Verizon customers are being targeted by a phishing campaign which researchers described as having a sophisticated, mobile-first approach that optimizes its phoney sites for mobile devices and demonstrating awareness of Verizon infrastructure.

Lookout researchers discovered the attack in late November 2018 and said activity has since intensified in March, when three waves of attacks were recorded in two consecutive days, according to an April 1, 2019, blog post.

Researchers noted the  threat actors use of the abbreviation ‘ecrm,’ which Verizon uses as a sub-domain for its electronic customer relationship management platform.

“This shows that the attackers did their research. For example, the first set of domains include ‘ecrm’. The phisher is attempting to spoof: “ecrm.verizonwireless[.]com,” researchers said in the post. Researchers noted all of the domains in the phishing kit included the identifier and the Verizon name.

“Cybercriminals clearly did their homework when designing this campaign,” Corin Imai, senior security advisor at DomainTools, told SC Media. “They not only registered a large number of spoofed domains that could easily trick even the most attentive users, but they also adopted a very common social engineering technique: that of creating a sense of urgency by including a call of action in their message.”

Imai noted the messages contained information that there has been a change in the victim’s payment schedule, ensuring the instinctive reaction to click on the link for more information.

Verizon warned its customers about the scam, noting it will never ask for personal or account information via email and instructed users to delete any suspicious mail while providing examples of previous scams.