
Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Medium
Published: Fri Sep 12 2025 (09/12/2025, 01:41:35 UTC)
Source: AlienVault OTX General

Description

In 2025, a significant surge in phishing attacks targeting major U.S. energy companies was observed. The campaign primarily focused on Chevron, ConocoPhillips, PBF Energy, and Phillips 66, utilizing sophisticated impersonation techniques. Attackers employed HTTrack-based cloning to replicate legitimate websites, creating over 1,465 phishing domains. The infrastructure was distributed across multiple hosting providers and countries to evade takedowns. Notably, Chevron faced the highest volume of impersonation attempts with 158 fake domains. The phishing sites combined credential harvesting with investment scam frameworks, enhancing their profitability. Many malicious domains showed low detection rates across security vendors, exposing gaps in current defense systems. The analysis highlights the need for improved threat intelligence integration and faster mitigation strategies in the energy sector.

AI-Powered Analysis

AI analysis last updated: 09/12/2025, 08:17:56 UTC

Technical Analysis

In 2025, a notable phishing campaign targeted major U.S. energy companies including Chevron, ConocoPhillips, PBF Energy, and Phillips 66. The attackers cloned the legitimate corporate websites with HTTrack, an open-source website copier, and served the copies from more than 1,465 phishing domains designed to pass as the real sites. HTTrack leaves recognisable traces in mirrored pages (by default a "Mirrored from ... by HTTrack Website Copier" HTML comment and an injected charset meta tag, plus links rewritten to relative paths), which gives defenders a fingerprint to hunt for.

The hosting infrastructure was spread across multiple providers and countries, which slows takedowns and lets the operators re-host quickly. Chevron was the most heavily impersonated brand, with 158 fake domains. The indicators listed below show the naming patterns in use: brand plus lure word (chevroncorpstocks.com, phillips66shop.com, wwwmyphillips66card.com), brand under an unrelated TLD (pbfenergy.cc, conocophillips.live), typos (conocophils.com) and an IDN homograph (xn--conocopillips-2z0g.com, which renders as conocopḥillips.com with a dotted h).

The phishing sites combined credential harvesting with investment-scam frameworks, aiming both to steal login information and to defraud victims through fraudulent investment schemes. Many of the domains had low detection rates across security vendors at the time of analysis, which points to gaps in anti-phishing coverage and threat intelligence sharing.

The pulse maps the activity to MITRE ATT&CK T1583.001 (Acquire Infrastructure: Domains), T1589.002 (Gather Victim Identity Information: Email Addresses) and T1204.001 (User Execution: Malicious Link); the credential-harvesting pages themselves correspond to T1566.002 (Phishing: Spearphishing Link) and T1598.003 (Phishing for Information: Spearphishing Link). The scale and sophistication of the campaign underscore the need for integrated threat intelligence, rapid detection, and coordinated mitigation within the energy sector to protect critical infrastructure and personnel from credential compromise and financial fraud.
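The following is an added example (not code from the OTX pulse or the hunt.io report) of the two checks the paragraph above implies: look for the traces HTTrack leaves in a mirrored page, and find forms that collect a password and post it somewhere other than the site the page was copied from. The sample page and the hostnames in it (example-energy.com, example-scam.net, example-energy-investors.live) are constructed for the demonstration; only the HTTrack comment format is real.

```python
"""Fingerprint an HTTrack-cloned page and locate credential-harvesting forms.

Added example for this page; not code from the OTX pulse or the hunt.io report.
SAMPLE_HTML, SAMPLE_URL and every hostname in them are constructed.
"""
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlparse

# HTTrack writes this comment into mirrored HTML by default, e.g.
# <!-- Mirrored from www.site.tld/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Sep 2025 10:15:22 GMT -->
MIRROR_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by HTTrack Website Copier/(?P<version>\S+)"
    r"(?:\s*\[[^\]]*\])?,?\s*(?P<when>[^>]*?)\s*-->",
    re.I,
)
# HTTrack also injects a charset <meta> wrapped in these markers.
ADDED_RE = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.I)
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form>", re.I | re.S)
ACTION_RE = re.compile(r"""\baction\s*=\s*["']?(?P<action>[^"'\s>]+)""", re.I)
PASSWORD_RE = re.compile(r"""type\s*=\s*["']?password""", re.I)


def httrack_fingerprint(html: str) -> Optional[Dict[str, object]]:
    """Return what HTTrack recorded about the mirror, or None if no trace is present."""
    mirrored = MIRROR_RE.search(html)
    added_meta = ADDED_RE.search(html) is not None
    if mirrored is None and not added_meta:
        return None
    return {
        "origin": mirrored["origin"] if mirrored else None,      # site the copy was taken from
        "version": mirrored["version"] if mirrored else None,    # HTTrack version string
        "mirrored_at": mirrored["when"] if mirrored else None,   # when the copy was made
        "added_meta": added_meta,
    }


def credential_forms(html: str, page_url: str) -> List[Dict[str, Optional[str]]]:
    """Forms that contain a password field, with their action resolved against page_url."""
    found = []
    for form in FORM_RE.finditer(html):
        if not PASSWORD_RE.search(form["body"]):
            continue
        action = ACTION_RE.search(form["attrs"])
        target = urljoin(page_url, action["action"]) if action else page_url
        found.append({"action": target, "host": urlparse(target).hostname})
    return found


def assess(html: str, page_url: str) -> Dict[str, object]:
    """Combine both signals into one verdict for a fetched page."""
    fingerprint = httrack_fingerprint(html)
    origin = fingerprint["origin"] if fingerprint else None
    origin_host = urlparse("//" + str(origin)).hostname if origin else None
    # A password form that does not post back to the mirrored brand's own host is harvesting.
    harvesting = [f for f in credential_forms(html, page_url) if f["host"] != origin_host]
    if fingerprint and harvesting:
        verdict = "httrack-clone-with-credential-form"
    elif fingerprint:
        verdict = "httrack-clone"
    elif harvesting:
        verdict = "password-form-no-clone-trace"
    else:
        verdict = "no-clone-indicators"
    return {"verdict": verdict, "impersonated_host": origin_host,
            "fingerprint": fingerprint, "credential_forms": harvesting}


# Constructed sample: a mirrored investor page with an injected login form.
SAMPLE_URL = "http://example-energy-investors.live/app/index.html"
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en"><!-- Mirrored from www.example-energy.com/investors/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Sep 2025 10:15:22 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
<head><title>Investor Login</title></head>
<body>
<form id="login" method="post" action="https://panel.example-scam.net/app/login.php">
  <input name="email"><input name="password" type="password">
</form>
<form action="search.html"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_HTML, SAMPLE_URL), indent=2))
```

Run the script over pages fetched from newly registered lookalike domains; a hit on the mirror comment alone is already a strong signal, and the recorded origin tells you which brand is being impersonated without guessing from the domain name.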

Potential Impact

For European organizations, especially those in the energy sector or with business ties to U.S. energy firms, this phishing wave poses a significant risk. Credential harvesting can lead to unauthorized access to corporate networks, potentially exposing sensitive operational data or enabling further lateral movement within critical infrastructure environments. The combination with investment scams also threatens employees and stakeholders financially, potentially undermining trust and causing reputational damage. Given the distributed hosting and low detection rates, European companies may face challenges in timely identifying and blocking these phishing domains. Additionally, if European energy firms use similar branding or have partnerships with the targeted U.S. companies, they may become collateral targets or face spillover effects. The campaign’s scale and sophistication could also inspire similar attacks targeting European energy companies, increasing the overall threat landscape in the region.

Mitigation Recommendations

European organizations should implement multi-layered anti-phishing defenses beyond standard email filtering. Deploy domain monitoring that watches new registrations and certificate transparency logs for brand names, brand-plus-lure-word combinations, typos and punycode (xn--) homographs, and feed the hits to a takedown process; complement it with threat intelligence feeds that specifically track energy sector phishing campaigns. User awareness training should be tailored to recognise cloned websites and investment scam lures. Enforce multi-factor authentication and prefer phishing-resistant methods (FIDO2/WebAuthn) where possible, since one-time codes typed into a cloned login page can be relayed by the attacker. Conduct regular phishing simulation exercises to test employee readiness. Collaboration with industry information sharing and analysis centres (ISACs), such as the European Energy ISAC, improves intelligence sharing and coordinated response. Network defenders should monitor for indicators of compromise related to credential harvesting and investment scam activity, including unusual login patterns or financial transactions. Finally, legal and takedown teams should be prepared to act swiftly against malicious domains hosted across multiple jurisdictions.
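As an added example of the domain-monitoring step (not code from the pulse or the hunt.io report), the following Python triages candidate domains against a brand watch-list: it decodes punycode labels, folds diacritics so a homograph compares equal to the brand, and then flags exact brand matches on foreign TLDs, brand-plus-lure-word names and close typos. The candidates are taken from this page's IoC list plus one constructed control (example.com); the allow-list of legitimate brand domains and the lure-word list are assumptions for the demonstration. It also shows a miss: humanenergy-company.com trades on Chevron's "human energy" tagline rather than its name, so name-based rules alone do not catch it.

```python
"""Triage newly seen domains against a watch-list of protected brands.

Added example for this page; not code from the OTX pulse or the hunt.io report.
Candidates come from the page's IoC list plus one constructed control; the
ALLOWLIST and KEYWORDS values are assumptions for the demonstration.
"""
import unicodedata
from typing import Dict, List, Optional, Tuple

# Brand names as they would appear in a registrable label (lower case, no dots).
BRANDS = ("chevron", "conocophillips", "pbfenergy", "phillips66")
# Registrable domains treated as legitimate (assumption for the example).
ALLOWLIST = {"chevron.com", "conocophillips.com", "pbfenergy.com", "phillips66.com"}
# Lure words that appeared next to brand names in the page's IoC list.
KEYWORDS = ("stock", "invest", "shop", "card", "corp", "login", "secure")


def decode_label(label: str) -> str:
    """Decode a punycode (xn--) label to Unicode; ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Fold diacritics and case so 'conocopḥillips' compares equal to 'conocophillips'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> Tuple[str, str]:
    """Return (second-level label, registrable domain). Naive two-label split;
    a production pipeline should consult the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    return labels[-2], ".".join(labels[-2:])


def classify(domain: str) -> Optional[str]:
    """Reason string if the domain looks like brand impersonation, else None."""
    sld, reg = registrable(domain)
    if reg in ALLOWLIST:
        return None
    decoded = decode_label(sld)
    skel = skeleton(decoded)
    for brand in BRANDS:
        if skel == brand:
            if decoded != sld:
                return f"IDN homograph of {brand} (renders as {decoded})"
            return f"exact brand {brand} on non-brand domain {reg}"
        if brand in skel:
            lures = [k for k in KEYWORDS if k in skel.replace(brand, "")]
            suffix = f" with lure words {lures}" if lures else ""
            return f"brand {brand} embedded{suffix}"
        # Allow roughly one edit per four characters of brand, never fewer than two.
        distance = levenshtein(skel, brand)
        if distance <= max(2, len(brand) // 4):
            return f"typo of {brand} (distance {distance})"
    return None


def triage(domains: List[str]) -> Dict[str, Optional[str]]:
    """Classify a batch; None means no brand-impersonation signal."""
    return {d: classify(d) for d in domains}


# Candidates: IoC domains from this page plus one constructed control (example.com).
CANDIDATES = [
    "chevroncorpstocks.com", "conocophils.com", "xn--conocopillips-2z0g.com",
    "pbfenergy.cc", "phillips66shop.com", "wwwmyphillips66card.com",
    "humanenergy-company.com", "investors.pbfenergy.com", "example.com",
]

if __name__ == "__main__":
    for domain, reason in triage(CANDIDATES).items():
        print(f"{domain:32} {reason or '-'}")
```

The allow-list matters: the page's own IoC list contains investors.pbfenergy.com and www.pbfenergy.com, which are PBF Energy's real sites, and a monitor without an allow-list would raise them as exact brand matches. Tagline- and product-based names (humanenergy-company.com, phillips66lubricants.ru) need a separate keyword list per brand.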

Technical Details

Author
AlienVault
Tlp
white
References
["https://hunt.io/blog/us-energy-phishing-wave-report"]
Adversary
null
Pulse Id
68c37a4f61a4eeb53a76aef0
Threat Score
null

Indicators of Compromise

Hash (type not stated in the pulse; 32 hex characters)

6296ae44fae279994f4b127bd08db3e1

IP

162.0.232.186
198.187.29.69
66.29.153.204
68.65.122.137
68.65.122.139
68.65.122.141
68.65.122.142

URL

http://cclresources.com/
http://chevroncorpstocks.com/
http://conocophillips.live/
http://conocophillips.live/app/index.html
http://conocophils.com/index.html
http://conocophils.com/operations/index.html
http://pbfenergy.cc/
http://pbfenergy.cc/.
http://phillips66shop.com/
https://conocophils.com/register
https://investors.pbfenergy.com/
https://phillips66-carros.site/
https://phillips66-carros.site/.
https://phillips66lubricants.ru/
https://www.pbfenergy.com/

Domain

advancedownloads.com
cclresources.com
chevroncorpstocks.com
chevroncvxstocks.com
conocophillips.live
conocophils.com
humanenergy-company.com
malware.name
orangeoffers.click
pbfenergy.cc
phillips66-carros.site
phillips66lubricants.ru
phillips66shop.com
wwwmyphillips66card.com
xn--conocopillips-2z0g.com
conoco-2024.dev.fastspot.com
humanenergy-company.com.cargoxpressdelivery.com
investors.pbfenergy.com
www.humanenergy-company.com
www.humanenergy-company.com.cargoxpressdelivery.com
www.pbfenergy.com

Note on the list: the pulse carries no per-indicator description. www.pbfenergy.com and investors.pbfenergy.com are PBF Energy's legitimate sites, presumably listed because the clones were copied from or link back to them, and conoco-2024.dev.fastspot.com looks like an agency development host rather than attacker infrastructure; validate each entry before it goes onto a blocklist. xn--conocopillips-2z0g.com is an IDN homograph that renders as conocopḥillips.com (h with dot below).

Threat ID: 68c3d71f1f88449e6f032ee4

Added to database: 9/12/2025, 8:17:35 AM

Last enriched: 9/12/2025, 8:17:56 AM

Last updated: 9/12/2025, 7:18:18 PM
