Cybersecurity firm Proofpoint has reported on a new phishing attack called CoGUI that primarily targets Japanese companies and is financially motivated. Japanese authorities have recently warned of an increase in such attacks on financial institutions. The attackers attempt to gain access to accounts to steal money, which is then often used to buy Chinese stocks.
Researchers note that CoGUI phishing attacks are becoming more common in Japan. The attacks impersonate well-known brands such as Amazon, PayPay, and Rakuten. In April 2025, fake tariff messages were also sent out in response to news from the U.S. government.
Japan is one of the most attacked countries
The attackers send large volumes of messages to Japanese companies, which makes Japan one of the most attacked countries. Large phishing attacks of this kind are not new in Japan: similar attacks were already reported in 2020.
It is not certain whether buying Chinese stocks is directly related to CoGUI, but it is a possible consequence of these attacks. In April 2025, researchers saw more of these types of attacks, especially after tariff news. Some attacks used fake tariff messages.
Smart tricks to avoid detection
CoGUI uses clever tricks to avoid detection, such as blocking visitors from certain geographic areas and recognizing browsers. This lets the attackers aim their attacks at intended victims and evade security measures, which makes the attacks more dangerous.
The attacks often consist of many messages, sometimes millions per attack. An attack usually lasts three to five days.
Most attacks impersonate Amazon, but some impersonate banks, retailers like Rakuten and Apple, or even the Japanese tax authorities.
The messages contain links that lead to fake websites where users are asked to enter their login details. Notably, these attacks do not attempt to steal additional security credentials such as two-step verification, which other phishing attacks commonly do.
Tips
Phishing attacks often use well-known brands to trick people. They try to make people rush, so that they click on a link quickly. To prevent this, it is important not to click on links immediately.
Proofpoint therefore advises users to take the time to visit the official website and log in to verify that the message is genuine. Companies are advised to warn employees about these types of attacks and ask them to report suspicious messages. It is also wise to enable two-factor authentication for extra security. For the best protection, special security keys can be used. This can prevent your data from being stolen.