by torgard 1031 days ago
Yes, but Apple Records aren't going to be phishing Apple Music customers.

Phishers won't be applying for trademarks to impersonate Apple.


Maybe not intentionally, but a basically-dormant company like Apple Records could very well provide a really attractive attack vector. Their security is probably going to be orders of magnitude worse than Apple Music, so why not just hack Apple Records instead?
Why not?
Expensive, you'll leave a paper trail, get shut down rather quickly. There's little to no profit that can be made like that.
Registering a domain and hosting a phishing website usually comes at a small price (around 10$) which is just 1% of the VMC (I just learned that).

“Expensive” is very subjective, I think it highly depends on the financial standard of the actor and the expected value.

In the case of Apple: if it is expected to aid in phishing an interesting iCloud user, or scamming 100 users for 10$, then I expect that there will be actors that will pay this initial cost to make more later on.

I agree that the classic mass-mail LQ phish actors would probably not go here, but the same holds for smaller organizations. With the current price-tag, end users then still have to trust non-BIMI and BIMI verified e-mails daily.

That seems to leave plenty of room for phishing. Also, if VMC prices drop, it will also attract more phish actors.

Though I see your point, I do not think that a financial bar is effectively combatting phishing.

I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You don't just need the VMC itself, you have to get a registered trademark, which is also probably up there in the thousands.

> I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You can currently steal a credit card, lie to a registrar and start your phishing campaign. Having to have a legal entity for a phish paints a nice target on your back.

I haven’t been through the trademarking process myself, but I would assume that a LOT of them exist.

Would it be possible to register a trademark that looks similar to another company’s and impersonate them? I can’t imagine the process would be 100% effective.

Sure, the company would probably notice pretty quickly, but not before you’ve spear phished a couple clients.