihood that a target will recognize the name and engage with the message.
The approach is simple but effective. By rotating through different brands, attackers ensure that nearly every recipient sees something familiar.
Infrastructure Built for Evasion
What makes this operation particularly difficult to stop is its infrastructure strategy. Researchers observed the use of hundreds of newly registered domains that often remain active for less than 48 hours.
This “churn and burn” model allows attackers to stay ahead of traditional email security gateways and blocklists. By the time a domain is flagged, it has already been abandoned and replaced.
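One defensive consequence of that churn: a domain that is hours old will rarely be on any blocklist yet, so registration age and brand-lookalike hosting are a more useful triage signal than reputation alone. The Python below is an added illustration, not code from the article or from KnowBe4; its WHOIS-style registration table, brand list and URLs are constructed stand-ins for a real RDAP lookup and the organisation's own brand inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for a WHOIS/RDAP lookup (domain -> registration date).
# A real deployment would query RDAP or a domain-intelligence feed here.
REGISTRATION_DATES: Dict[str, date] = {
    "example-retailer.com": date(2009, 3, 14),
    "example-retailer-rewards.top": date(2025, 5, 3),
    "survey-prize-claim.xyz": date(2025, 5, 4),
    "example-courier.com": date(2004, 11, 2),
}
# Brand tokens worth protecting, mapped to their legitimate registrable domains.
PROTECTED_BRANDS: Dict[str, set] = {
    "example-retailer": {"example-retailer.com"},
    "example-courier": {"example-courier.com"},
}
TODAY = date(2025, 5, 5)  # fixed "now" so the example is reproducible offline
SAMPLE_URLS = [  # constructed links as they might appear in inbound mail
    "https://www.example-retailer.com/feedback",
    "https://example-retailer-rewards.top/survey/start",
    "https://example-retailer.survey-prize-claim.xyz/claim?fee=1",
    "https://example-courier.com/track",
]

@dataclass
class Finding:
    url: str
    domain: str
    age_days: Optional[int]
    reasons: List[str]

def registrable_domain(host: str) -> str:
    # Simplification: last two labels; production code should use a public-suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def assess_url(url: str, today: date, max_age_days: int = 7) -> Finding:
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    reasons: List[str] = []
    registered = REGISTRATION_DATES.get(domain)
    age = (today - registered).days if registered else None
    if age is None:
        reasons.append("no registration record")
    elif age <= max_age_days:
        reasons.append(f"registered {age} day(s) ago")
    for brand, legit in PROTECTED_BRANDS.items():
        # Brand name anywhere in the host but served from a domain the brand does not own.
        if brand in host and domain not in legit:
            reasons.append(f"lookalike of {brand}")
    return Finding(url, domain, age, reasons)

def triage(urls: List[str], today: date) -> List[Finding]:
    return [f for f in (assess_url(u, today) for u in urls) if f.reasons]
```

Running `triage(SAMPLE_URLS, TODAY)` flags only the two fresh lookalike domains, while the long-registered brand domains pass; the age threshold is the knob to tune against the dwell times observed in this campaign.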
The phishing pages themselves are also highly convincing. Attackers are deploying pixel-perfect replicas of legitimate websites, complete with modern design elements and responsive layouts that reduce suspicion.
Why This Campaign Matters Now
The scale and sophistication of this campaign point to a larger trend in cybercrime. Phishing is no longer just about tricking users into clicking a link. It is evolving into a full user journey optimized for conversion, similar to legitimate marketing funnels.
For organizations, this raises the stakes. Traditional security awareness training that focuses on spotting suspicious emails may not be enough when the interaction feels authentic from start to finish.
How Enterprises Can Respond
Security teams are being urged to adopt more proactive defenses.